July 13 2004
"...As the window shrinks between the discovery of vulnerabilities and the exploits that follow them, security patching -- once an obscure and neglected chore -- is beginning to take on a more urgent role in some corners of the business world, say analysts and IT managers. Leading the way are organizations with mission-critical technology -- chiefly finance agencies -- who've managed to reduce critical security patch times from weeks to just days. "In some cases, it took 200 days to roll out a patch across 36,000 machines," says Robert Garigue, VP and CISO of the Bank of Montreal. "Now we can do that in less than a week."...That tempo, the time between vulnerability discovery and exploit, has compressed 90% during the past three years -- the average being 11 days between discovery and exploit (well below the 23 days most enterprises need to patch), according to a June META research paper. "We're really close to the day where we have no time to test and patch before exploits happen," says Corby. Symantec's Friedrichs believes that skilled hackers are already sitting on exploit code for unknown vulnerabilities, keeping the information close to the vest so only they can use it. And he predicts that it's only a matter of time before a Blaster-level worm exploits a heretofore unknown vulnerability. In this way, patching will always be reactive. So layered protection is still the best, starting with policy-based, centrally-managed desktop firewalls and anti-virus, say experts..."
Companies adapt to a Zero Day world