I was in a meeting with a large group of security professional today talking about SDL, reducing vulnerabilities, metrics, and so on - my normal topics - and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security.
The discussion focused around this question - what percentage of malware infections happen due to:
- Vulns without patches available ? (aka new vulns)
- Vulns with patches available, but not applied (unpatched vulns)?
- Some other vector - mis-configuration, social engineering, etc ?
Anecdotally - let me emphasize that - anecdotally, in our discussion we thought the breakdown was something like this:
- new vulns - less than 10%
- vulns with patches not applied - 20-30%
- other vector (misconfiguration, social engineering, etc) - 60-70%
Zone-h.com posted spreadsheets of data on Web Server penetrations which they tracked from 2002 to 2004 and their breakdown for 2004 was: new vulns 19%, unpatched vulns 26%, and 55% for the combination of configuration mistakes, brute force attacks and social engineering.
Let me encourage you to use your own numbers if you don't think that breakdown is right, as I don't think it detracts from the discussion at all. Let's look at this graphically using the zone-h numbers:
So now, let's think about what this means in terms of product vulnerabilities and products. The bottom two bars are vulnerability, or software quality, related. So, when I try to measure vendor progress on security quality or count vulnerabilities, success along those lines only affect the bottom two bars. The remainder of managing security risk (55%) depends on other factors completely.
How would affect things if you could have a product with perfect security quality, or in other words, no expectation of exposure due to a vulnerability? If a vendor builds a perfect product, not likely in the near future, then we can eliminate both vulnerability vectors for malware. 
But, even without perfect products, look how much of the malware problem can not be eliminated by improving security quality or reducing vulnerabilities.
This really emphasizes how important other security disciplines are to the goal of protecting computers from malware. Security management and efforts to make users slightly more clueful jump out as to efforts that could have large impact on operational security.
So, while the importance of these disciplines is by no means a new insight, going through this exercise really puts into things into perspective (for me) with respect to practical security progress in the enterprise.
In the meantime, we should all encourage vendors to work towards those perfect software products to reduce the other two sections as well.
