Want to keep more attacks against your organization - including those involving malware - from succeeding? Then refer to the half-life of vulnerabilities, a concept cooked up by cloud security and compliance services firm Qualys. It refers to the amount of time it takes half of systems that are affected by a vulnerability to get patched against that flaw, explains Wolfgang Kandek, the company's chief technology officer.
"Eliminate vulnerabilities faster, so that you have less problems with exploits, less probabilities of data breaches," Kandek says in an interview with Information Security Media Group. "I tell everybody, if you can go to a faster update cycle, it will eliminate over 80 percent of the attacks; [they] will not work anymore against your platform."
The impetus for this type of measurement is simple: Online attackers typically target vulnerabilities, either directly or via malware, to compromise targets, Kandek says. For example, crimeware toolkits - which can automatically package and distribute vast quantities of malware - often get updated with exploits for the latest Flash and Adobe Java browser plug-ins just hours or days after information about the vulnerability goes public.
But some industries are better than others at speedily addressing vulnerabilities, Qualys says. While the average half-life for a vulnerability in all sectors is 30 days, vulnerabilities in the service industry have an average half-life of 21 days, followed by 23 days for finance and 24 days for retail, the company estimates. But the manufacturing sector ranks last, at 51 days.
In this interview (audio link below photo), Kandek also discusses:
- The need for more vendors to more quickly update - and whenever possible automatically update - their software;
- How Google is reshaping vulnerability repair timelines;
- How a common update mechanism across various software platforms could be a boon for businesses - and why Microsoft does not want that job.
Kandek is the chief technology officer at Qualys. During his 13-year tenure there, he has also served as its vice president of engineering, vice president of operations and director of network operations. Before that, he held positions at such businesses as MyPlay, iSyndicate, and IBM.