Companies have repeatedly been warned that each new worm brings attackers closer to releasing exploit code the same day a software vulnerability is announced, meaning businesses can no longer rely on a patch-as-you-go approach to network security.
Executives who remain skeptical now have some numbers to chew on, with the release of a new analysis that shows the vulnerability-to-worm cycle tightening from 288 days in 1999 to just 10 days in 2004.
"The No. 1 message for businesses is that it's truly impossible to patch everything in time, and that they need to adopt an approach that blocks threats and buys their IT staff time to determine the best fixes for their systems," said Stuart McClure, president and chief technology officer for Mission Viejo, Calif.-based security firm Foundstone Inc. and author of the analysis. "If past warnings haven't convinced you, this should."
The research is centered on high-profile worms released between 1999 and 2004, including Melissa, Sadmind, Sonic, Bugbear, Code Red, Nimda, Spida, MS SQL Slammer, Slapper, Blaster, Witty and Sasser. McClure reviewed worms that took advantage of user interaction – opening e-mail attachments, for example – and remotely controlled bots, but didn't include them in the report to keep the focus on automated threats.
McClure said the numbers show an "alarming" and "dramatic" trend toward zero-day exploits, a prospect that has put increased pressure on IT departments to patch vulnerabilities faster than ever.
"You can't avoid patching," McClure said. "But you need to buy yourself some time to determine the best fixes for your system." Companies reluctant to spend a lot of money on new blocking technology need to understand that the consequences of being unprepared when an attack comes could be far more costly in the long run, he added.
"In today's world, it's nearly impossible to protect your enterprise's digital assets without a vulnerability management system," added Dave Cole, vice president of product management for Foundstone.
John Pescatore, an analyst for Stamford, Conn.-based research firm Gartner Inc., agrees.
"IT security is a chess game in which cyberattackers have the white pieces and thus move fast," Pescatore said in a news release. "Organizations can control the middle of the chessboard by implementing vulnerability management and intrusion prevention approaches to prevent and respond quickly to attacks."