Improved patching still failing to deliver adequate security

Most companies remain vulnerable to remote data attacks despite increased efforts to improve security patching practices.



At this week’s Computer Security Institute conference in the US, Qualys, a provider of managed security services, released a study into the vulnerability and patch management practices of its customers.

Based on 32 million vulnerability assessment scans within its customer base, which include a large number of international companies, Qualys’ research showed that on average, companies take around 19 days to fix half of their internet-facing systems.

All these systems could face the risk of being exposed to critical vulnerabilities and remote attack.

Last year the patching response rate was 21 days to protect 50% of systems, compared with 30 days in 2003. But despite the gradual improvements, companies clearly weren’t reacting fast enough, said Qualys.

Qualys pointed out that almost 80% of exploits and attacks targeting new vulnerabilities took place once a patch had been issued, with most damage done within the first 15 days of an exploit being revealed.

Companies therefore have to aim well below this timeframe to protect their systems adequately.

Companies were even slower when it came to patching their internal IT systems. Qualys found that it took firms an average 48 days to patch 50% of internal systems.

This is lower than the 62 days it took to patch half of internal systems last year. But the propagation of new threats can now be much quicker, so firms had to do much more to react more quickly, said Qualys.
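The figures above are "half-life" measurements: the number of days after a vulnerability is first detected by which half of the affected systems have been patched. The following Python is an added example, not part of the article or Qualys' tooling, that computes that metric from constructed scan records and checks each network segment against the 15-day exploit window the article cites; the host names, dates and segment labels are made up.

```python
import math
from datetime import date

# Constructed scan records (not real data): one row per vulnerable host with
# the segment it sits in, the date a scan first flagged it, and the date a
# later scan no longer found the vulnerability (None = still unpatched).
SCAN_RECORDS = [
    ("external", "web-01",   date(2005, 10, 1), date(2005, 10, 4)),   # 3 days
    ("external", "web-02",   date(2005, 10, 1), date(2005, 10, 6)),   # 5 days
    ("external", "mail-01",  date(2005, 10, 2), date(2005, 10, 11)),  # 9 days
    ("external", "vpn-01",   date(2005, 10, 1), date(2005, 10, 21)),  # 20 days
    ("external", "dns-01",   date(2005, 10, 3), date(2005, 11, 2)),   # 30 days
    ("external", "ftp-01",   date(2005, 10, 1), None),                # unpatched
    ("internal", "file-01",  date(2005, 10, 1), date(2005, 10, 11)),  # 10 days
    ("internal", "db-01",    date(2005, 10, 1), date(2005, 11, 10)),  # 40 days
    ("internal", "hr-01",    date(2005, 10, 2), None),                # unpatched
    ("internal", "print-01", date(2005, 10, 2), None),                # unpatched
]

# Window within which the article says most exploit damage occurs.
EXPLOIT_WINDOW_DAYS = 15


def days_to_patch(records, segment, fraction=0.5):
    """Days after first detection by which `fraction` of the segment's
    vulnerable hosts were remediated, or None if that share was never reached.
    With fraction=0.5 this is the patching half-life used in the article."""
    times = []
    for seg, _host, first_seen, fixed in records:
        if seg == segment:
            times.append((fixed - first_seen).days if fixed else None)
    needed = math.ceil(len(times) * fraction)
    fixed_times = sorted(t for t in times if t is not None)
    if needed == 0 or len(fixed_times) < needed:
        return None  # unpatched hosts never contribute a remediation time
    return fixed_times[needed - 1]


def remediation_report(records, window_days=EXPLOIT_WINDOW_DAYS):
    """Map each segment to (half_life_days, within_exploit_window)."""
    report = {}
    for segment in sorted({r[0] for r in records}):
        half_life = days_to_patch(records, segment)
        within = half_life is not None and half_life <= window_days
        report[segment] = (half_life, within)
    return report


if __name__ == "__main__":
    for segment, (half_life, ok) in remediation_report(SCAN_RECORDS).items():
        print(f"{segment}: half-life {half_life} days, within window: {ok}")
```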


