The Laws of Vulnerabilities presented at BlackHatAsia 2004

by Gerhard Eschelbeck

Summary: New vulnerabilities affecting networks are discovered and published on a daily basis. With each such announcement, the same questions arise. How significant is this vulnerability? How prevalent is it? How easy is it to exploit? Are any of my systems affected? Due to the lack of global vulnerability data, answers to these questions are often hard to find, and risk rating is even more difficult.
As part of ongoing research, Gerhard Eschelbeck of Qualys, Inc. has been gathering statistical vulnerability information for more than two years. Those vulnerabilities have been identified in the real world across hundreds of thousands of systems and networks. This data is not identifiable to individual users or systems. However, it provides significant statistical data for research and analysis, which enabled Gerhard to define the Laws of Vulnerabilities.
The Laws of Vulnerabilities are derived from vulnerability data gathered during the past 30 months from over five million scans of individual systems at global organizations. During this timeframe, a total of more than three million vulnerabilities - reflecting multiple levels of severity and prevalence - have been identified. Furthermore, the responses to external events (e.g. the availability of an exploit, or a worm taking advantage of a vulnerability) have been studied, providing valuable lessons for attendees on how to protect networks and systems from evolving threats.