
Cyber attackers are working much faster to exploit application code vulnerabilities and IT security is being overwhelmed, according to a study of vulnerabilities on 80 million IP addresses.

Eighty per cent of vulnerability exploits are available less than 10 days after the vulnerability's public release, said Wolfgang Kandek, CTO at IT risk assessment firm Qualys.

There has been little improvement in organisations' ability to deal with vulnerabilities in the past five years, according to a Qualys report released at Infosec Europe 2009 in London.

It is still taking most organisations around 30 days to patch or fix vulnerabilities, and 40% are taking longer or are not being fixed at all, said Kandek.

This 40% consists mainly of known vulnerabilities in Microsoft Office, Windows 2003 SP2, Sun Java and Adobe Acrobat, which shows that most organisations are not up to speed with patching, he said.

Only highly regulated sectors such as finance scored better than the average, taking only around 21 days to fix vulnerabilities, compared with unregulated sectors like manufacturing, which takes around 51 days, the report said.

Although the necessary security tools exist, many organisations are losing the battle against cybercriminals, which means something needs to change, said Kandek.

Cloud-based computing could be the answer, he said, because service providers have a vested interest in aggressive patching as well as having the human and financial resources to do it.

End-user organisations will be able to take advantage of the economies of scale that enable service providers to share the cost of top-level security across their customers, he said.