Zero-day vulnerabilities can seriously threaten all affected systems since there are no available fixes at the time of discovery (DepositPhotos)
Cybersecurity threats are rampant, and attackers are showing no signs of letting up. According to the 2018 Cyber Security Breaches Survey, released last April, over forty percent of UK businesses fell victim to cyber attacks over the span of twelve months from 2017 to 2018.
Hackers can gain access to target devices through vulnerabilities that can be found across the many layers of a company’s IT infrastructure including software and applications.
Serious flaws in operating systems, for instance, could be exploited by attackers to take full control of compromised devices.
Some of these flaws may not even be known to developers. Known as zero-day vulnerabilities, these flaws can seriously threaten all affected systems since there are no available fixes at the time of discovery.
Even once these zero-day vulnerabilities become known, it can take some time for developers to release official fixes. According to Ponemon, zero-day vulnerabilities are the biggest threat to organizations, with 64 percent reporting having been compromised through such flaws in the last 12 months.
The massive breach of credit reporting firm Equifax is often cited as an exemplary case of the threat of software vulnerabilities. The Strutshock flaw that was used in the attack was a zero-day vulnerability discovered in February 2017 and fixed in March 2017. However, the flaw remained allegedly unpatched in Equifax’s servers months after the fix was released, with the breach pegged to have occurred sometime in May 2017.
Hackers can take advantage of the lull between the discovery of the flaw and the application of the fix to attack. Companies can take an average of 100 to 120 days before applying patches to their systems. During this time, attackers can even automate the detection of vulnerable systems and write malware to exploit the flaw specifically.
Even devices with existing security systems can fall prey, especially if users or administrators aren’t aware of the exploits or fail to apply stop-gap measures to prevent attacks. While the flaw was technically no longer in its zero-day period at the time of the Equifax breach, the event illustrates how a slow reaction by companies to such vulnerabilities can lead to catastrophic results.
Businesses slow to act.
Once hackers have access to their target devices, they can steal data, implant malware, and even take over systems for use in other attacks. According to the same breaches survey, these attacks can cost organizations thousands of pounds a year in the form of stolen assets, downtime, and recovery efforts.
Despite this potential impact on their bottom line, businesses often find it challenging to act on these threats promptly. Many smaller operations are ill-equipped to manage their IT effectively. Even those with dedicated IT teams can only respond if they are made aware of the threats. For larger operations, infrastructure size and complexity can further increase the time needed to secure their systems fully.
“Companies, even small to medium sized ones, can have dozens or hundreds of endpoints in their networks,” says Robert Brown, Director of Services at Cloud Management Suite (CMS). “If an exploit is found, they have to make sure that all affected devices are properly patched. With limited resources, IT staff can take hours or days to apply fixes. This could give hackers enough time to successfully launch attacks.”
Developers and vendors of vulnerable systems usually try to take prompt action, but fixes often don’t come out overnight. For example, a zero-day flaw that affected various Windows operating system versions was revealed last August, but it took Microsoft two weeks to release the official fix. The flaw, which affected Windows’ task scheduler, can be used by attackers to gain system-level access to target devices, allowing them to install software, delete files, and execute programs remotely.
Inertia also an issue.
End users can also simply suffer from inertia. Users often neglect to update and upgrade their software, even though doing so is considered one of the fundamental practices in IT security. Users tend to ignore update warnings, and almost half of them are frustrated by the experience.
One only has to look at the market share of operating systems to see how resistant users are to change. Windows 7, which was released back in 2009, still accounts for over 40 percent of the market. Users chose to stick with the older version even when Microsoft offered free upgrades to Windows 10 to existing license holders. Microsoft already ended mainstream support for Windows 7 in 2015 though the developer will provide extended support until 2020.
Interestingly, 4.23 percent of desktops still run on Windows XP. Microsoft officially abandoned the defunct operating system in 2014. This continued use forced the company to release an emergency patch during the WannaCry ransomware outbreak of 2017. It was the same outbreak that crippled the National Health Service (NHS). The ransomware was able to infect some NHS computers that ran on the outdated Windows software.
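The two failure modes described above, patches applied long after the fix is public and hosts running an operating system that will never receive a fix, can both be measured from an asset inventory. The following is an added example, not code from the article or from any product it mentions; it scores each host against one vendor fix and flags hosts whose exposure window exceeds a threshold or whose OS is past vendor support. The inventory, fix date, and threshold are constructed for illustration; the end-of-support dates are the vendor's published dates and should be verified against the vendor's lifecycle page before use.

```python
"""Patch-exposure check: how long has each host been exposed to a fixed flaw?

Added example, not from the article or any product it describes. The
inventory records and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Vendor end-of-support dates for the operating systems the article names.
# Assumption: these are the dates published by the vendor; verify them against
# the vendor lifecycle page before relying on them.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# The article cites an average of 100 to 120 days before patches are applied;
# the lower bound is used as the alarm threshold here (assumption).
EXPOSURE_LIMIT_DAYS = 100


@dataclass(frozen=True)
class Asset:
    hostname: str
    os_name: str
    last_patched: date  # date the most recent patch cycle completed on this host


@dataclass(frozen=True)
class Exposure:
    hostname: str
    days_exposed: int     # days between fix release and patching (or today if unpatched)
    patched: bool
    unsupported_os: bool  # no vendor fix will ever arrive for this OS
    over_limit: bool


def exposure_days(asset: Asset, fix_released: date, today: date) -> int:
    """Days the host ran with the flaw after the fix was publicly available.

    Assumption: a patch cycle completed on or after the fix release date
    included that fix; an earlier cycle cannot have included it.
    """
    if asset.last_patched >= fix_released:
        return (asset.last_patched - fix_released).days
    return (today - fix_released).days


def assess(assets: List[Asset], fix_released: date, today: date) -> List[Exposure]:
    """Score every host against one vendor fix; unpatched and longest-exposed first."""
    findings = []
    for asset in assets:
        days = exposure_days(asset, fix_released, today)
        eos: Optional[date] = END_OF_SUPPORT.get(asset.os_name)
        findings.append(Exposure(
            hostname=asset.hostname,
            days_exposed=days,
            patched=asset.last_patched >= fix_released,
            unsupported_os=eos is not None and today >= eos,
            over_limit=days > EXPOSURE_LIMIT_DAYS,
        ))
    # False sorts before True, so unpatched hosts come first; then longest exposure.
    return sorted(findings, key=lambda f: (f.patched, -f.days_exposed))


# Constructed inventory: a fix published 2017-03-01, reviewed on 2017-07-01.
FIX_RELEASED = date(2017, 3, 1)
TODAY = date(2017, 7, 1)
INVENTORY = [
    Asset("web-01", "Windows Server 2016", date(2017, 3, 10)),  # patched 9 days after the fix
    Asset("web-02", "Windows Server 2016", date(2017, 2, 1)),   # never received the fix
    Asset("kiosk-07", "Windows XP", date(2014, 1, 1)),          # unsupported OS, never patched
]

if __name__ == "__main__":
    for finding in assess(INVENTORY, FIX_RELEASED, TODAY):
        print(finding)
```

Running the block lists the two unpatched hosts first with a 122-day exposure window, well past the threshold, and marks the Windows XP kiosk as unsupported, which is the case where waiting for a vendor fix is not an option and the host needs isolation or replacement rather than another patch cycle.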
What can be done?
Putting in place preventive measures such as anti-malware applications, firewalls, and automated updates should provide users and organizations with a level of protection. However, vigilance is key when it comes to vulnerability-based attacks. Zero-day flaws can be beyond the scope of protection provided by these measures.
Knowledge is critical. IT staff have to know about threats as they emerge so that they can perform the necessary steps to minimize risks. Sites and social media feeds of security portals like StaySafeOnline can provide timely information about emerging threats and trends.
Fixes must also be deployed with urgency. IT expert Bruce Schneier remarks that patching will continue to become a challenge since computers are becoming more embedded. He writes, “This gets us back to the two paradigms: getting it right the first time, and fixing things quickly when problems arise.”
Software developers should take responsibility for their products and services. These threats should compel them to put better engineering and quality assurance practices in place.
Fortunately, IT management and security solutions providers are also making strides to streamline software deployment. Services like CMS are even introducing mechanisms that allow administrators to use plain language instructions to run tasks such as software updates and patch deployment. These solutions could greatly enhance IT management especially since only a third of security professionals update their software automatically.
What remains essential is for all stakeholders to act in a timely manner in order to minimize the risk that these threats pose.