On Wed, 9 Jun 2004 Valdis.Kletnieks@vt.edu wrote:
A writeup on the OpenSSL holes, the Slapper worm, and when/why users patched their systems. 17 pages, PDF.
http://www.rtfm.com/upgrade.pdf
Lots of interesting conclusions about user behavior, which we probably need to consider when planning. Some non-trivial math/stats, but they explain what the results mean in plain English too, so feel free to skip over the formulas to the "this clearly shows..."
I've been calling this the 40/40 rule. What's interesting is how consistent it remains, regardless of the timeline, exploit or publicity. About 40% of the vulnerable population patches before the exploit. About 40% of the vulnerable population patches after the exploit. The numbers vary a little, e.g. 38% or 42%, but the speed or severity or publicity doesn't change them much. If it is six months before the exploit, about 40% will be patched (60% unpatched). If it is 2 weeks, about 40% will be patched (60% unpatched). It's a strange "invisible hand" effect: as the exploits show up sooner, the people who were going to patch anyway patch sooner. The ones that don't, still don't.

Businesses aren't that different from consumers. A business is like a super-cluster of PCs. Don't think of individual PCs, but of clusters of sysadmins. The difference is the patching occurs in clusters. Sysadmin clusters follow the same 40/40 rule. If you have 1,000 businesses each with 10-1,000 computers, within a sysadmin cluster it tends to be binary, patched/not patched, for 99% of the computers in the same cluster. But across 1,000 clusters of PCs, things don't look that different. About 40% of the clusters are patched before the exploit, about 40% are patched after the exploit. Sometimes the cluster has 1,000 patched computers, sometimes the cluster has 10 patched computers, sometimes the cluster has 1,000 unpatched computers. Don't mistake size for better managed.
Both of these papers are somewhat flawed in that they focus on the mostly-broken idea that the admin/user would even know a patch if it came by and bit them on the posterior.....
The good news is that after the exploit, thanks to the invisible hand, about 80% of the patching behavior occurs without a lot of extra prompting. The bad news is that regardless of what actions are taken, about 60% of PCs/clusters will be vulnerable when an exploit is released, regardless of how long the patch has been available.