Best Practices Derived from Laws of Vulnerabilities Research Identifies Weekly Auditing of Critical Assets as Top Security Priority
InfoSec World Conference, Orlando, FL — March 23, 2004 — The Yankee Group today announced the development of Dynamic Best Practices in Vulnerability Management to help organizations better manage network resources to identify and eliminate security weaknesses in a timely manner. Implementing dynamically changing best practices in vulnerability management is the most effective, preventative measure security administrators can use to thwart automated attacks and preserve network security. The guidelines and metrics developed by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys. The Dynamic Best Practices in Vulnerability Management is a custom consulting report contracted by Qualys from the Yankee Group.
“Performing regular security audits is a vital step companies must take to keep up with the changing security landscape,” said Eric Ogren, Senior Analyst at the Yankee Group. “With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets.”
The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities. The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program. The Laws of Vulnerabilities are derived from the industry’s largest vulnerability dataset and reveal vulnerability half-life, prevalence, persistence, and exploitation trends. These trends were drawn from statistical analysis of vulnerabilities collected by more than three million scans during a two-year period.
Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:
- Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.
- Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.
- Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team’s performance to make sure the end result is risk reduction, especially to critical assets.
- Audit: Security officers should utilize the results of vulnerability scans to understand a corporation’s network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
“Regulations such as HIPAA and Sarbanes-Oxley, coupled with recent threats from viruses like MyDoom, have required companies like Geisinger to adopt industry best practices that will ensure compliance and proactive network protection” said Jaime Chanaga, Chief Information Security Officer for the Geisinger Health System in Pennsylvania. “Yankee Group’s best practices underscore the importance of continuous vulnerability scanning in today’s changing threat environment.”
Yankee Group and Qualys are presenting these Best Practices in Vulnerability Management at a panel discussion at InfoSec World on Tuesday, March 23rd at 6:00 p.m. To access the entire research report, please visit the Qualys website at: http://www.qualys.com/yankee
About The Laws of Vulnerabilities
The Laws of Vulnerabilities are:
- Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with lowering degrees of severity. In other words, for even the most dangerous vulnerabilities, it still takes organizations 30 days to patch half of their vulnerable systems, leaving the balance exposed for a significant period of time.
- Prevalence: 50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis. The continuous discovery of the most dangerous and widespread vulnerabilities produces an ever-changing window of exposure to computers and networks.
- Persistence: The lifespan of some vulnerabilities is unlimited. Old risks recur partly due to new deployments of PCs and servers with faulty, unpatched software.
- Exploitation: 80% of vulnerability exploits are available within 60 days after the vulnerability release. Such rapid availability of exploits creates a significant exposure for organizations until they patch all vulnerable systems.
The Yankee Group
The Yankee Group is the global leader in communications & networking research and consulting. The company helps businesses understand the opportunities, risks and competitive pressures of developing, deploying and consuming products and services that drive communication or information exchange. Now in its fourth decade, the Yankee Group is based in Boston with offices throughout North America and Europe. http://www.yankeegroup.com
Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.
Pour toutes informations complémentaires, vous pouvez contacter :
Contact: Megan Lamb
Contact: Kim Vranas
The Yankee Group
For all other matters :