WASHINGTON, D.C. -- Security pros deserve a pat on the back, according to one researcher, for applying patches more quickly than ever before. However, a disturbing shift in where vulnerabilities occur could foreshadow the next generation of threats.
Speaking at the CSI 32nd annual Computer Security Conference this week, Qualys Inc. CTO Gerhard Eschelbeck announced the findings of his annual "Laws of Vulnerabilities" research, and there may be reason for optimism.
Eschelbeck, a former virus-hunter for McAfee Inc., said this year's data on vulnerability "half-life" -- the length of time it takes organizations to patch half of their vulnerable systems -- shows organizations are patching critical vulnerabilities in outward-facing systems within an average of 19 days, two days faster than last year and 11 days faster than in 2003.
He said progress is being made on inward-facing systems as well, with the half-life of critical vulnerabilities there dropping to an average of 48 days, two weeks sooner than in 2004.
Eschelbeck said scheduled patch releases from major vendors like Microsoft and Oracle Corp. have made the patching process easier. "A lot of people are putting a more concerted effort into prioritizing their patches," Eschelbeck said. "When you do a predefined, coordinated effort, it allows people to patch faster."
And for good reason. According to the research, 80% of exploits appear in the wild within 90 days of a vulnerability's public disclosure, and in the case of a worm outbreak, the first two weeks are the most critical.
"Most of the systems that aren't patched become a victim [of a worm] in that first 15 days," Eschelbeck said.
Billed as the first research effort examining security vulnerabilities, the Laws of Vulnerabilities findings are culled from a statistical analysis of thousands of critical vulnerabilities collected on an aggregate basis from millions of scans performed across thousands of participating networks.
The intent, Eschelbeck said, is to gauge whether the industry is making patching progress. "In all the articles we read," he said, "there seem to be more questions than answers."
Though Eschelbeck's data suggests organizations are applying patches more quickly, the news isn't all good. Eschelbeck said more than 60% of the most recent quarter's vulnerabilities were client-side, meaning they affected specific applications such as Internet Explorer and Adobe Acrobat or software plug-ins like Macromedia Flash.
"There's a significant shift from server-side vulnerabilities to the client side," he said. "I think researchers are moving to the client side because there is still a lot of low-hanging fruit out there."
In the next year or so, he expects even more client-side vulnerabilities to surface. Making matters worse, Eschelbeck said going forward up to 4% of each year's vulnerabilities will remain persistent, meaning their lifespan is effectively infinite: some systems are never patched against them.
Attendee Mike Smith, senior IT security engineer with AEPOS Technologies Corp. in Hull, Quebec, said overall the data suggests that the industry is moving in the right direction. But, he added, it may not be possible for the research to paint a truly accurate picture of the industry.
"People who are more security-aware are the ones downloading and running the tool," Smith said, noting that participation in Eschelbeck's research requires voluntarily submitting data, which many of the less secure organizations likely aren't eager to do.
Still, Eschelbeck reaffirmed that patch prioritization is the best way to stay secure, noting that 90% of vulnerability exposure is caused by a mere 10% of critical vulnerabilities.
"There is no way to fix every single vulnerability in your enterprise," Eschelbeck said, "and you don't need to do so."
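To make the two metrics in this article concrete, here is an added example (not Qualys's code, and not its published methodology) that computes a vulnerability half-life and an exposure-based patch priority from scan-style records. The `Finding` type, the `FINDINGS` list, the `AS_OF` analysis date and the function names are all assumptions; every host name, vulnerability ID and date is constructed for illustration.

```python
# Added example, not Qualys's code or its published methodology: computes a
# vulnerability "half-life" (days until half of the affected systems are
# patched) and ranks vulnerabilities by host-days of exposure, from
# scan-style records. All records, host names and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    host: str
    external: bool           # True for an outward-facing system
    disclosed: date          # public disclosure / patch release date
    patched: Optional[date]  # None = still unpatched at analysis time


D1 = date(2005, 9, 1)
D2 = date(2005, 9, 15)
AS_OF = date(2005, 11, 1)  # assumed analysis date (constructed)

# Constructed scan results: one row per (vulnerability, host).
FINDINGS: List[Finding] = [
    Finding("V1", "web1", True, D1, date(2005, 9, 6)),
    Finding("V1", "web2", True, D1, date(2005, 9, 13)),
    Finding("V1", "web3", True, D1, date(2005, 9, 20)),
    Finding("V1", "web4", True, D1, None),
    Finding("V2", "vpn1", True, D1, date(2005, 9, 4)),
    Finding("V2", "vpn2", True, D1, date(2005, 10, 1)),
    Finding("V3", "db1", False, D2, date(2005, 10, 5)),
    Finding("V3", "db2", False, D2, None),
    Finding("V3", "db3", False, D2, None),
    Finding("V4", "file1", False, D2, date(2005, 9, 25)),
    Finding("V4", "file2", False, D2, date(2005, 10, 30)),
    Finding("V4", "file3", False, D2, None),
]


def half_life_days(findings: List[Finding]) -> Optional[int]:
    """Smallest number of days by which at least half of the affected systems
    were patched, or None if fewer than half have been patched so far.
    Unpatched systems stay in the denominator: they are exposed, not excluded."""
    n = len(findings)
    if n == 0:
        return None
    times = sorted((f.patched - f.disclosed).days for f in findings if f.patched)
    for k, t in enumerate(times, start=1):  # k systems patched within t days
        if 2 * k >= n:
            return t
    return None


def exposure_ranking(findings: List[Finding], as_of: date) -> List[Tuple[str, int, float]]:
    """Rank vulnerabilities by host-days of exposure. Each affected host counts
    the days from disclosure until it was patched, or until `as_of` if it never
    was. Returns (vuln_id, host_days, cumulative share) in descending order."""
    totals: Dict[str, int] = {}
    for f in findings:
        end = f.patched or as_of
        totals[f.vuln_id] = totals.get(f.vuln_id, 0) + (end - f.disclosed).days
    grand = sum(totals.values())
    ranked: List[Tuple[str, int, float]] = []
    running = 0
    for vid, days in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        running += days
        ranked.append((vid, days, running / grand))
    return ranked


def vulns_needed_for_share(findings: List[Finding], as_of: date, target: float = 0.9) -> Tuple[int, int]:
    """How many of the top-ranked vulnerabilities cover `target` of total
    exposure, as (needed, total). This is the patch-first list."""
    ranked = exposure_ranking(findings, as_of)
    for i, (_, _, share) in enumerate(ranked, start=1):
        if share >= target:
            return i, len(ranked)
    return len(ranked), len(ranked)


if __name__ == "__main__":
    external = [f for f in FINDINGS if f.external]
    internal = [f for f in FINDINGS if not f.external]
    print("external half-life (days):", half_life_days(external))
    print("internal half-life (days):", half_life_days(internal))
    for vid, days, share in exposure_ranking(FINDINGS, AS_OF):
        print(f"{vid}: {days} host-days, cumulative {share:.0%}")
    print("vulnerabilities covering 90% of exposure:", vulns_needed_for_share(FINDINGS, AS_OF))
```

Two design points matter when running this over real scan exports. First, unpatched systems must stay in the denominator of the half-life, otherwise a vulnerability nobody patches would look as if it had been fixed quickly by the few who did; when fewer than half the systems are patched, there is simply no half-life yet. Second, ranking by host-days rather than by a count of findings is what produces the lopsided distribution Eschelbeck describes: a handful of widely deployed, slowly patched issues dominate total exposure, and those are the ones to patch first.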