Eschelbeck’s New Laws of Vulnerabilities Contribute to SANS Top 20 Listing 2004 to be Published Friday, 8 October in London

On Friday, 8 October the annual SANS Top-20 listing is being published at an event taking place at the Department of Trade and Industry. The Top-20 listing is a unique initiative compiled every year as the result of systematic analysis of vulnerabilities conducted by security researchers at the leading independent institutions including: GCHQ, CSIA (Central Sponsor for Information Assurance), NISCC (National Infrastructure Security Co-ordination Centre) and SANS Institute as well as other world-class security experts.

Participating on the high-level panel session at this year’s event on Friday is Gerhard Eschelbeck, CTO of Qualys and author of the “Laws of Vulnerabilities”. Gerhard is one of the major contributors to this expert consensus which features new research recently completed by Gerhard as part of his most in-depth study of vulnerabilities and their behaviour patterns. This research is derived from a statistical analysis of nearly 4 million critical vulnerabilities over a two-and-a-half year period. It is clear that although some improvement has been made during the last year in protecting networks at the perimeter, systems within the corporate network are in even greater jeopardy of being attacked:

* Companies are taking 62 days to patch their internal systems – leaving internal systems such as internet browsers and mail servers way open to attack.

Qualys will also be issuing a free scan co-inciding with the publication of the SANS Top-20 listing enabling organisations to scan for those