[ISN] Wireless woes exaggerated, says study

InfoSec News isn at c4i.org
Thu Nov 17 02:26:00 EST 2005


http://www.techworld.com/security/news/index.cfm?NewsID=4801

By John E. Dunn
Techworld
16 November 2005

The number of wireless security vulnerabilities in the real world is
vanishingly small, research from Qualys has suggested.

That was the finding of latest annual Laws of Vulnerabilities report
written by Qualys CTO Gerhard Eschelbeck.

Despite worries about wireless security, only one in 20,000 of the
vulnerabilities uncovered by scans of the company's customer base
related to wireless systems. The figure can be considered significant
because it was drawn from analysis of 32 million live networks scans
and 21 million uncovered instances of vulnerabilities.

The research also showed (PDF) [1] that external network patching
"half-life" has improved from last year's figure of 21 days to this
year's 19 days. The half-life is defined at the time it takes
company's to patch at least 50 percent of their systems, thus reducing
exposure to security threats.

Internal network patching has also come down from 62 days to 48 days
during the same period. In total, 90 percent of such exposure is
caused by only 10 percent of the critical holes.

On a less positive note, the time it takes for exploits to appear for
vulnerabilities is also shrinking. Fully 80 percent of the most
dangerous holes are exploited within the current half-life period. The
overwhelming majority of automated attacks do their damage in the
first 15 days.

"2005 has been the year of improvements for patching and updating
vulnerable systems. This is heavily driven by the fact that vendors
like Microsoft and others are now are issuing regular advisories with
patch updates, which ends up speeding the prioritisation and
remediation efforts within organizations," said Eschelbeck.

As with last year, Microsoft dominates the top ten critical
vulnerabilities, both for internal and external networks. Not
surprisingly given the company's desktop dominance, the report detects
a marked move towards security holes affecting clients rather than
servers, with the former accounting for 60 percent of new
vulnerabilities uncovered.

[1] http://www.qualys.com/docs/laws_of_vulnerabilities.pdf





More information about the ISN mailing list