Cyber attackers are working much faster to exploit application code vulnerabilities and IT security is being overwhelmed, according to a study of vulnerabilities on 80 million IP addresses.
Eighty per cent of vulnerability exploits are available less than 10 days after the vulnerability's public release, said Wolfgang Kandek, CTO at IT risk assessment firm Qualys.
There has been little improvement in organisations' ability to deal with vulnerabilities in the past five years, according to a Qualys report released at Infosec Europe 2009 in London.
It is still taking most organisations around 30 days to patch or fix vulnerabilities, and for 40% of vulnerabilities the fix takes longer or never happens at all, said Kandek.
That 40% consists mainly of known vulnerabilities in Microsoft Office, Windows 2003 SP2, Sun Java and Adobe Acrobat, which shows most organisations are not up to speed with patching, he said.
Only highly regulated sectors such as finance scored better than the average, taking around 21 days to fix vulnerabilities, compared with unregulated sectors such as manufacturing, which take around 51 days, the report said.
Although the necessary security tools exist, many organisations are losing the battle against cybercriminals, which means something needs to change, said Kandek.
Cloud-based computing could be the answer, he said, because service providers have a vested interest in aggressive patching as well as having the human and financial resources to do it.
End-user organisations will be able to take advantage of the economies of scale that enable service providers to share the cost of top-level security across their customers, he said.