Perimeter security up but internals still vulnerable


Companies have made significant strides in patching against vulnerabilities that threaten the perimeter, but fixing internal flaws is still a big problem, a researcher said in findings he presented at this week's Black Hat security meetings in the US.

At last year's annual Black Hat gathering, Gerhard Eschelbeck, the chief technology officer of US firm Qualys, laid out what he dubbed the "Laws of Vulnerabilities," a number of observations about security flaws' behavior.

Basing his research on statistical analysis of some 1.24 million vulnerabilities scanned over an 18-month period, Eschelbeck noted then that critical vulnerabilities, such as those exploited by Slammer, Code Red, and last year's MSBlast, have a "half-life" of 30 days.

In other words, about 50 percent of the vulnerable systems were patched within the first 30 days of a vulnerability's disclosure.

The news now is considerably brighter.

His revised research -- now based on a look at over four million critical vulnerabilities collected from a two-and-a-half-year period -- points to a significant drop in half-life of threats to enterprises' perimeters.

"The half-life went down from 30 days to just 21," said Eschelbeck. "That's a dramatic improvement."

The drop in the time it takes half of enterprises to patch against the most serious perimeter vulnerabilities has several causes, said Eschelbeck, including a better grasp of prioritising problems and more automated patch management and deployment technologies being put into place.

"That's the good news. The not so good news is that internally, within the perimeter -- places like the data centre, mail servers, web browsers, even desktops -- the half-life is still 62 days. That gives exploits a lot of breeding ground, and leaves systems with a window of exposure that is just too big."

Vulnerabilities that threaten the guts of the network get short shrift, said Eschelbeck, because people perceive the perimeter as more exposed. "So they're starting the patching process there. And there are usually fewer devices on the perimeter. Where a company might have 50 systems on the perimeter, it could have 50,000 internally."

Like last year, Eschelbeck plans to challenge the security community to put the shoulder to a collective wheel. "Last year, I challenged the community to reduce the half-life of external vulnerabilities to 15 to 21 days, and we're almost there. Now I'm challenging them to reduce the internal half-life to 40 days. That's very doable."

Recent attacks have proved his point that systems within the firewall are vulnerable, particularly the sneaky infection of machines running Internet Explorer last month by a bunch of Russian hackers out to steal financial information.

Numerous security vendors are pushing intrusion detection and intrusion prevention systems as a way to block exploits of internal vulnerabilities by examining network traffic for weird behaviour and other anomalies that might indicate an attack is in progress. But Eschelbeck doesn't think they're ready for prime time.

"IDS/IPS seems to be the next big thing, but they're very early on the technology curve," he said. "Enterprises will have to live with a kind of combination of technologies for a long time to come."

In other findings drawn from his analysis, Eschelbeck reiterated last year's remarks that hackers strike while the iron is hot, so to speak, and that there's always a new supply of vulnerabilities to manage.

About 80 percent of exploits of vulnerabilities hit within the first two half-life cycles -- 42 days for exploits against the perimeter, 124 days for those attacking internal systems, Eschelbeck said.
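As an added illustration (not code from the article or from Qualys), a small Python model of the half-life idea: it derives an empirical half-life from constructed scan records and then projects the exposed fraction under the 21-day and 62-day figures above. The sample data and function names are assumptions.

```python
"""Half-life model of vulnerability remediation, as described in the article.
The scan records below are constructed sample data, not Qualys figures."""
import math

# Constructed sample: for 20 hosts, the day (relative to disclosure) on which
# each host was first seen patched; None = still unpatched at end of window.
SAMPLE_PATCH_DAYS = [3, 5, 8, 10, 12, 15, 18, 20, 21, 21,
                     25, 30, 35, 44, 50, 60, None, None, None, None]


def survival_curve(patch_days, horizon):
    """Empirical fraction of hosts still unpatched on each day 0..horizon."""
    n = len(patch_days)
    return [sum(1 for d in patch_days if d is None or d > day) / n
            for day in range(horizon + 1)]


def empirical_half_life(patch_days, horizon):
    """First day on which at most half the hosts remain unpatched (None if never)."""
    for day, frac in enumerate(survival_curve(patch_days, horizon)):
        if frac <= 0.5:
            return day
    return None


def exposed_fraction(half_life, day):
    """Model: fraction still vulnerable after `day` days is 0.5 ** (day / half_life)."""
    return 0.5 ** (day / half_life)


def days_until(half_life, residual):
    """Days until only `residual` of hosts remain vulnerable under the model."""
    return half_life * math.log(residual, 0.5)


if __name__ == "__main__":
    hl = empirical_half_life(SAMPLE_PATCH_DAYS, horizon=90)
    print(f"empirical half-life from sample scans: {hl} days")
    # Two half-life cycles under the article's perimeter vs internal figures
    for label, h in (("perimeter", 21), ("internal", 62)):
        print(f"{label}: after {2 * h} days, "
              f"{exposed_fraction(h, 2 * h):.0%} of hosts still exposed; "
              f"90% patched after {days_until(h, 0.10):.0f} days")
```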

And no matter what IT does in the short term, vulnerabilities will always be around. "There's a constant flow of new critical vulnerabilities to manage." About half of the most prevalent and dangerous vulnerabilities, he said, are replaced on an annual basis with new threats. Busy hackers....

But not all exploits fade away; some have essentially unlimited life spans.

For instance, Eschelbeck's research noted that there were significant spikes in the occurrence of MSBlast and Nachi worm infections in 2004, months after they originally appeared.

In fact, the Windows vulnerability exploited last summer by MSBlast remains number three and number two, respectively, on Qualys' current Top 10 list of external and internal vulnerabilities.

The list, which is updated daily, includes several other oldie-but-goodie vulnerabilities that have long, long legs, including three more Microsoft flaws harking back to 2003.

For now, the one thing that companies can do is concentrate on beefing up defences within the firewall, and patching systems there faster.

"Internal threats are living longer than those against the perimeter," he concluded. "That's the biggest message. Companies simply have to focus on the internal aspects of their networks."
