Finding patterns in patches
- By William Jackson
- Jul 29, 2004
LAS VEGAS - The pace of patching for network vulnerabilities is speeding up, but not as quickly as the production of worms to exploit them.
That is one of the laws of vulnerabilities discovered by Gerhard Eschelbeck, chief technology officer of Qualys Inc. of Redwood, Calif., from more than two years' worth of scans of Internet-connected devices.
That is probably not surprising to hackers and security experts attending the Black Hat Briefings this week, but Eschelbeck has been able to quantify some of the real-world behavior of vulnerabilities and the worms that exploit them.
Qualys provides a Web-based vulnerability scanning service, and since January 2002 Eschelbeck has tabulated the results of 6.2 million IP scans. Some 3.8 million critical vulnerabilities turned up in those scans, and he saw a clear pattern in patching activity.
'The behavior of patching on the Internet is similar to radioactive decay,' he said. The number of devices with a given vulnerability drops by one half at regular periods.
That half-life has been getting shorter. In 2003 the half-life of a critical vulnerability on an outward-facing device was 30 days, Eschelbeck said. This year it is 21 days.
'That is a significant improvement, but not good enough,' he said. 'There is still some room for improvement. I think realistically we can get it down to 10 or 15 days with automated tools.'
There is more room, and more need, for improvement for internal networked devices, where the half-life is 62 days. Eschelbeck issued a challenge during the Black Hat Briefings for administrators to bring that number down to 40 days by next year.
The four laws of vulnerabilities identified by Eschelbeck are:
- The half-life of critical vulnerabilities is 21 days on external devices and 62 days on internal systems. Half-life doubles with vulnerabilities of lower degrees of severity.
- One half of the most prevalent and critical vulnerabilities are replaced by new ones annually.
- The life span of some vulnerabilities and worms is unlimited.
- The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. Eighty percent of worms and automated exploits appear within the first two half-life periods of a critical vulnerability, while at least 25 percent of infected machines are available.
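The half-life model behind the first and fourth laws is easy to make concrete. The following Python is an added illustration, not code from the article or from Qualys: it models the remaining vulnerable population as halving once per half-life period, using the 21-day external and 62-day internal figures quoted above, and shows why an exploit arriving at the end of the second half-life still finds 25 percent of the original population unpatched. The severity-scaling helper assumes "half-life doubles with each lower degree of severity" means a doubling per step; that reading is an assumption.

```python
import math

# Half-lives reported in the article, in days (2004 figures).
HALF_LIFE_EXTERNAL_DAYS = 21
HALF_LIFE_INTERNAL_DAYS = 62


def remaining_fraction(days: float, half_life: float) -> float:
    """Fraction of the initial vulnerable population still unpatched after
    `days`, under a radioactive-decay style model: every half-life period
    halves the count, so the survivor fraction is 0.5 ** (days / half_life)."""
    if half_life <= 0:
        raise ValueError("half_life must be positive")
    if days < 0:
        raise ValueError("days must be non-negative")
    return 0.5 ** (days / half_life)


def days_until_fraction(target: float, half_life: float) -> float:
    """Inverse of remaining_fraction: days until only `target` (0 < target <= 1)
    of the population remains. Solves 0.5 ** (t / T) = target for t."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    if half_life <= 0:
        raise ValueError("half_life must be positive")
    return half_life * math.log2(1 / target)


def half_life_for_severity(critical_half_life: float, steps_below_critical: int) -> float:
    """Assumed reading of 'half-life doubles with lower severity': each step
    below critical doubles the half-life (step 0 is critical itself)."""
    if steps_below_critical < 0:
        raise ValueError("steps_below_critical must be non-negative")
    return critical_half_life * (2 ** steps_below_critical)


def exposure_at_exploit(exploit_day: float, half_life: float) -> float:
    """Fraction of the original vulnerable population an exploit released on
    `exploit_day` can still reach. Two half-lives in, that is 25 percent,
    matching the figure quoted with the fourth law."""
    return remaining_fraction(exploit_day, half_life)


if __name__ == "__main__":
    for label, hl in (("external", HALF_LIFE_EXTERNAL_DAYS), ("internal", HALF_LIFE_INTERNAL_DAYS)):
        two_periods = 2 * hl
        print(f"{label}: {two_periods} days in, {exposure_at_exploit(two_periods, hl):.0%} still vulnerable; "
              f"10% remain only after {days_until_fraction(0.10, hl):.0f} days")
```

The comparison the article draws falls out directly: an exploit that appears two half-lives after disclosure finds a quarter of the original population on both network tiers, but on internal networks that point is 124 days out rather than 42, so the window of exposure in calendar time is three times longer.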
Eschelbeck said that the data he has examined is not tied to the owners of the systems, so there is no way to break out government systems. But he suspects from experience that government systems share more similarities than differences in these areas with their private-sector counterparts.
Vulnerabilities on outward-facing machines are patched faster because those machines are the most exposed and get administrators' attention first.
'It's a matter of priorities,' Eschelbeck said. 'It's also a question of scale,' because networks tend to have many more internal machines than external.
But the ability of worms to penetrate networks and spread inside means that patching of internal machines also needs to be aggressively addressed.
The apparent immortality of some vulnerabilities and worms comes from the common practice of rolling out new servers from pre-defined software images. 'If you don't keep those images updated with new patches, you are re-introducing the vulnerabilities,' he said.
Because patches must be tested and validated before they are rolled out, there are limits to how far a vulnerability half-life can shrink. The keys to speeding the process as much as possible are automation where possible and prioritization, Eschelbeck said.
'It's all about priorities,' he said. 'You don't need to patch every vulnerability. Focus on the top 10.'
William Jackson is a Maryland-based freelance writer.