How Dangerous are Zero-Day Vulnerabilities?
There’s a buzz in the vulnerability management market surrounding solutions to protect against Zero Day vulnerabilities – vulnerabilities that were previously unknown and for which no vendor patch is available. While some may paint a picture of hordes of hackers looking to exploit undiscovered flaws, security teams must ask themselves: is focusing on Zero Day attacks really the best use of enterprise resources?
All Bark But No Bite
In reality, for all the noise about Zero Day vulnerabilities, most catastrophic breaches aren’t caused by Zero Days. Major breaches such as the Equifax and WannaCry attacks were actually caused by vulnerabilities that were known to security teams at the time of the attack.
For example, the Equifax breach started with attackers simply scanning the web for servers vulnerable to the Apache Struts vulnerability (CVE-2017-5638). They found vulnerable servers in the Equifax dispute portal. Using queries from the dispute portal servers, the attackers gained access to 48 more databases. Through a ‘low and slow’ method of data exfiltration, the attack flourished undetected for 76 days. Apache had actually released the patch for this vulnerability on March 8, 2017, and it wasn’t until May 13, 2017 that the hackers returned to execute their plan. So if Equifax had patched the vulnerability any time before May 13, 2017, this breach would not have occurred.
A similar story happened with WannaCry. The cryptoworm targeted Microsoft Windows operating systems leveraging an exploit called EternalBlue. Two months before the attack, on March 14, 2017, Microsoft released bulletin MS17-010 for EternalBlue along with patches for all supported Windows versions. However, when the attack occurred in May 2017, many Windows systems were left unpatched or were running unsupported operating systems such as Windows XP.
In both these cases, simply patching a known vulnerability would have prevented the theft of millions of personal records and significant financial losses. A solution monitoring for Zero Day vulnerabilities would not have helped in these cases.
Missing The Target
By focusing on Zero Day vulnerabilities, companies are not only missing the target, but also ignoring the reality that the vast majority of attacks use known vulnerabilities. Roger Grimes, a Cyber Defense Analyst, notes that most Microsoft customers are exploited by vulnerabilities that had patches released years before.
As of April 2019, the Zero Day Initiative reports 89 Zero Day vulnerabilities for 2019. Compared to the 2634 known vulnerabilities for 2019 to date, the Zero Day vulnerabilities represent just 3% of all vulnerabilities for the year-to-date. Focusing solely on Zero Days is being penny-wise and pound-foolish. Patch management may not be as glamorous as the ‘cutting edge’ Zero Day monitoring solutions, but it’s the tried and tested, best-bang-for-your-buck way to protect your organization from attacks and breaches.
The fact that a flaw is undiscovered doesn’t make it a bigger threat than known vulnerabilities. The cybersecurity industry has been focused on designing the most precise zero day prevention system. But while these platforms might be technically advanced, they’re ultimately neglecting the basics of proper cyber hygiene. As the Equifax breach shows, hackers are interested in finding organizations that have failed to patch known vulnerabilities. Hackers need to make the best use of their time and resources too, and exploiting known vulnerabilities is often a better use of their time than searching for undiscovered flaws.
The Real Danger
A good vulnerability management process will eliminate most of the risk an enterprise will face against attacks. Focusing on known vulnerabilities will have a much bigger impact in protecting the enterprise than worrying about Zero Day vulnerabilities. But identifying the threat from known vulnerabilities is just one aspect of a proper vulnerability management program. The next step is prioritizing and remediating them. Download our eBook, “Why Continuous Exposure Requires Continuous Remediation”, for a new approach to vulnerability management.
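The prioritization step above, and the patch-to-exploit windows described in the Equifax and WannaCry examples, can be made concrete with a small triage routine. The following is an added example, not code from the original post or from any vendor product: it ranks findings by whether a vendor fix exists, whether the flaw is being exploited, and how long the fix has been available but not applied. The 30-day SLA, the inventory, the severities and the two placeholder vulnerability ids are assumptions; the only dates taken from the post are the CVE-2017-5638 patch release (March 8, 2017), the MS17-010 release (March 14, 2017) and the May 13, 2017 return of the Equifax attackers, used here as the "as of" date.

```python
"""Added example: rank findings by how long a fix has gone unapplied, not by novelty."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_SLA_DAYS = 30  # assumed remediation window; replace with your own policy


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                    # CVE / vendor bulletin id, or a placeholder for an unidentified flaw
    patch_released: Optional[date]  # None means no vendor patch exists yet (a zero day)
    exploited_in_wild: bool         # evidence of active exploitation
    severity: float                 # CVSS-style base score, 0.0-10.0


def exposure_days(finding: Finding, as_of: date) -> Optional[int]:
    """Days a vendor fix has been available but not applied; None when no fix exists."""
    if finding.patch_released is None:
        return None
    return max(0, (as_of - finding.patch_released).days)


def recommended_action(finding: Finding, as_of: date) -> str:
    """Known, patchable flaws get a patch action; true zero days get compensating controls."""
    days = exposure_days(finding, as_of)
    if days is None:
        return "no-patch: apply compensating controls, watch vendor advisories"
    if finding.exploited_in_wild or days > PATCH_SLA_DAYS:
        return "patch-now: fix available and overdue or actively exploited"
    return "patch-within-sla"


def rank_key(finding: Finding, as_of: date):
    """Sort tuple: patchable first, then exploited, then longest unpatched, then severity."""
    days = exposure_days(finding, as_of)
    return (
        0 if days is not None else 1,
        0 if finding.exploited_in_wild else 1,
        -(days or 0),
        -finding.severity,
    )


def triage(findings: List[Finding], as_of: date) -> List[dict]:
    """Return findings in remediation order with their exposure window and action."""
    ordered = sorted(findings, key=lambda f: rank_key(f, as_of))
    return [
        {
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "exposure_days": exposure_days(f, as_of),
            "action": recommended_action(f, as_of),
        }
        for f in ordered
    ]


# Constructed inventory. The release dates for CVE-2017-5638 and MS17-010 are the
# ones cited in the post; the other two entries are invented placeholders, and all
# asset names and severity scores are made up for the example.
SAMPLE_FINDINGS = [
    Finding("web-gw-03", "ZERO-DAY-PLACEHOLDER", None, False, 9.8),
    Finding("hr-workstation-22", "CVE-EXAMPLE-0001", date(2017, 5, 1), False, 7.5),
    Finding("dispute-portal-01", "CVE-2017-5638", date(2017, 3, 8), True, 10.0),
    Finding("file-server-07", "MS17-010", date(2017, 3, 14), True, 8.1),
]
AS_OF = date(2017, 5, 13)  # the date the Equifax attackers returned, per the post


def main() -> None:
    for row in triage(SAMPLE_FINDINGS, AS_OF):
        print(f"{row['asset']:<20} {row['vuln_id']:<22} "
              f"exposure={row['exposure_days']!s:>4}  {row['action']}")


if __name__ == "__main__":
    main()
```

Run as-is and the Struts finding sorts to the top with a 66-day exposure window, MS17-010 follows at 60 days, and the zero-day entry lands last with a compensating-controls action rather than a patch ticket, which is the point of the post: the findings with the longest-available fixes are the ones to spend remediation effort on first.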