Slow Response Leaves Mobile Users Most Vulnerable to Security Threats
Tuesday, 21 November 2006
Trusted Strategies and Shavlik Technologies have released findings of a new study aimed at identifying how companies assess, remediate and manage vulnerabilities, and where security policies break down or are under-supported by current solutions.
The e-mail survey drew responses from more than 150 US-based IT security professionals, and points to a lack of automated solutions to support security configuration management at the edge of the network as an ongoing and critical flaw in vulnerability management offerings. Trusted Strategies is an information security industry consulting and market intelligence firm; Shavlik is a leader in security configuration and policy management software.
According to the survey, half of respondents (49.6 percent) said that it takes more than six days to patch critical vulnerabilities on laptop computers, even though nearly two-thirds (60.4 percent) of respondents listed mobile laptops as the greatest threat to maintaining a secure posture. By contrast, nearly 80 percent (77.4 percent) of critical server vulnerabilities and 70 percent (67.9 percent) of critical desktop vulnerabilities are patched within six days of discovery.
The survey data suggests that this discrepancy may be explained by a lack of automated assessment, remediation and management tools at the edge of the network (especially on mobile devices). While over 90 percent of respondents believe it is “important” or “very important” to fully automate all of the patch and vulnerability management lifecycle, one in three respondents report that they have only automated “some” or “none” of the patch/vulnerability lifecycle on mobile desktops.
“Over the last six to 12 months, zero-day exploits have risen significantly as hackers grow smarter, better organized, and more financially motivated,” said Mark Shavlik, CEO of Shavlik Technologies. “And once a vendor releases its patch, the timeframe to deploy the patch across the network must be extremely short as knowledge of how to exploit the vulnerability rises exponentially once a patch is published. Best practices therefore dictate available patches be deployed within 36 hours or less, to every machine on the network, especially to those distributed and mobile end points that are most vulnerable.”
The survey findings also seem to support the belief within the security market that while Microsoft Windows Vista will improve security, it will not completely address customers’ patch and vulnerability lifecycle management needs. Only 30 percent of respondents expect Vista to solve “all” or “most” of those requirements, and nearly another 30 percent “don’t know” how Vista will impact patch and vulnerability management.
“Contrary to speculation by the media and other observers, the survey data suggest that the release of Vista later this month will not signal the death knell of third-party security solution providers,” said Bill Bosen, a Partner at Trusted Strategies. “While respondents recognize there will be security benefits with Vista adoption, they see value in an integrated vulnerability management solution that augments Microsoft’s security improvements.”