The Day After Zero-Day
Written by Dami Yusuph on 29/9/2017
You’ll doubtless have heard about zero-day attacks and know the impact they can have on your organisation, but what can you do to protect yourself against the unknown?
Zero day, zero security
With so many different platforms, operating systems, frameworks, programming languages, applications and hardware, it’s (sadly) no surprise that good information security is frequently lacking. Bundle this with the rise of the Internet of Things, which seems to have somehow ignored security completely, and we have the basis for some serious issues. This scenario creates room for an attacker to exploit the vulnerabilities in computers and computing devices to their advantage by using zero-day exploits. A zero-day exploit, often written as 0-day, means that no prior information has been disclosed about the vulnerability being exploited. This can lead to a huge amount of damage being done in a very short timeframe and usually ends up in serious data breaches. Since a zero-day exploit translates to day zero of awareness, it usually culminates in a plethora of serious consequences which are, needless to say, unfavourable. Some of the effects of a serious 0-day-based hack can be disturbing, including:
- Compromised data integrity – a grave situation for classified content
- A breach of privacy – leading to information leaks and theft of digital resources
- Erratic behaviour by devices and programmes – this is likely to be the effect of the ability to inject malicious code into your hardware and software
- Huge financial losses – lawsuits and regulatory fines will be coming your way, especially if you’re bound by PCI DSS requirements
A big example
If the above sounds serious, it’s because it is. All these things can happen (and have happened) to organisations affected by hacks that used 0-day exploits. In April 2016, the media reported on what became known as the "Panama Papers". What people don’t always remember is the cause of that data leak: a zero-day flaw in the popular Drupal CMS. This major leak saw 11.5 million files, 2.6 terabytes of data, stolen, all as a result of just one zero day!
Keeping protected
Though 0-days are undeniably bad situations for any organisation, institution or government, there are a few things that can be done to protect against such adversity. The core understanding here is to go back to basics. Remember that confidentiality, integrity and availability are the three key functions of security. They’re threatened by disclosure, change and deletion respectively. Therefore, we must assess every security measure on whether it can be circumvented, judged against the confidentiality, integrity or availability it is meant to protect.
Non-zero protection
But it’s not all doom and gloom, as there are things organisations can do to protect themselves against this worst-case scenario. Building a robust security architecture, such as defence in depth, is strongly recommended. Defence in depth was conceived by the USA’s National Security Agency (NSA) and it’s how they protect their critical national infrastructure. It involves multiple, overlapping layers of protection, meaning a zero-day can be isolated and restricted to the zone of impact. This starts with a holistic risk assessment for your critical assets and processes, and is a good way to define the current security posture of your organisation. Next, build a security framework based on dynamic threat analysis and regular vulnerability assessments. Defence in depth should evolve through consultation and critical investigation of the threat space, citing instances, possibilities and solutions for mitigating the impact of zero days. Strong defence must include all the stakeholders involved with our security, both internal and external. For instance, key considerations for defence in depth should cover governance, people and processes as well as the technical aspects. It must then be augmented with regular log monitoring and periodic reviews of every component of an organisation’s security posture, identifying potential grey areas and proffering immediate remediation.
Get organised or get owned
What might come as a surprise to most organisations looking to implement a coherent security strategy is that there’s no defined methodology for reporting and documenting incidents, regardless of their magnitude and impact. Instead, what happens the day after the zero day depends on your readiness. By taking prudent security steps now, you can dramatically minimise or even negate the impact of a zero-day hack. Getting ready for the inevitable involves things like:
- Systematic backups of critical data, ideally stored in separate locations
- Forensic analysis of digital assets to maintain their integrity
- Enforcing a ‘least privileges’ policy for various types of users
- Applying updates and patches when available, including security patches as well as OS and application updates
- Making and maintaining a culture of effective risk management
- Constant reviews of documented security policies
- Using up-to-date anti-malware technologies
- Reliable hardware and software firewalls
- Removing unused software, applications, frameworks, etc
- A functional and skilled cyber security response team to detect zero days early and respond appropriately
Let someone else do the heavy lifting for you…
If you don’t host your critical infrastructure in-house (and for many organisations, outsourcing to specialist cloud providers is the norm), then you need to do your homework on your infrastructure provider: make sure they’re security-focussed. Check their patching schemes, ask them about their anti-malware technology, and make sure they have a dedicated cybersecurity department. If they have an in-house Security Operation Centre, so much the better. If they don’t have some or all of these things, then chances are they (and so you) won’t survive a zero-day hack.
Don’t outsource responsibility
As mentioned above, if you do engage with a specialist secure infrastructure provider, bear in mind that the responsibility for protecting yourself still lies with you. Make sure your provider is doing all they say they are, train your end-users in the cybersecurity basics and stay vigilant.
Be ready for the day after zero day
A zero-day exploit in the wild can be difficult to manage. But with proper planning both the risk of attack and the impact of a successful attack can be managed with minimal disruption to your business. What happens the day after the zero day is up to you – do you want a normal business day or a total business blackout? Either way, it’s what you do today that counts.