Firms take 62 days to patch internal vulnerabilities

Companies are taking a typical 62 days to patch critical internal vulnerabilities and are still struggling to protect systems...

Companies are taking a typical 62 days to patch critical internal vulnerabilities and are still struggling to protect systems against external attacks.

That is according to Qualys chief technology officer Gerhard Eschelbeck addressing the Black Hat conference in Las Vegas.

He said the typical "half life" for critical internal vulnerabilities was 62 days, about 22 days more than the 40 days he suggested companies should now be aiming for.

Eschelbeck said the time it took companies to patch against critical external vulnerabilities had improved in the last year from an average of 30 days to today’s figure of 21 days, about the level of decrease experts predicted.

However, some of this gain is cancelled out by the more rapid deployment of vulnerabilities.

The information was culled from 6.6 million anonymous real-world scans undertaken by the company since January 2002, 70% of which were carried out on Qualys customers with the remaining being random trials by visitors to its website.

A total of 2,275 vulnerabilities classed as critical were detected, defined as those which would allow intruders to take control of systems or result in information loss.

Not surprisingly given its market dominance, the top 10 critical internal vulnerabilities named in Eschelbeck’s presentation all related to Microsoft software. The equivalent list of critical external vulnerabilities ranged across systems, but again problems with Microsoft products featured prominently.

“Vulnerabilities to web browsers, datacentres, mail servers and other internal systems show up consistently in our top list of the most critical vulnerabilities. In most cases, worms are circulating faster than systems being patched inside the network, and organisations have to be more aggressive about protecting their internal systems.“

His advice was to assess which vulnerabilities were the most important. “Organisations don’t need to catch every vulnerability. They need to catch those which will affect them the most.”

John E Dunn writes for Techworld

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.