Black Hat: Vulnerability mitigation is working, sort of
The average time between disclosure of a vulnerability and the time when half of its occurrences have been eliminated (i.e., patched) – referred to as its half-life – is 29.5 days, said Wolfgang Kandek, CTO of vulnerability management provider Qualys in a presentation Wednesday at the Black Hat conference in Las Vegas.
Also, the window for the availability of exploits is constantly shrinking. It is now in the single digits, in terms of the number of days, he said.
These numbers were based on a study of dynamics in the vulnerability life cycle begun by Qualys in 2001. The most recent study, “The Laws of Vulnerabilities 2.0,” covers anonymous sampling from 104 million vulnerability scans made during 2008, resulting in discovery of 680 million flaws.
The numbers, however, could be better, Kandek said. The reason they are not is because threats have increased, along with the efforts to mitigate vulnerabilities.
The problem is not as bad at the operating system level, he said. For example, Microsoft Windows patches are typically applied quickly. And external services seem to be well-protected.
That is not the case at the application level, Kandek said. Applications do not seem to be receiving enough attention by IT administrators.
One of the best ways to alleviate exposure is to try to speed up the patch cycle and try to partition vulnerabilities off by addressing problems that pose greatest risk, he said. Security administrators should develop a patching strategy that is based on the risk profile of machines, and segment applications using a tool for automatic application of patches.
The industry sectors monitored in the study include service, finance and insurance; wholesale Trade, health care and manufacturing. Four metrics are quantified, besides vulnerability half-life. There others are: prevalence, or the the turnover rate of the top 20 vulnerabilities in a year; persistence, or the live span of vulnerabilities (virtually unlimited); and exploitation, or the time between the discovery and the first attack.