"Zero-Day" Attacks a Growing Threat

Even the name, "Zero-day," sounds alarming. And it is. Zero-day attacks – cyber-attacks launched against undetected and unreported security vulnerabilities – are more common than security experts previously assumed. And they can continue for a long time before the vulnerability is found and patched by the good guys.

A study by security firm Symantec has found that the average zero-day attack lasts 312 days, or more than ten months. Some have persisted for up to two and a half years.

The implications are simple, and stark: By definition, the security community does not yet know about a zero-day attack. Therefore no protective measures have been taken against it. Promptly applying vendor patches won't protect against zero-day threats. Nor will antivirus or other security software.

And there is no cavalry coming to the rescue. As researchers Leyla Bilge and Tudor Dumitras say about their study results, "it seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to zero-day attacks."

For developers of zero-day threats, the black market is a sellers' market: They can charge up to $250,000 for a zero-day exploit. One such exploit, Conficker, infected some 370,000 machines in the two months before it was discovered.

And discovery of these threats doesn't put an end to them – instead, attacks increase after discovery, often dramatically, as copycats jump into the pool.

This is a powerful reminder that the existence of unknown zero-day threats is no excuse for ignoring known threats, or for neglecting such basic measures as applying patches promptly.

Nor are companies entirely helpless in the face of zero-day threats. These threats are due to yet-unknown flaws in commercial products. But you should not rely entirely on commercial products for your security in the first place. Best-practice security begins with taking responsibility, including recognizing that commercial products can be flawed.

The more robust your approach to security, the better the chance that even zero-day threats will fail to catch you off guard.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."