Research, Made Public Every Year, Identifies New Trends in Vulnerabilities, and Now Expands into Wireless
CSI Conference, Washington, DC — November 15, 2005 — Gerhard Eschelbeck, CTO and VP Engineering of Qualys™, Inc., the leading provider of on demand vulnerability management and policy compliance solutions, today unveiled the 2005 findings of his “Laws of Vulnerabilities” research, which identifies new trends in network vulnerabilities. The research shows that, while patching practices improved significantly during the last year, two out of three systems, or nearly 70 percent, are still vulnerable and in jeopardy of potential exploit or attack.
For more than three years, Eschelbeck has analyzed statistical vulnerability data to create the “Laws of Vulnerabilities,” which identifies network security trends and allows organizations to recognize evolving threats and compare their remediation efforts with the rest of the industry. This year, the “Laws of Vulnerabilities” was drawn from a statistical analysis of nearly 21 million critical vulnerabilities, collected from 32 million live network scans, the largest real-world data set of network vulnerabilities to date.
The data shows that organizations have improved patching processes on internal systems by 23 percent and on external systems by 10 percent. However, the time-to-exploit cycle from automated attacks continues to shrink dramatically. Today, 85 percent of damage from automated attacks occurs within the first fifteen days from the outbreak.
The research also shows that the threat to wireless systems today is statistically very small. Only one in nearly 20,000 critical vulnerabilities is caused by a wireless device. However, there has been a significant shift from server-side to client-side vulnerabilities. More than 60% of new critical vulnerabilities occur in client applications. Client-side vulnerabilities require a user to take action, such as visiting a malicious website or opening an infected email attachment.
“2005 has been the year of improvements for patching and updating vulnerable systems,” said Gerhard Eschelbeck, CTO and VP of Engineering for Qualys. “This is heavily driven by the fact that vendors like Microsoft and others are now issuing regular advisories with patch updates, which ends up speeding the prioritization and remediation efforts within organizations.”
The full findings from the research can be found at www.qualys.com/laws. The summary is provided below:
“The Laws of Vulnerabilities research gives security managers and executives clear, statistical information that helps them make better informed decisions,” said Howard A. Schmidt, former cyber security advisor to the President. “With automated attacks creating 85 percent of their damage within the first fifteen days, it is even more critical that organizations act quickly to identify and remediate threats. The Laws helps organizations understand exactly how vulnerable their systems are and where priorities should be placed.”
With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organizations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.
Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.