A zero day is an unresolved vulnerability in software that puts end users at risk of being attacked by cyber criminals. Cyber criminals like to use these unsealed gateways to a corporate network to carry out their activities.
“Software almost always contains errors,” says Niels Teusink, IT Security Expert at Eye Security. “Because something has not yet been taken into account in the development of a feature, or sometimes even due to a simple typo.” Traditionally, a zero day was seen as a vulnerability that the software manufacturer was not yet aware of. But recently the term has also been used for vulnerabilities for which there is no solution yet. “With the global Kaseya attack, there was also talk of a zero-day attack, but the leak was already known to the organization there. In fact, they were busy building a fix for the vulnerability, only to be overtaken by the REvil attack just before they were ready.”
How does a zero day work?
You can see a zero day as a hatch in the wall of a software application that you use in your company network. You often use multiple applications, and they can all contain one or more hatches. For example, there can be a zero-day vulnerability in a browser, but also on a server, or in Windows. And not all hatches are open by default. Sometimes certain conditions must be met to open the hatch. “If there is a zero day in a browser, then the condition is, for example, that the user goes to a specific website, from where the attackers can put a piece of malicious software code on your system via the vulnerability,” explains Teusink. The hatch of that specific zero day only opens when the condition – visiting that specific website – is met.
Protect yourself - reduce the attack surface
To protect your company against this, it makes no sense to raise the walls around your applications, because you have no influence on how many zero-day hatches may be present in that wall. It is important to build up security in layers, says Teusink. “It should never be the case that one zero day can disrupt your entire business operations.” That is why it is important, for example, to keep the wall to the outside world (the internet) as small as possible. “We see that some companies have all kinds of servers and management interfaces connected to the internet. If you limit the number of components you connect to the internet, you reduce the attack surface.” In other words, you reduce the number of hatches in your business environment that are visible from the outside.
Protect yourself - detect deviant behaviour
The next layer is the detection of abnormal patterns on your company network. “When a zero day is abused, something always happens on your network that deviates from the normal pattern,” says Teusink. “Suppose there is an unknown or unresolved vulnerability in a browser, you visit a website and it is being abused on a zero-day basis, then the attacker can, for example, install a small program on your systems and maybe even a backdoor through which he can easily get inside at another time, for example if the zero-day hatch has been boarded up by the manufacturer. A good detection system will immediately notice that a program is being written to the hard disk and that this is unusual when visiting a website. At that moment alarm bells go off and you can intervene.”
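The detection idea described above (a browser writing a program to disk deviates from normal browsing), as an added example that is not part of the original article: a small Python rule run over constructed file-creation events. The field names (Image, TargetFilename, UtcTime) are modelled on Sysmon FileCreate events; the browser list, extension list and directory lists are assumptions to tune per environment.

```python
import ntpath  # parses Windows paths on any OS

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption
EXEC_EXT = {".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs", ".lnk"}  # assumption
EXPECTED_DIRS = ("\\downloads\\",)  # user-initiated downloads land here
PERSIST_DIRS = ("\\start menu\\programs\\startup\\",)  # autostart = possible backdoor


def classify(event):
    """Return None for a normal event, else 'persistence' or 'suspicious'."""
    image = ntpath.basename(event["Image"]).lower()
    target = event["TargetFilename"].lower()
    if image not in BROWSERS:
        return None  # this rule only covers writes made by a browser
    if ntpath.splitext(target)[1] not in EXEC_EXT:
        return None  # cache entries, images, documents
    if any(d in target for d in PERSIST_DIRS):
        return "persistence"  # program placed where it runs at every logon
    if any(d in target for d in EXPECTED_DIRS):
        return None  # an ordinary download the user asked for
    return "suspicious"  # browser dropped a program in an unusual place


def detect(events):
    """Return (time, verdict, path) for every event that deviates."""
    alerts = []
    for e in events:
        verdict = classify(e)
        if verdict:
            alerts.append((e["UtcTime"], verdict, e["TargetFilename"]))
    return alerts


# Constructed sample telemetry (not real logs).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
U = r"C:\Users\alice"
SAMPLE_EVENTS = [
    {"UtcTime": "09:00:01", "Image": CHROME, "TargetFilename": U + r"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0001"},
    {"UtcTime": "09:02:10", "Image": CHROME, "TargetFilename": U + r"\Downloads\installer.exe"},
    {"UtcTime": "09:05:44", "Image": CHROME, "TargetFilename": U + r"\AppData\Local\Temp\svc_update.exe"},
    {"UtcTime": "09:05:46", "Image": EDGE, "TargetFilename": U + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A production rule would also need a baseline of what the browsers in your environment normally write, such as their own updater files.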
Protect yourself - install all updates
In a next step, good security software can also stop the things that happen on your company systems after the abuse of a zero day. “If a zero-day is used to deploy ransomware, security software can protect against it and mitigate the impact because the deployment can be stopped at an early stage.” Although you as an organization can never protect yourself 100 percent, you are certainly not powerless against cyber criminals. “Not every vulnerability is discovered by cybercriminals first. Software manufacturers themselves are always actively looking for it and will send you an update to fix errors in the code. That is why it is so important to always install updates. That way you close one or more hatches in your software wall every time.”
Eye can help you protect your company against these kinds of attacks. Want to know more? Visit this page to contact us.