Zero day exudes a sense of dread.
… like something cataclysmic might happen on zero day. It even makes a nice subtitle for an action movie: Mission Impossible 8—Zero Day.
But in reality, the term is more like one of those signs at work that says “zero days since our last accident,” only it’s closer to “zero days since we’ve known about this security flaw in our software.”
In other words, zero day simply refers to the number of days that a vendor has known about a software bug: zero. A zero day vulnerability is a software bug that an attacker can exploit and for which no fix yet exists.
A zero day attack (also known as a zero day exploit) occurs when a hacker uses exploit code to take advantage of a zero day vulnerability before a software patch can be deployed to fix the problem.
Zero day vulnerabilities are found in all kinds of software, from the obscure to Microsoft Office. This means that you likely have software running in your business right now containing an as-yet-undiscovered zero day.
To improve security, small businesses must determine which attacks are most likely to occur and prioritize them accordingly. In this piece, we’ll explore whether you should be worried about zero day attacks, or if other vulnerabilities should be a higher priority.
How are zero day vulnerabilities discovered?
Zero day vulnerabilities are discovered by independent security researchers (i.e., ethical hackers), government researchers, and malicious hackers. Once identified, these software defects are handled in a few different ways.
Reported to the manufacturer
Security researchers report bugs to developers for recognition and financial incentives. Many large software vendors host bug bounty programs whereby a financial reward is offered in exchange for software bugs. Intel, for instance, pays up to $100,000 for critical hardware vulnerabilities. Organizations such as HackerOne and Bugcrowd provide services that connect companies with ethical hackers.
Screenshot of rewards for Google’s bug bounty program (Source)
Developed by or sold to gray-market vulnerability brokers
The gray market is, appropriately, a gray area. These private brokers buy exploits from hackers or develop them with their own in-house teams. They sell exploits to militaries, defense contractors, and businesses interested in corporate espionage. Additionally, some hackers straddle the fence by selling some exploits to bug bounty programs and some to gray-market buyers, depending on the bug and its associated software.
Sold on the dark web
Malicious hackers search far and wide for software vulnerabilities and, once identified, sell them directly to bad actors on the dark web. These underground sales often result in criminal schemes by the purchasers. However, dark web prices for zero day vulnerabilities have risen sharply in recent years as they have become increasingly rare in the wake of bug bounty programs that offer profit via legitimate means.
Retained by government entities
Governments value zero days for their surveillance, security, and espionage capabilities. Militaries and intelligence agencies around the world are also keenly interested in using these exploits to conduct cyberattacks and further their political interests.
The stockpiling of zero days by governments and other entities is controversial. Some feel that the disclosure of security flaws might result in attacks that would not otherwise occur if kept secret. Others argue that if one researcher can identify a zero day, so could another. And by keeping these vulnerabilities a secret, people, businesses, and governments are left vulnerable to espionage and cyberattacks.
Okay, so zero day attacks seem pretty bad. Should I be worried?
According to Gartner, 99 percent of exploits are based on vulnerabilities that have been known to security and IT professionals for at least one year—unlike zero days (full report available to Gartner clients).
In their recent report “Implement a Risk-Based Approach to Vulnerability Management” (available to Gartner clients), Gartner analysts Prateek Bhajanka and Craig Lawson say this about zero day vulnerabilities:
“Organizations often give more attention to the zero day vulnerabilities than they deserve when you look at the perception versus reality. Is it a risk to your organization? Of course it is, but zero days today are not leveraged by threat actors to anywhere near the same extent that existing and known vulnerabilities are.”
To be sure, zero day attacks are real, and, when they occur, the results can be devastating. However, zero day attacks remain rare and businesses—particularly small businesses—should concentrate on known threats that are much more likely.
“To view this another way, this is like worrying about being attacked by a great white shark at the beach but not worrying about the drive to get there. Clearly, driving presents considerably more risk than the former.”
The metaphor holds up: In 2017, there were 37,133 traffic fatalities recorded in the United States while during the same period there were 53 shark attacks—none of them fatal. Zero days are the shark attacks of the IT world: In 2015, 54 new zero day vulnerabilities were identified while in the second quarter of 2015 alone, Kaspersky reported more than 30 million phishing attempts—and that was only on machines using its software.
“Still, if you are of a particular value to a target, zero days are indeed a reality for your organization, and you should engage in some detailed threat modeling to deeply understand the impact of a zero day.”
In other words, if your business is highly targeted by hackers who will go through the overwhelming difficulty of employing a zero day attack, rather than exploiting a known vulnerability, it might be worth adopting advanced threat modeling, along with the financial investment that comes with it.
Fortunately, most small businesses are not targeted by zero day attacks and should therefore consider the types of attacks for which they are most at risk and manage existing vulnerabilities in the most efficient ways possible.
For most small businesses, the most effective means of reducing network vulnerability is patch management.
Patch management prevents the vast majority of attacks
Software developers usually do their best to work out the bugs before releasing a product into the wild. But inevitably, bugs are found and vulnerabilities are identified. To address these issues, pieces of code, known as patches, are created to update the software.
Patch management, then, is the organized deployment of software patches. This process includes formally keeping track of patches that have and have not been applied. You can do this with specialized patch management software.
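The tracking step above is where most small teams fall down: nobody knows which hosts are still running a version older than the one the vendor fixed. The script below is an added example (not from this article or any patch management product) of the minimum such a tracker has to do: record what is installed on each host, record which package version carries each fix, and report every host that is still behind. The host inventory and the advisories are constructed sample data with placeholder identifiers, not real systems or real advisory numbers.

```python
"""Minimal patch-status tracker: compares installed package versions on each
host against a list of vendor advisories and reports what is still unpatched.
Added example; the inventory and advisories below are constructed sample data,
and the advisory identifiers are placeholders, not real advisory numbers."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder identifier, not a real advisory number
    package: str
    fixed_version: str  # first version that contains the fix


def parse_version(version: str) -> tuple:
    """Split '2.4.29-1ubuntu4' into comparable tokens. Numeric runs compare as
    integers (so 2.4.10 > 2.4.9) and letter runs as strings (so 1.1.1g < 1.1.1k);
    each token is tagged so that ints and strs are never compared directly.
    Pre-release markers such as 'rc1' are not special-cased (known limitation)."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(t)) if t.isdigit() else (0, t) for t in tokens)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or past the version carrying the fix."""
    return parse_version(installed) >= parse_version(fixed)


def missing_patches(inventory: dict, advisories: list) -> dict:
    """Return {host: [advisory_id, ...]} for every host whose installed version of
    an advised package is older than the fixed version. Hosts that have nothing
    outstanding are omitted, so an empty dict means fully patched."""
    report = {}
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # package not installed here, advisory does not apply
            if not is_patched(installed, adv.fixed_version):
                report.setdefault(host, []).append(adv.advisory_id)
    return report


# Constructed sample inventory: host -> {package: installed version}
SAMPLE_INVENTORY = {
    "web-01": {"httpd": "2.4.29", "openssl": "1.1.1k"},
    "web-02": {"httpd": "2.4.33", "openssl": "1.1.1k"},
    "db-01": {"postgresql": "12.4", "openssl": "1.1.1d"},
}

# Constructed sample advisories with placeholder identifiers.
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "httpd", "2.4.30"),
    Advisory("ADV-EXAMPLE-002", "openssl", "1.1.1g"),
]


if __name__ == "__main__":
    outstanding = missing_patches(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for host, advisory_ids in outstanding.items():
        print(f"{host}: missing {', '.join(advisory_ids)}")
    if not outstanding:
        print("all hosts patched")
```

In practice the inventory would be fed by whatever package manager or agent already runs on the hosts; the point of the example is that "patched or not" must be a comparison against a recorded fixed version, not a feeling. The version parser deliberately stays simple, and distro backports (where a security fix is carried in a package whose version number never reaches the upstream fixed version) would need vendor-specific handling.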
Small businesses must take patch management seriously to prevent the vast majority of attacks.
Prioritizing patch management is the easiest way to prevent malware infections and close gaps that result in cyberattacks and data breaches. In fact, the infamous 2017 Equifax data breach was the result of delayed patch installation.
Though maybe not the worst data breach judged strictly by the number of records exposed, the Equifax breach was perhaps the most damaging in history because of the type of data exposed.
The breach exposed social security numbers, birthdates, and other personal information of 144 million adults—or a little more than half the U.S. adult population. And it wasn’t some mysterious zero day threat; it was a vulnerability the company had known about for months, and the breach was entirely preventable.
Why would anyone delay patching?
One reason for delayed patching is the fear that installing a patch might have a negative effect on the network. For example, 2018 began with the disclosure of Spectre and Meltdown, two separate hardware vulnerabilities found to affect nearly every computer processor made in the last 20 years.
As these were problems with the chips themselves, they couldn’t be fixed directly, so manufacturers made patches that prevented systems from using affected areas of the processors. However, initial reports claimed system slowdowns of up to 45 percent, prompting some to consider delaying the patch and risking attack. Fortunately, later analyses showed patch slowdowns were nearly imperceptible for most users, with significant delays encountered only in rare circumstances.
A less complicated reason that some people refuse to update software is that they have to reboot their machine. Doing so requires closing out of every application and losing all of their open browser tabs.
You really should automate software updates
Manual updating requires a lot of time and tedious research to get right. For this reason, small businesses should always set software to automatically update. And while I hear you grumbling about incessant update notices and how something changes every time your software is patched, putting it off is only delaying the inevitable and increases your chances of being victimized.
On a bright note, the advent of Software-as-a-Service (SaaS) has automated, err, automatic patching. These cloud-based programs are updated on the manufacturer’s end with nothing for the end-user to worry about—so long as the vendor is proactive and timely with their patches. Furthermore, virtualization has made it easier to install and remove patches without needing access to physical devices.
How do I patch internet of things … things?
How do you update a smart light bulb or patch an intelligent coffee maker? Unfortunately, most people don’t, or can’t even if they’d like to. IoT devices communicate with networks using firmware that is often difficult or impossible to update, leaving them susceptible to a host of attacks.
The problem is only getting worse. A recent Symantec report showed that in 2017 alone, attacks on IoT devices increased by 600 percent. And in 2018—because if it isn’t one thing, it’s another—we’ve seen the sudden rise of cryptojacking, whereby cybercriminals drain computing resources by accessing networks via insecure IoT devices and other means to mine cryptocurrency.
To address these concerns, consider excluding unnecessary devices from your network. Those that you do use should be firewalled. Alternatively, you can design a specific network for smart refrigerators, video game systems, and other non-business devices to ensure they are isolated from sensitive data.
Other more traditional networked hardware, such as routers and printers, are also prone to attack and commonly require firmware updates.
For example, earlier this year, VPNFilter malware infected half a million consumer-grade routers around the world. Small businesses are inordinately affected by these types of attacks because they are more likely to use consumer-grade hardware.
However, these smaller companies should opt for business-grade hardware that is typically:
- Built to last longer
- More feature-laden
- Security hardened
- Highly upgradeable
- Easier to patch
Buying a router or network switch off-the-shelf might be affordable and convenient, but small businesses should consider investing in higher-quality networking equipment.
More strategies for mitigating common vulnerabilities
Pay attention to permissions
Take care with the permissions that you allow, both for employee network access and for applications. Employees should have access only to the systems they require to do their jobs. Likewise, apps should be allowed to access only features that make sense. Your calculator app shouldn’t have access to your contacts and location.
Use strong passwords
It’s been said a million times, but strong passwords are crucial for network security. In the wake of Kanye West’s 000000 password being exposed on live television, this is still an issue. Best practice is to use long phrases that are easy to remember but difficult for others to guess (e.g., Thewarof1812isover!). Multifactor authentication should also be employed when available.
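A password policy is only useful if something enforces it at the point where passwords are set. The checker below is an added example, not code from this article, of the rules a small business can apply when an account password is created: a minimum length, a block list of common passwords, rejection of trivially repetitive or digit-only strings, and a rough strength estimate. The minimum length of 12 and the 60-bit threshold are assumed policy values, and the common-password list is a constructed handful of entries where a real deployment would load a breach-derived list of millions.

```python
"""Password policy checker. Added example; MIN_LENGTH, MIN_BITS and the short
COMMON_PASSWORDS set are assumptions chosen for illustration, not values from
the article. Returns a list of problems; an empty list means the password
passes every rule."""
import math
import string

# Constructed sample of very common passwords. A real deployment would load a
# breach-derived list of millions of entries instead of this short set.
COMMON_PASSWORDS = {"000000", "123456", "password", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 12  # assumed policy value
MIN_BITS = 60    # assumed policy value for the strength estimate below


def char_pool_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search, based on which
    character classes the password actually uses."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if " " in pw:
        pool += 1
    return pool


def estimate_bits(pw: str) -> float:
    """Optimistic strength estimate: bits of a uniformly random string of this
    length over this pool. Real phrases built from dictionary words are weaker
    than this figure, so it is a ceiling, not a guarantee."""
    pool = char_pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, common=COMMON_PASSWORDS) -> list:
    """Apply every policy rule and report each one the password fails."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in common:
        problems.append("appears in the common-password list")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if pw.isdigit():
        problems.append("digits only")
    if estimate_bits(pw) < MIN_BITS:
        problems.append(f"estimated strength below {MIN_BITS} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("000000", "Thewarof1812isover!"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running it shows the two passwords from the text on opposite sides of the policy: the six-zero password fails every rule, while the long phrase passes all of them. The estimate is deliberately generous, which is why the common-password list matters more than the bit count: a password can score well on length and character mix and still be the first thing a credential-stuffing tool tries.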
Protect against phishing schemes
Educate employees about—and be on guard for—phishing schemes. The schemes continue to evolve and have become highly targeted, making them increasingly difficult to identify. Phishing schemes are still one of the most common sources of cyberattacks and data breaches.
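Training people to spot phishing is necessary, but some of the tell-tale signs can be checked by a mail filter before a message ever reaches an inbox. The script below is an added example, not code from this article or from any mail product, of three header-level indicators a small business can check automatically: a Reply-To address that points somewhere other than the sending domain, a sender domain that is within a character or two of a domain the business trusts, and a display name that borrows a trusted brand while the actual sender is elsewhere. The trusted domains and both sample messages are constructed; the lookalike and reply-to domains use reserved names so they resolve to nothing real.

```python
"""Header-level phishing indicators over constructed sample messages.
Added example: the trusted domains and the two messages are made up, and
these heuristics are a starting point for mail filtering, not a complete
detector."""
import email
from email.utils import parseaddr

# Constructed list of domains this organisation trusts mail from
# (example.com and example.org are reserved names, used here as stand-ins).
TRUSTED_DOMAINS = {"example.com", "example.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. l swapped for 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable indicators; empty means nothing flagged."""
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = sender_domain(from_header)
    indicators = []

    # 1. Reply-To pointing somewhere other than the sending domain.
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_domain:
        indicators.append(f"reply-to domain {sender_domain(reply_to)} differs from {from_domain}")

    if from_domain not in trusted:
        # 2. Sender domain within two edits of a trusted one.
        for good in trusted:
            if 0 < edit_distance(from_domain, good) <= 2:
                indicators.append(f"sender domain {from_domain} resembles trusted {good}")
        # 3. Display name uses a trusted brand while sending from elsewhere.
        compact_name = "".join(display_name.lower().split())
        claimed = [good.split(".")[0] for good in trusted if good.split(".")[0] in compact_name]
        if claimed:
            brand = max(claimed, key=len)
            indicators.append(f"display name claims {brand!r} but sender is {from_domain}")
    return indicators


# Constructed sample messages (headers only matter for these checks).
LEGIT = """From: "Example Support" <alerts@example.com>
Subject: Your monthly statement is ready

Your statement is available in the customer portal.
"""

SUSPICIOUS = """From: "Example Support" <security@examp1e.com>
Reply-To: collect@mail-reply-service.invalid
Subject: Urgent: verify your account

Your account will be locked unless you confirm your details today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, phishing_indicators(raw) or "no indicators")
```

None of the three checks proves a message is malicious on its own (legitimate newsletters set a foreign Reply-To all the time), which is why the function returns the list of indicators rather than a verdict: a filter can quarantine on two or more, tag the subject on one, and leave the employee training to handle the rest. Domain-level checks also do nothing against a compromised legitimate account, so they complement multifactor authentication rather than replace it.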
Ultimately, zero days don’t mean the end of days
Though zero day attacks are a real threat, they are unlikely. Preventative measures will go a long way toward protecting your business from known and unknown threats.
So instead of zero days, small businesses should be more concerned with which patches need to be installed, whether their network is hosting a bunch of insecure devices, and whether their employees are falling for sketchy email ploys.