1. Articles
1.1. 2006
1.1.1. Black Hat
1.1.2. other comments
1.1.2.1. art
1.1.2.2. Yankee Group
1.1.2.2.1. what analysts do with the research
1.1.2.2.2. check out for formatting
1.2. 2009
1.2.1. Home
1.2.2. Laws 2.0
1.2.2.1. Dark Reading
1.2.2.2. lots of other, mostly the same style
2. document
2.1. source of this 2006 summary
2.2. local
3. Structure
3.1. EXECUTIVE SUMMARY
3.1.1. Understanding the behavior of vulnerabilities is essential to set effective security strategy and proactively implement security solutions
3.1.2. This paper describes The Laws of Vulnerabilities, which are six axioms about the behavior of vulnerabilities gleaned from a continuous long-term research project launched by Qualys in 2002.
3.2. DATA AND METHODOLOGY
3.2.1. Data was automatically and anonymously drawn from the largest collection of vulnerabilities in the world – the Qualys KnowledgeBase for QualysGuard. The KnowledgeBase contains signatures and identification statistics for more than 4,800 network vulnerabilities of varying severity within these categories:
3.2.2. lists them
3.2.3. Data for this analysis was derived from 40,631,913 IP scans with QualysGuard conducted globally during the period of 8 September 2002 and 31 January 2006.
3.2.4. There were 45,378,619 critical vulnerabilities identified by these scans. A critical vulnerability provides an attacker with the ability to gain full control of the system, and/or leakage of highly sensitive information.
3.2.5. A major new trend is the shift in critical vulnerabilities from server to client applications.
3.2.5.1. Earlier data in this analysis showed most vulnerabilities were in server applications such as web server, mail server, and operating system services.
3.2.5.2. Data now show more than 60 percent of new critical vulnerabilities are in client applications such as web browser, backup software, media players, antivirus, Flash and in other tools.
3.2.6. wireless only 1 in 20,000
3.2.6.1. The data analysis also debunked a popular myth that wireless networks are a significant security vulnerability for enterprise networks. According to the data in this study, just one in nearly 20,000 critical vulnerabilities is caused by a wireless device.
3.3. The Laws
3.3.1. Half-life
3.3.1.1. patching
3.3.1.2. Half-life is the duration of half a process. The term often connotes danger. Half-life plays a critical role in protecting people, such as with radioactivity, or calculating the impact of improperly using an old drug.
3.3.1.3. Half-life is equally important in understanding and preparing network defenses for malware and other vulnerabilities.
3.3.1.4. Our analysis for The Laws in 2003 found that half-life was 30 days, applicable mostly to external systems. Now the half-life for external systems has shrunk to 19 days. Half-life for internal systems is 48 days.
3.3.1.5. The meaning of these statistics is that for even the most dangerous vulnerabilities, it still takes organizations 19 days to patch half of vulnerable external systems.
3.3.1.6. Patching half of internal systems takes 48 days – more than 150 percent longer than for patching external IPs! Exposure of unpatched systems continues during the significantly long period of half-life dissipation.
3.3.1.7. a 2005 example given in graph
3.3.1.7.1. example is on incidents
3.3.2. Prevalence
3.3.2.1. Prevalence is the degree to which the vulnerability poses a significant threat.
3.3.2.1.1. right definition?
3.3.2.2. flu comparison
3.3.2.2.1. The ongoing global threats to people by dangerous viruses such as SARS or Avian Flu have significant prevalence until implementation of precautions reduces threats to a negligible level.
3.3.2.2.2. check economist
3.3.2.3. Half of critical vulnerabilities change every year.
3.3.2.4. more explanation given but they need a better measure
3.3.2.5. no interpretation given to what this means
3.3.3. Persistence
3.3.3.1. variant exploit appears – and forces an immediate restarting of the patching process. The risk of re-infection also can happen when we deploy new PCs and servers with images of faulty unpatched operating system and/or application software.
3.3.3.2. A dramatic demonstration of The Law of Persistence was the SNMP Writable vulnerability. Exploits of this vulnerability appeared in late 2002 and recurred with aggressive regularity for two years before subsiding in summer 2005.
3.3.4. Focus
3.3.4.1. Ten percent of critical vulnerabilities cause nearly all exposure.
3.3.4.1.1. The old 90 / 10 rule also applies to occurrence of critical vulnerabilities. The data in this study revealed that 90 percent of vulnerability exposure is caused by 10 percent of critical vulnerabilities.
3.3.4.2. use the graph
3.3.4.3. Long tail, power law
3.3.4.4. maybe recall a summary of the top two vulnerabilities
3.3.5. Exposure
3.3.5.1. time-to-exploit cycle is shrinking faster than the rediation cycle.
3.3.5.2. Early data in this research project noted that that 80% of critical vulnerability exploits were available within 60 days of their public announcements.
3.3.5.3. The updated axiom restates the idea behind the Law of Exposure as 80 percent of critical vulnerability exploits are available within the first half-life after their appearance.
3.3.5.4. The Zotob worm (CVE-2005-1983) is another recent example of quick exploitation. The worm is enabled by a stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1. It allows remote attackers to execute arbitrary code and local users to gain unauthorized administrator privileges. Microsoft announced the vulnerability on August 11, 2005. Microsoft said exploit code became available the next day.
3.3.6. Exploitation
3.3.6.1. Nearly all damage from automated attacks is during the first 15 days of outbreak.
3.3.6.2. The Law of Exploitation shows that severe damage from a vulnerability exploit is most likely to happen right after it appears. The most recent data show that initial period of severe damage is during the first 15 days of outbreak.