Speaking to the Black Hat conference in Las Vegas yesterday, Eschelbeck said that the so-called half-life of vulnerabilities – the time it takes for half of initially vulnerable systems to be patched – is down in 2004, from 30 days to 21 days.
That represents significant progress on last year, he said. It is, however, at least a day shy of Eschelbeck’s 15 to 20 day challenge to the industry presented at last year’s Black Hat.
Eschelbeck said that organizations are far speedier at patching external systems – demilitarized zone services such as web servers for example – than they are at patching behind-the-firewall vulnerabilities.
The half-life of these behind-the-firewall vulnerabilities is 62 days, he said. Comparable figures from previous years were not available. Eschelbeck challenged the assembled security professionals to get this down to 40 days by next year.
While people can patch ten or 50 external systems fairly easily, patching 50,000 internal systems is not as easy, Eschelbeck said. He added that companies put too much emphasis on their perimeter security, which can be porous.
The research also indicates that the larger the installed base of vulnerable systems, the more likely a worm is to be written, usually during the first two half-lives (42 days) after public disclosure, Eschelbeck said.
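As an added illustration that is not part of the report or of Eschelbeck's research, the half-life model behind these figures: fitting a half-life to a constructed series of scan counts, then projecting how much of an installed base is still exposed at the end of the two-half-life worm window. The scan counts are made up for the example; the external (21-day) and internal (62-day) half-lives are the ones quoted above.

```python
import math
from typing import List, Tuple

# Constructed sample: (days since disclosure, vulnerable hosts found by that scan).
# The numbers are invented to follow a roughly 21-day decay; they are not real scan data.
EXTERNAL_SCANS: List[Tuple[int, int]] = [
    (0, 1000), (7, 790), (14, 640), (21, 500), (28, 400), (35, 315),
]


def estimate_half_life(scans: List[Tuple[int, int]]) -> float:
    """Least-squares fit of ln(count) = a + b*t; half-life is ln(2) / (-b) days."""
    n = len(scans)
    xs = [float(t) for t, _ in scans]
    ys = [math.log(c) for _, c in scans]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    if slope >= 0:
        raise ValueError("no decay observed: vulnerable count is not falling")
    return math.log(2) / (-slope)


def fraction_still_vulnerable(half_life_days: float, elapsed_days: float) -> float:
    """Share of the original vulnerable population not yet patched after elapsed_days."""
    return 0.5 ** (elapsed_days / half_life_days)


def days_to_patch(half_life_days: float, patched_fraction: float) -> float:
    """Days until patched_fraction of systems are fixed under a constant half-life."""
    if not 0 <= patched_fraction < 1:
        raise ValueError("patched_fraction must be in [0, 1)")
    return half_life_days * math.log2(1.0 / (1.0 - patched_fraction))


if __name__ == "__main__":
    hl = estimate_half_life(EXTERNAL_SCANS)
    print(f"fitted external half-life: {hl:.1f} days")
    window = 2 * 21  # the two-half-life worm window from the talk
    for label, t in (("external", 21.0), ("internal", 62.0)):
        left = fraction_still_vulnerable(t, window)
        print(f"{label}: {left:.0%} still exposed at day {window}, "
              f"90% patched after {days_to_patch(t, 0.9):.0f} days")
```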
All of Eschelbeck’s data comes from vulnerability scans performed by his company’s customers. This means, of course, that the research only reflects the performance of companies that are already security-conscious.
“Is the real-world internet more dangerous than that? My opinion is yes, it is,” he told attendees.