What is it?
A product vulnerability that the developers are unaware of.
Why is it important?
Zero-day vulnerabilities are important because there is the potential for them to be exploited before developers have a chance to patch the affected product. Once a zero-day vulnerability has been detected, companies often have very little time to correct the issue before the vulnerability is used to attack the product.
Why does a business professional need to know this?
Imagine that you have discovered a secret way to get into your office that no one else knows about and that allows you to enter without going through your normal security sign in. You always use the front door to go to work, because you don’t want people to know about the secret entrance. Now imagine it’s after hours, and you’ve forgotten something at work. Signing in at the front desk, badging in, getting your item, and signing out is too much of a hassle. So you decide to use that secret way to get into the office, get to your desk, and collect your forgotten item without ever disturbing the security guard.
This essentially is how a zero-day exploit works. It uses a vulnerability that is unknown to the owner to get into a product. Using a zero-day vulnerability, an attacker can gain access or take control of a system without the user ever knowing about it.
The product is vulnerable to exploit from the day the vulnerability is discovered -- the zero day -- until the owner creates and distributes a patch to fix the problem. Even after a patch has been created, the product will remain vulnerable until users apply the patch to their copies of the product. Therefore, it is important for users to apply patches as soon as they become available to minimize the amount of time their systems are exposed to the threat.
One proactive measure for software developers is to use threat modeling and other techniques to reduce the number and severity of as yet undiscovered zero-day vulnerabilities in the first place. One strong measure for security professionals is to conduct a vulnerability assessment and create an incident response plan and a business continuity plan for their company.
In 2016, zero-day vulnerabilities and exploits were in the news because a group that calls itself The Shadow Brokers released alleged US National Security Agency (NSA) zero-day exploits, including EternalBlue, which was used to create the WannaCry and Petya exploits(BBC 2017).
References
- (BBC 2017) ‘NSA malware’ released by Shadow Brokers hacker group: BBC News (2017).
- (Sheth 2017) ‘The ultimate cyberweapon for espionage’: The ‘Petya’ cyberattack is exploiting a powerful NSA tool: Sheth, Sonam (2017). Business Insider. Discusses the Petya cyberattack that exploited a powerful cyberweapon created by the US National Security Agency (NSA).
About James McQuiggan
James R. McQuiggan, Certified Information Systems Security Professional (CISSP), is a cybersecurity expert in the central Florida area who works as a product and solutions security officer for the Siemens Wind Service Americas company. James is the president of the (ISC)2 Central Florida, supporting cybersecurity professionals in education and training.
Term: Zero-day Vulnerability
Email: james@iphotographit.com
Twitter: @james_mcquiggan
LinkedIn: linkedin.com/in/jmcquiggan