IT exec: Apply patches on schedule, not demand

Organizations that apply software security patches on a regular schedule tend to apply them faster than those that install them as needed, the chief technology officer at Qualys told hundreds of information technology industry representatives today.

Organizations that follow a predefined monthly patching process install the updates, on average, 18 percent faster than organizations that apply them only when warned of vulnerabilities, said Gerhard Eschelbeck, who is also Qualys’ vice president of engineering.

This should be food for thought in the industry, where there’s a lot of discussion about whether it’s more secure to patch on a schedule or simply address vulnerabilities as they are revealed, Eschelbeck said during the Computer Security Institute’s 32nd Annual Computer Security Conference and Exhibition in Washington, D.C.

To reach its conclusion, Qualys performed a statistical analysis of 32 million vulnerability scans of 2,000 customers between 2002 and 2005, Eschelbeck said.

The company also found that organizations’ patching behavior mirrors the half-life of radioactive materials, Eschelbeck said.

Half-life is the scientific term for the time for 50 percent of a radioactive material to decay into a nonradioactive substance, such as uranium into lead.

Qualys found that the half-life of patching (the time for 50 percent of companies to have patched a given vulnerability) for systems connected to the Internet in 2005 was 19 days. For internal systems, the half-life was 48 days.
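As an added illustration, not part of the original article or of Qualys' analysis: a short Python sketch that measures the patching half-life as defined above from constructed per-host scan results, then projects the exposure window that a given half-life implies. The sample data and function names are assumptions.

```python
import math
from typing import Optional, Sequence

# Constructed sample (not Qualys data): for one vulnerability, the number of
# days after patch release on which each scanned host was first seen patched;
# None marks a host still unpatched at the last scan.
SAMPLE_DAYS_TO_PATCH = [3, 5, 9, 12, 14, 19, 19, 25, 33, 40, None, None]

def patch_half_life(days_to_patch: Sequence[Optional[int]]) -> Optional[int]:
    """Observed half-life: the day by which at least half of the hosts were patched.

    Hosts never seen patched still count toward the population, so stragglers
    cannot be dropped to flatter the number. Returns None when fewer than half
    the hosts were patched within the observation window.
    """
    total = len(days_to_patch)
    if total == 0:
        return None
    patched = sorted(d for d in days_to_patch if d is not None)
    for count, day in enumerate(patched, start=1):
        if 2 * count >= total:
            return day
    return None

def exposed_fraction(half_life_days: float, t_days: float) -> float:
    """Share of hosts still unpatched t days after release, assuming the
    exponential decay that the half-life analogy implies."""
    return 0.5 ** (t_days / half_life_days)

def days_until_exposed_below(half_life_days: float, target: float) -> float:
    """Days until the unpatched share drops below `target` (e.g. 0.1 for 10%)."""
    return half_life_days * math.log(target) / math.log(0.5)

def goal_half_life(current_days: float, cut: float = 0.20) -> float:
    """Half-life after a proportional reduction (the article proposes 20 percent)."""
    return current_days * (1.0 - cut)

if __name__ == "__main__":
    print(f"observed half-life in sample: {patch_half_life(SAMPLE_DAYS_TO_PATCH)} days")
    for label, hl in (("external 2005", 19), ("internal 2005", 48)):
        print(f"{label}: {exposed_fraction(hl, 30):.0%} still unpatched at day 30, "
              f"goal {goal_half_life(hl):.0f} days, "
              f"under 10% exposed after {days_until_exposed_below(hl, 0.1):.0f} days")
```

Feeding the function real scan history per vulnerability gives the same 50-percent metric the article reports, which makes it easy to track against the targets mentioned later in the piece.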

Comparatively, “19 days is pretty good” for externally facing systems, Eschelbeck said. The 48-day half-life is “obviously a significant window of exposure for organizations.”

Both figures, however, are improvements over 2004. Last year, the half-life was 21 days for external systems and 62 days for internal systems, Eschelbeck said.

A long half-life doesn’t necessarily mean an organization is unprotected, Eschelbeck noted. Organizations can use access-control lists and other technologies to temporarily protect their systems until a patch is installed, he said.

Eschelbeck said he would like to see the half-life of patching decrease an additional 20 percent in 2006, to 15 days for external systems and 38 days for internal systems.

He believes that is a reasonable goal, but any improvements beyond that start pushing the physical limits of organizations’ ability to patch quickly, he said.

To cut that additional 20 percent, organizations must know the Top 10 vulnerabilities they face and prioritize patching them, Eschelbeck said. That’s because the Top 10 weaknesses cause 90 percent of security problems, he said.

Organizations must also start enforcing security on their networks, Eschelbeck said. They must make sure that all devices they want to use are secure before they connect the items to the network.

This field, called network admissions management, will hit its stride in 2006, Eschelbeck said. This year, Cisco Systems released Network Admission Control and Microsoft issued Network Access Protection, which let customers assess devices’ security and grant them network access based on it, he said.

“There’s a real need in the market for this kind of technology,” he said.

