New analysis shows exploits closing in on networks

A new study shows the window between vulnerability and exploit code releases has narrowed from months to mere days.

Companies have repeatedly been warned that each new worm brings attackers closer to the point of exploit code being released the same day software vulnerabilities are announced; thus, businesses can no longer rely on the patch-as-you-go approach to network security.

Executives who remain skeptical now have some numbers to chew on, with the release of a new analysis that shows the vulnerability-to-worm cycle tightening from 288 days in 1999 to just 10 days in 2004.

"The No. 1 message for businesses is that it's truly impossible to patch everything in time, and that they need to adopt an approach that blocks threats and buys their IT staff time to determine the best fixes for their systems," said Stuart McClure, president and chief technology officer for Mission Viejo, Calif.-based security firm Foundstone Inc. and author of the analysis. "If past warnings haven't convinced you, this should."

The research is centered on high-profile worms released between 1999 and 2004, including Melissa, Sadmind, Sonic, Bugbear, Code Red, Nimda, Spida, MS SQL Slammer, Slapper, Blaster, Witty and Sasser. McClure reviewed worms that took advantage of user interaction – opening e-mail attachments, for example – and remotely controlled bots, but didn't include them in the report to keep the focus on automated threats.

McClure said the numbers show an "alarming" and "dramatic" trend toward zero-day exploits, a prospect that has put increased pressure on IT departments to patch vulnerabilities faster than ever.

"You can't avoid patching," McClure said. "But you need to buy yourself some time to determine the best fixes for your system." Companies reluctant to spend a lot of money on new blocking technology need to understand that the consequences of being unprepared when an attack comes could be far more costly in the long run, he added.

"In today's world, it's nearly impossible to protect your enterprise's digital assets without a vulnerability management system," added Dave Cole, vice president of product management for Foundstone.

John Pescatore, an analyst for Stamford, Conn.-based research firm Gartner Inc., agrees.

"IT security is a chess game in which cyberattackers have the white pieces and thus move fast," Pescatore said in a news release. "Organizations can control the middle of the chessboard by implementing vulnerability management and intrusion prevention approaches to prevent and respond quickly to attacks."
