North American Network Operators Group


Re: AV/FW Adoption Studies

  • From: Sean Donelan
  • Date: Wed Jun 09 18:50:11 2004

On Wed, 9 Jun 2004 [email protected] wrote:
> A writeup on the OpenSSL holes, the Slapper worm, and when/why users
> patched their systems.  17 pages, PDF.
>
> http://www.rtfm.com/upgrade.pdf
>
> Lots of interesting conclusions about user behavior, which we probably
> need to consider when planning.  Some non-trivial math/stats, but they
> explain what the results mean in plain English too, so feel free to
> skip over the formulas to the "this clearly shows..."..

I've been calling this the 40/40 rule.

What's interesting is how consistent it remains, regardless of the
timeline, exploit or publicity.

About 40% of the vulnerable population patches before the exploit.

About 40% of the vulnerable population patches after the exploit.

The numbers vary a little e.g. 38% or 42%, but the speed or severity or
publicity doesn't change them much.  If it is six months before the
exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
effect, as the exploits show up sooner the people who were going to patch
anyway patch sooner.  The ones that don't, still don't.

Businesses aren't that different from consumers.

A business is like a super-cluster of PCs.  Don't think of individual PCs,
but of clusters of sysadmins. The difference is the patching occurs in
clusters. Sysadmin clusters follow the same 40/40 rule.  If you have 1,000
businesses each with 10-1,000 computers, within a sysadmin cluster it
tends to be a binary patched/not patched for 99% of the computers in the
same cluster.  But across 1,000 clusters of PCs, things don't look that
different.  About 40% of the clusters are patched before the exploit,
about 40% are patched after the exploit.  Sometimes the cluster has 1,000
patched computers, sometimes the cluster has 10 patched computers,
sometimes the cluster has 1,000 unpatched computers.  Don't mistake size
for better managed.

> Both of these papers are somewhat flawed in that they focus on the
> mostly-broken idea that the admin/user would even know a patch if it came by
> and bit them on the posterior.....

The good news is after the exploit, thanks to the invisible hand about 80%
of the patching behavior occurs without a lot of extra prompting.  The bad
news is regardless of what actions are taken, about 60% of PCs/clusters will
be vulnerable when an exploit is released regardless of how long the patch
has been available.
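The cluster model in the post (every machine in a sysadmin cluster is patched or unpatched together, and the clusters themselves split roughly 40/40/20 into patched-before, patched-after and never) is easy to put into a small calculation. The following Python is an added illustration, not code from the original post or from the paper it discusses; the cluster names, sizes, patch days and the day-90 exploit date are all constructed assumptions. It shows the one thing the post warns about: the share of clusters that are patched and the share of machines that are patched are different numbers, so exposure planning has to weight by cluster size.

```python
"""Worked illustration of the '40/40 rule' over sysadmin clusters.

Constructed example data: each cluster patches all of its machines on a
single day (binary patched/unpatched per cluster) or never patches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PATCH_DAY = 0      # day the fix became available (hypothetical timeline)
EXPLOIT_DAY = 90   # day the exploit appeared (hypothetical)


@dataclass(frozen=True)
class Cluster:
    name: str
    size: int                 # machines managed by this sysadmin cluster
    patch_day: Optional[int]  # day the whole cluster was patched; None = never


# Constructed population of ten clusters, sized so that the split by
# cluster count comes out 40/40/20, as in the post.  Note that cluster
# size is deliberately uncorrelated with patch timing.
CLUSTERS: List[Cluster] = [
    Cluster("c01", 1000, 5),
    Cluster("c02", 10, 30),
    Cluster("c03", 250, 60),
    Cluster("c04", 40, 88),
    Cluster("c05", 1000, 91),
    Cluster("c06", 10, 95),
    Cluster("c07", 500, 120),
    Cluster("c08", 120, 150),
    Cluster("c09", 1000, None),
    Cluster("c10", 30, None),
]


def classify(cluster: Cluster, exploit_day: int = EXPLOIT_DAY) -> str:
    """'before' = patched before the exploit, 'after' = patched once it was
    out, 'never' = still unpatched at the end of the observation window."""
    if cluster.patch_day is None:
        return "never"
    return "before" if cluster.patch_day < exploit_day else "after"


def counts(clusters: List[Cluster], exploit_day: int = EXPLOIT_DAY,
           weight_by_size: bool = False) -> Dict[str, int]:
    """Tally before/after/never either per cluster or per machine."""
    totals = {"before": 0, "after": 0, "never": 0}
    for c in clusters:
        totals[classify(c, exploit_day)] += c.size if weight_by_size else 1
    return totals


def shares(totals: Dict[str, int]) -> Dict[str, float]:
    """Turn tallies into fractions of the whole population."""
    n = sum(totals.values())
    return {k: v / n for k, v in totals.items()}


def vulnerable_machines_on(clusters: List[Cluster], day: int) -> int:
    """Machines still unpatched at the end of the given day."""
    return sum(c.size for c in clusters
               if c.patch_day is None or c.patch_day > day)


def exposure_curve(clusters: List[Cluster], days: List[int]):
    """Fraction of all machines still exposed on each sampled day; the
    step at EXPLOIT_DAY is where the 'invisible hand' patching lands."""
    total = sum(c.size for c in clusters)
    return [(d, vulnerable_machines_on(clusters, d) / total) for d in days]


if __name__ == "__main__":
    print("by cluster:", shares(counts(CLUSTERS)))
    print("by machine:", shares(counts(CLUSTERS, weight_by_size=True)))
    print("exposed machines on exploit day:",
          vulnerable_machines_on(CLUSTERS, EXPLOIT_DAY))
    for day, frac in exposure_curve(CLUSTERS, [0, 30, 89, 90, 120, 200]):
        print(f"day {day:3d}: {frac:.1%} of machines still vulnerable")
```

With this data the cluster-level split is exactly 40/40/20, but the machine-level split is about 33/41/26, and 2,660 of 3,960 machines are still exposed on the day the exploit appears. Which figure matters depends on what you are planning for: incident volume scales with machines, while outreach effort scales with clusters.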