"Laws of Vulnerabilities" Research Shows Progress, But Reveals Two out of Three Systems Still Vulnerable to Potential Exploit

CSI Conference, Washington, DC — November 15, 2005 — Gerhard Eschelbeck, CTO and VP Engineering of Qualys™, Inc., the leading provider of on demand vulnerability management and policy compliance solutions, today unveiled his 2005 findings on “Laws of Vulnerabilities” research that shows new trends in network vulnerabilities. The research shows that while significant improvement was made during the last year in patching practices, still two out of three, or nearly 70 percent of systems, are currently vulnerable and in jeopardy of potential exploit or attack.

For more than three years, Eschelbeck has analyzed statistical vulnerability data to create the “Laws of Vulnerabilities,” which identifies network security trends and allows organizations to recognize evolving threats and compare their remediation efforts with the rest of the industry. This year, the “Laws of Vulnerabilities” was drawn from a statistical analysis of nearly 21 million critical vulnerabilities, collected from 32 million live network scans, the largest real-world data set of network vulnerabilities to date.

The data shows that organizations have improved patching processes on internal systems by 23 percent and on external systems by 10 percent. However, the time-to-exploit cycle from automated attacks continues to shrink dramatically. Today, 85 percent of damage from automated attacks occurs within the first fifteen days from the outbreak.

The research also shows that the threat to wireless systems today is statistically very small. Only one in nearly 20,000 critical vulnerabilities is caused by a wireless device. However, there has been a significant shift from server-side to client-side vulnerabilities. More than 60% of new critical vulnerabilities occur in client applications. Client-side vulnerabilities require a user to take action, such as visiting a malicious website or opening an infected email attachment.

“2005 has been the year of improvements for patching and updating vulnerable systems,” said Gerhard Eschelbeck, CTO and VP of Engineering for Qualys. “This is heavily driven by the fact that vendors like Microsoft and others are now are issuing regular advisories with patch updates, which ends up speeding the prioritization and remediation efforts within organizations.”

The full findings from the research can be found at www.qualys.com/laws. The summary is provided below:

1. Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. In the last year, the half-life of critical vulnerabilities for external systems has been reduced from 21 days to 19 days; and from 62 days to 48 days for internal systems. Vulnerabilities released on a predefined schedule show an 18 percent increase in patch response.
2. Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis.
3. Persistence: Four percent of critical vulnerabilities remain persistent and their lifespan is unlimited.
4. Focus: 90 percent of vulnerability exposure is caused by 10 percent of critical vulnerabilities.
5. Window of Exposure: The time-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of exploits are available within the first half-life period of critical vulnerabilities.
6. Exploitation: Automated attacks create 85 percent of their damage within the first fifteen days from the outbreak and have an unlimited life time.

“The Laws of Vulnerabilities research gives security managers and executives clear, statistical information that helps them make better informed decisions, “said Howard A. Schmidt, former cyber security advisor to the President. “With automated attacks creating 85 percent of their damage within the first fifteen days, it is even more critical that organizations act quickly to identify and remediate threats. The Laws helps organizations understand exactly how vulnerable their systems are and where priorities should be placed.”

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

For media inquiries or to find the appropriate spokesperson

Contact: Megan Lamb
Merritt Group
703-390-1535

Contact: Jonathan Bitle
Qualys, Inc.
650-801-6100

For all other matters

Contact: pr@qualys.com

Media Contacts:
Tami Casey
Qualys
(650) 801-6196
tcasey@qualys.com

Mariah Gauthier
HighwirePR
(415) 963 4174
qualys@highwirepr.com