Most companies remain vulnerable to remote data attacks
despite increased efforts to improve security patching
practices.
At this week’s Computer Security Institute conference in the US,
Qualys, a provider of managed security services, released a study
into the vulnerability and patch management practices of its
customers.
Based on 32 million vulnerability assessment scans within its
customer base, which includes a large number of international
companies, Qualys’ research showed that on average, companies take
around 19 days to patch half of their internet-facing systems.
Until they are patched, those systems remain exposed to critical
vulnerabilities and to remote attack.
Last year the patching response rate was 21 days to protect 50%
of systems, compared with 30 days in 2003. But despite the gradual
improvements, companies clearly weren’t reacting fast enough, said
Qualys.
Qualys pointed out that almost 80% of exploits and attacks
targeting new vulnerabilities took place once a patch had been
issued, with most damage done within the first 15 days of an
exploit being revealed.
Companies therefore have to patch well inside that 15-day window to
protect their systems adequately.
Companies were even slower when it came to patching their
internal IT systems. Qualys found that it took firms an average of
48 days to patch 50% of internal systems.
This is down from the 62 days it took to patch half of internal
systems last year. But new threats can now propagate much faster,
so firms have to do far more to shorten their response time, said
Qualys.
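The figure the study reports for both external and internal systems is a patch "half-life": the number of days by which 50% of affected systems have been remediated. The following is an added example, not code from Qualys or from the article, showing how to compute that metric from your own scan results and compare it with the 15-day exploit window mentioned above. The findings, hostnames and dates are constructed for illustration; findings still open at the last scan are treated as unremediated (right-censored) rather than dropped, since dropping them would make the half-life look better than it is.

```python
"""Compute a patch half-life from vulnerability scan records.

Added example; not Qualys' methodology or the article's code.
All sample data below is constructed and hypothetical.
"""
from datetime import date
from math import ceil
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    host: str               # hypothetical hostname
    zone: str               # "external" (internet-facing) or "internal"
    first_seen: date        # scan date on which the vulnerability was first detected
    fixed: Optional[date]   # scan date on which it was first seen fixed; None if still open


# Constructed sample scan data (hypothetical hosts and dates).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01", "external", date(2004, 11, 1), date(2004, 11, 5)),
    Finding("web-02", "external", date(2004, 11, 1), date(2004, 11, 8)),
    Finding("vpn-01", "external", date(2004, 11, 1), date(2004, 11, 17)),
    Finding("mail-01", "external", date(2004, 11, 1), date(2004, 11, 25)),
    Finding("dns-01", "external", date(2004, 11, 1), None),
    Finding("web-03", "external", date(2004, 11, 1), date(2004, 12, 15)),
    Finding("fs-01", "internal", date(2004, 11, 1), date(2004, 11, 30)),
    Finding("db-01", "internal", date(2004, 11, 1), date(2004, 12, 20)),
    Finding("hr-01", "internal", date(2004, 11, 1), None),
    Finding("print-01", "internal", date(2004, 11, 1), None),
    Finding("dc-01", "internal", date(2004, 11, 1), date(2005, 1, 5)),
]

# The article's observation: most damage happens within 15 days of an exploit appearing.
EXPLOIT_WINDOW_DAYS = 15


def time_to_fix_fraction(findings: List[Finding], fraction: float = 0.5) -> Optional[int]:
    """Days until `fraction` of the findings were fixed (fraction=0.5 is the half-life).

    Still-open findings count toward the denominator but never toward the
    numerator, so a cohort that never reached the fraction returns None
    instead of a misleadingly short figure.
    """
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    if not findings:
        return None
    needed = ceil(fraction * len(findings))
    ages = sorted((f.fixed - f.first_seen).days for f in findings if f.fixed is not None)
    if len(ages) < needed:
        return None
    return ages[needed - 1]


def summarize(findings: List[Finding], fraction: float = 0.5,
              window: int = EXPLOIT_WINDOW_DAYS) -> Dict[str, dict]:
    """Per-zone half-life and how far it overshoots the exploit window."""
    by_zone: Dict[str, List[Finding]] = {}
    for f in findings:
        by_zone.setdefault(f.zone, []).append(f)
    result = {}
    for zone, group in sorted(by_zone.items()):
        days = time_to_fix_fraction(group, fraction)
        result[zone] = {
            "findings": len(group),
            "still_open": sum(1 for f in group if f.fixed is None),
            "days_to_fix_fraction": days,
            "exceeds_window_by": None if days is None else max(0, days - window),
        }
    return result


if __name__ == "__main__":
    for zone, stats in summarize(SAMPLE_FINDINGS).items():
        print(zone, stats)
```

The ordered-age approach avoids interpolation: the half-life is simply the fix age of the k-th fastest remediation, where k is half the cohort rounded up. Raising `fraction` to 0.9 on the sample data returns None for the external zone, because one finding is still open and the cohort never reached 90% fixed; that is the signal to chase the stragglers rather than to report a number.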