21 Days = Average Critical Vulnerability Half-Life

I hadn’t stopped by the SDForum Security SIG in a while. A few notes from last Thursday’s meeting in Palo Alto:

Gerhard Eschelbeck, CTO at network security company Qualys, gave a presentation on his analysis of aggregated vulnerability data. Their company provides network vulnerability scanning and monitoring services, and the 2004 data set used in his study includes over 14 million IP scans, both within corporate firewalls and on the public network. They turned up over 3 million exposed critical vulnerabilities, or just over 20% of the scanned systems.

He’s publishing a monthly list of the top 10 internal and external vulnerabilities, along with his report on the Laws of Vulnerability.

In aggregate, exposure to new vulnerabilities decreases exponentially, i.e. with a half-life, as patches are deployed or services are disabled. The average half-life in 2004 was 21 days for a critical vulnerability, meaning that after 21 days, half the vulnerable systems had been patched. The time between announcement of a vulnerability and the onset of new exploits is coming down faster than the vulnerability half-life. As an example, the Zotob patch was released on August 9th, and by the 12th the exploit was propagating in the wild (but the corresponding half-life has also been quite short).

The well-known Microsoft patch release schedule, intended to help customers with IT resource planning, has also become the production schedule for exploit writers, who set up shop with parallel systems, one with and one without the new patches, and rush their code into “production” as soon as possible to hit the vulnerability window. IT managers are increasingly faced with bad choices between living with a known vulnerability for longer, or rushing into production with an untested patch that may break other systems.

Gerhard’s laws of vulnerability:

      1. Half-Life - The half-life of critical vulnerabilities is 21 days on external systems and 62 days on internal systems, and doubles with each lower degree of severity
      2. Prevalence - 50% of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis
      3. Persistence - The lifespan of some vulnerabilities and worms is unlimited
      4. Exploitation - The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80% of worms and automated exploits target the first two half-life periods of critical vulnerabilities
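The half-life model above is just exponential decay, so it is easy to put numbers on the exploit window it describes. The following is an added example written for this post, not code from Qualys or from the report; the half-life values are the ones quoted above, and the "doubles per severity step" reading of Law 1 and the three-day exploit delay (patch on the 9th, exploit on the 12th) are assumptions taken from the text rather than from the underlying data.

```python
"""Exponential-decay model of vulnerability exposure (added example, not Qualys code).

remaining(t) = 0.5 ** (t / half_life): the fraction of initially vulnerable
hosts still unpatched t days after the patch is released.
"""
import math

EXTERNAL_HALF_LIFE_DAYS = 21   # Law 1, external systems (from the post)
INTERNAL_HALF_LIFE_DAYS = 62   # Law 1, internal systems (from the post)


def remaining_fraction(days, half_life_days):
    """Fraction of vulnerable hosts still unpatched after `days`."""
    if half_life_days <= 0:
        raise ValueError("half-life must be positive")
    if days < 0:
        raise ValueError("days must be non-negative")
    return 0.5 ** (days / half_life_days)


def half_life_for_severity(base_half_life_days, steps_below_critical):
    """Law 1 says the half-life 'doubles with lowering degrees of severity'.

    Assumption: one doubling per severity step below critical.
    """
    return base_half_life_days * (2 ** steps_below_critical)


def days_until_remaining(target_fraction, half_life_days):
    """Days until only `target_fraction` of hosts remain vulnerable."""
    if not 0 < target_fraction <= 1:
        raise ValueError("target fraction must be in (0, 1]")
    return half_life_days * math.log2(1 / target_fraction)


def exposure_when_exploit_appears(exploit_delay_days, half_life_days):
    """Fraction of hosts still exposed when an exploit appears
    `exploit_delay_days` after the patch (the vulnerability window)."""
    return remaining_fraction(exploit_delay_days, half_life_days)


def exposure_table(half_life_days, periods=4):
    """Remaining exposure at the end of each half-life period.

    Law 4 says 80% of worms hit the first two periods; this shows how much
    of the population is still a target at those points.
    """
    return [(n * half_life_days, remaining_fraction(n * half_life_days, half_life_days))
            for n in range(periods + 1)]


if __name__ == "__main__":
    # Zotob-style timing: exploit three days after the patch (assumed from the post).
    for label, hl in (("external", EXTERNAL_HALF_LIFE_DAYS),
                      ("internal", INTERNAL_HALF_LIFE_DAYS)):
        print(f"{label}: half-life {hl}d, still exposed after 3 days: "
              f"{exposure_when_exploit_appears(3, hl):.1%}")
        for day, frac in exposure_table(hl, periods=2):
            print(f"  day {day:3d}: {frac:.0%} unpatched")
```

Even with the short 21-day external half-life, about 91% of the population is still unpatched when an exploit lands three days after the patch, and a quarter is still unpatched at the end of the second half-life period that Law 4 says most worms target.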

Before Gerhard’s talk, Ira Victor also presented some notes from DefCon:

  • Going mainstream - half non-tech hackers, people use real names instead of handles
  • Physical security getting a lot of attention - Kwikset and Master locks often cited as examples of nearly useless locks. Medeco locks were considered good, hard to pick.
  • Hotel safes are often similar to Kryptonite locks; the cylindrical pen hack frequently works.
  • ATM vulnerability talk by a former NSA guy - old ATM machines available on eBay, buy-it-now price = $200; leave the ATM machine somewhere and acquire card data and PINs, then collect the machine and use the data. Defense - look for machines that are built in to a real bank building etc. vs. transportable ATMs.
  • IR hacking - hotel - billing, television, minibar, etc.; all hotel traffic appears on the IR link, lots of discussion on Slashdot

Other miscellaneous stuff:
Adobe PDF Reader update to 7.0.3 addresses a new critical vulnerability. New attack vectors are appearing through content, rather than direct code. Historically content has been viewed as innocuous, with corresponding user behaviors.

Ira likes Kaspersky or NOD32; says that Symantec and McAfee don’t pick up as many malware packages.
NOD32 on the desktop has low CPU load vs. other packages, and recently hired many Kaspersky staffers. Likes diversity in security vendors across network layers. Ira likes to put Kaspersky on the server side. Symantec AntiVirus Corporate Edition had a local privilege escalation vulnerability in the past few days.

© 2004-2008 Ho John Lee