A seasoned CISO explains why focusing too much on zero-days can distract from older vulnerabilities.
From intelligence reports and breaking news to vendor security alerts, cybersecurity and IT personnel are inundated with news about the latest zero-day warnings, alerts and alarms. While the response process is the same for any vulnerability, zero-day vulnerabilities tend to trigger a heightened sense of urgency within an organization, leading to tighter timelines, less testing, and a more aggressive stance that is usually based on fear, uncertainty and doubt.
In these cases, that hyper-focus on the zero-day tends to negatively impact or blunt an organization's response to vulnerability management in general.
Zero-day vulnerabilities have become commonplace, targeting major companies and applications that millions of users rely on every day. From Adobe to Microsoft, no vendor is safe from vulnerabilities in their software, and every organization that relies on software is a target. The frequency and potential consequences of a successful zero-day attack ensure that they often become the primary focus of cybersecurity professionals and IT personnel. But are we too focused on zero-day threats?
1. Balancing the threats and response
Take the recent ransomware outbreak WannaCry as an example. Although it's being treated as an exploitation of a zero-day vulnerability, it's actually a 60-day vulnerability; the patch was released in March 2017. WannaCry demonstrates that cybersecurity analysts and security managers must balance between the immediacy of zero-day exploitation and the risks associated with unresolved, known issues.
In psychology, a phenomenon called weapon focus is a behavior exhibited by a victim of a crime who focuses on the weapon used rather than on details about the assailant. This tunnel vision is innate to us, as we focus on the most immediate threat to life. Many security managers also experience weapon focus when it comes to zero-day vulnerabilities: they perceive the zero-day to be the biggest immediate risk, redirect the majority (or all) of their resources to it, and consequently ignore the plethora of old, open vulnerabilities and configuration issues across the enterprise. The reality is that an organization is more likely to be impacted by old unpatched vulnerabilities in Adobe, Java or Flash than by a newly released zero-day remote code execution vulnerability in the Windows operating system.
When focusing on the newest zero-day, an organization may lose focus on correcting older and less publicized vulnerabilities, testing cycles may be accelerated such that not all business systems or processes are tested, and a patch that is intended to correct the issue may ultimately fail – or worse – cause a new one.
2. What to do
To combat the negative impacts of a zero-day -- not just the impact on your network and systems, but also your business, your processes and mission -- it's critical that organizations use a defined process to evaluate tolerable and acceptable risk of all vulnerabilities as they're discovered. Zero-day vulnerabilities should be assessed and acted on in accordance with the organization's process, just like any other vulnerability.
Lastly, a survey of essential and critical systems and networks across the enterprise would allow for a deeper level of introspective analysis and perspective. These data points, centrally aggregated and normalized, can then be processed using a consistent and repeatable mathematical model to avoid organizational data skewing and other outside influences. Using such a method would provide a quantitative answer -- far more reliable than the gut feeling that many rely on.
Organizations should continue to monitor and review media and intelligence reports for zero-day vulnerabilities, but they should assess them in accordance with existing processes, which should take into account active/passive defenses, asset and configuration management, and the risk acceptance and tolerance of senior leadership. The assessment process should be repeatable to demonstrate consistency, scalability and reliability in the results.
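As an added illustration of the repeatable, quantitative process described above (example code, not the author's own model): each finding is reduced to normalized data points of the kind named in the article (severity, patch age, active exploitation, exposure after compensating controls, asset criticality) and combined into one score that is then filtered by leadership's risk tolerance. The weights and the sample findings are assumptions constructed for the demonstration.

```python
"""Illustrative repeatable risk-ranking model for vulnerability findings.

Added example: the weights below are assumptions chosen to keep the model
transparent, not a standard and not the article author's formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    label: str
    base_severity: float        # 0-10, e.g. a CVSS base score
    days_since_patch: int       # 0 = no vendor patch yet (a true zero-day)
    exploited_in_wild: bool     # reported active exploitation
    exposed_assets: int         # affected assets NOT covered by a compensating control
    asset_criticality: float    # 0-1, highest business criticality among those assets


def risk_score(f: Finding, total_assets: int) -> float:
    """Normalise each data point to 0-1 and combine them into one repeatable score."""
    severity = f.base_severity / 10.0
    # A known issue with a patch available grows in weight the longer it stays
    # open (the patch itself advertises the flaw); an unpatched zero-day starts at 0.5.
    age = 0.5 if f.days_since_patch == 0 else min(1.0, 0.5 + f.days_since_patch / 120.0)
    exploit = 1.0 if f.exploited_in_wild else 0.4
    exposure = f.exposed_assets / total_assets
    return round(100 * severity * age * exploit * exposure * f.asset_criticality, 1)


def rank(findings, total_assets, risk_tolerance):
    """Return (label, score) pairs at or above leadership's tolerance, highest risk first."""
    scored = [(f.label, risk_score(f, total_assets)) for f in findings]
    return sorted([s for s in scored if s[1] >= risk_tolerance], key=lambda s: -s[1])


# Constructed sample: a fresh OS zero-day reaching a few dozen hosts versus a
# 60-day-old SMB flaw (WannaCry-style) still unpatched across most of the fleet.
SAMPLE = [
    Finding("new-os-zero-day", 9.8, 0, True, 50, 0.6),
    Finding("60-day-old-smb-rce", 8.1, 60, True, 700, 1.0),
    Finding("old-reader-bug", 7.8, 400, True, 150, 0.4),
]

if __name__ == "__main__":
    for label, score in rank(SAMPLE, total_assets=1000, risk_tolerance=1.0):
        print(f"{label:22s} {score:5.1f}")
```

With the sample data the 60-day-old, widely exposed flaw scores well above the headline zero-day, which is the point of running every finding through the same model.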
By following these tactics, every vulnerability will receive the attention it deserves, allowing analysts and executives to place the appropriate emphasis and resources behind each investigation and resolution, rather than rushing to address zero-day issues that may be less important than older, known vulnerabilities.