Breaking News - Security:
Research Demos Growing Threat To Internal Networks
Gerhard Eschelbeck, CTO of Qualys Inc, a provider of on-demand vulnerability
management solutions, unveiled new research as part of his well-known "Laws of
Vulnerabilities" analysis, which is derived from the industry's largest database
of security vulnerability information. The research shows that significant
improvement has been made during the last year in protecting networks at the
perimeter, but that systems within a corporate network are in greater jeopardy
of being attacked.
Specifically, the data show that companies currently take 62 days to patch
half of their internal systems, as opposed to 21 days for half of the systems
connected directly to the Internet. This window leaves internal systems and
applications, such as Internet browsers and mail servers, vulnerable to attack.
These and other trends were drawn from a statistical analysis of nearly 4
million critical vulnerabilities collected from 6.5 million scans over a
two-and-a-half-year period. Last year's research was derived from 1.5 million
scans over a one-and-a-half-year period.
"Clearly, the research shows that there continues to be significant security
concerns regarding internal networks. This is the first time we've had real
data to show exactly how vulnerable these systems are. As an industry, we
cannot focus only on the perimeter as this leaves our internal systems
vulnerable to attack," said Howard A. Schmidt, former cyber security advisor
to the president. "Gerhard's research provides a unique analysis of global
vulnerability data that helps predict trends, identify threats and effectively
protect networks."
The full findings from the research can be found at www.qualys.com/laws and
are summarized as follows:
- Half-Life: The half-life is the length of time it takes users to patch half
of their systems, which correspondingly reduces their window of exposure. The
half-life of critical vulnerabilities is 21 days for external systems and 62
days for internal systems, and it doubles for each lower degree of severity.
- Prevalence: Fifty percent of the most prevalent and critical
vulnerabilities are replaced by new vulnerabilities on an annual basis. In
other words, there is a constant flow of new critical vulnerabilities to
manage.
- Persistence: The lifespan of some vulnerabilities and worms is unlimited.
In fact, the research shows significant spikes in the occurrence of Blaster
and Nachi worm infections in 2004, months after they originally appeared.
- Exploitation: The vulnerability-to-exploit cycle is shrinking faster than
the remediation cycle: 80 percent of worms and automated exploits target the
first two half-life periods of critical vulnerabilities.
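The half-life and exploitation laws above describe a measurement and a decay model without showing how either is computed. The following is an added example, not code from Qualys or from the research itself: it derives a patch half-life from constructed scan records (the record layout, host names and dates are assumptions made for illustration) and then uses the half-life model to show how much of a population is still exposed after a given number of days, which is what the "first two half-life periods" figure refers to.

```python
# Added example: not code from Qualys or the press release. It reconstructs the
# half-life metric described above from constructed scan records and shows what
# the half-life implies for residual exposure. Record layout and all dates are
# assumptions made for illustration.
import math
from datetime import date

# Constructed sample data: (host, scan date, vulnerable?) for one critical
# vulnerability disclosed on DISCLOSED. Hosts are scanned repeatedly; a host
# counts as patched on the first clean scan that follows a vulnerable scan.
DISCLOSED = date(2004, 3, 1)

EXTERNAL_SCANS = [
    ("ext-01", date(2004, 3, 2), True),  ("ext-01", date(2004, 3, 8), False),
    ("ext-02", date(2004, 3, 2), True),  ("ext-02", date(2004, 3, 22), False),
    ("ext-03", date(2004, 3, 2), True),  ("ext-03", date(2004, 4, 5), False),
    ("ext-04", date(2004, 3, 2), True),  ("ext-04", date(2004, 4, 30), True),
    ("ext-05", date(2004, 3, 2), False),  # never vulnerable: not counted
]

INTERNAL_SCANS = [
    ("int-01", date(2004, 3, 3), True),  ("int-01", date(2004, 3, 30), False),
    ("int-02", date(2004, 3, 3), True),  ("int-02", date(2004, 5, 2), False),
    ("int-03", date(2004, 3, 3), True),  ("int-03", date(2004, 6, 15), False),
    ("int-04", date(2004, 3, 3), True),  ("int-04", date(2004, 6, 30), True),
]


def first_fix_dates(scans):
    """Return the set of hosts ever seen vulnerable and, for those later found
    clean, the date of the first clean scan after a vulnerable one."""
    seen_vulnerable = set()
    fixed = {}
    for host, day, vulnerable in sorted(scans, key=lambda r: r[1]):
        if vulnerable:
            seen_vulnerable.add(host)
        elif host in seen_vulnerable and host not in fixed:
            fixed[host] = day
    return seen_vulnerable, fixed


def half_life_days(scans, disclosed):
    """Days after disclosure by which half of the hosts observed vulnerable had
    been patched; None if the population never reached the halfway point."""
    vulnerable_hosts, fixed = first_fix_dates(scans)
    if not vulnerable_hosts:
        return None
    needed = math.ceil(len(vulnerable_hosts) / 2)
    if len(fixed) < needed:
        return None  # still-vulnerable hosts keep the half-life undefined
    fix_days = sorted((day - disclosed).days for day in fixed.values())
    return fix_days[needed - 1]


def remaining_fraction(days_after_disclosure, half_life):
    """Fraction of hosts still unpatched at a given day under the half-life
    model: exposure halves every half-life period."""
    return 0.5 ** (days_after_disclosure / half_life)


def days_until_remaining(fraction, half_life):
    """Days needed before only `fraction` of the hosts remain unpatched."""
    return half_life * math.log2(1 / fraction)


if __name__ == "__main__":
    for name, scans in (("external", EXTERNAL_SCANS), ("internal", INTERNAL_SCANS)):
        hl = half_life_days(scans, DISCLOSED)
        print(f"{name}: half-life {hl} days; after two half-lives "
              f"{remaining_fraction(2 * hl, hl):.0%} of hosts remain exposed; "
              f"{days_until_remaining(0.10, hl):.0f} days to reach 10% exposed")
```

With the constructed data the external group reaches its half-life at day 21 and the internal group at day 62, matching the figures in the list. The model then makes the exploitation law concrete: two half-lives in, a quarter of the hosts are still unpatched (25 percent of external hosts at day 42, of internal hosts at day 124), and getting internal exposure down to 10 percent takes roughly 206 days. A host that is never observed clean after being seen vulnerable keeps the half-life undefined until enough of the population is fixed, which is the "persistence" case in practice.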
"We have made significant progress in shortening the window of exposure for
external systems; however, the focus on internal systems must be addressed,"
said Eschelbeck. "Vulnerabilities to Web browsers, data centers, mail servers
and other internal systems show up consistently in our top list of the most
critical vulnerabilities. In most cases, worms are circulating faster than
systems are being patched inside the network, and organizations have to be
more aggressive about protecting their internal systems."
In addition to providing trend data on vulnerabilities, Qualys is publishing a
real-time list of the top 10 most critical and prevalent vulnerabilities on
both internal and external systems. As described above, the Law of Prevalence
shows there is a constant flow of new critical vulnerabilities, requiring
companies to stay ahead of changing threats. As a result, the "Top 10 Internal"
and "Top 10 External" lists will be updated automatically and continuously. The
Top 10 lists can be found online at www.qualys.com/top10.