The origin story of Achilles begins with his mother, the Greek goddess Thetis, and how she attempted to protect him. Thetis went to the River Styx, which formed the boundary between Earth and the Underworld. It was said that the river could imbue a person with powers of invincibility. Wanting the best for her son, Thetis dipped her infant child into the River Styx so that he might grow up to be great and powerful. As a result, Achilles grew to be a great warrior who survived many battles thanks to his powers. However, unknown to Thetis and Achilles, he remained vulnerable at his heel: that was where Thetis held him while she dipped him into the river as a child, so he was protected everywhere except at that one spot.
Similar to the vulnerability of Achilles’ heel, a zero-day vulnerability is a computer security vulnerability unknown to its creators. However, hackers who later discover the vulnerability can exploit it to attack a business and its computer systems, steal data, or plant malicious code within the company’s network.
Unlike known vulnerabilities that have been identified, patched, and publicized, unknown (or known but unpatched) vulnerabilities are called zero-day vulnerabilities. The name means that the developers have “zero days” to fix the problem, which has just been exposed and has likely already been exploited by hackers. They are vulnerabilities that a malicious hacker or government agency may have discovered but not reported, or that the developer knows about but has not yet issued a patch for.
Malicious hacking groups that discover such vulnerabilities keep them secret so they can exploit them to steal data, infiltrate computer systems, or spy on people and organizations without alerting anyone to the fact that they have unlocked a back door into their systems. Often, zero-day exploits are secretly sold to nefarious hacker groups on the darknet.
As with Achilles, the entire system can be hardened and considered invulnerable, but even the smallest unknown or unpatched vulnerability can be catastrophic.
How serious can it be?
Zero-day vulnerabilities can be disastrously serious. They’ve been used to exploit any number of systems, from sabotaging Iran’s uranium enrichment plants to affecting the credit ratings of hundreds of millions of people.
For instance, if you’re like me, then you’re one of the 143 million Americans who now have to regularly check their credit reports, learn how to set up a credit freeze, and keep an eagle eye on their credit score, all because of a zero-day vulnerability and Equifax’s failure to patch its servers.
Back in March 2017, Chinese cybersecurity researcher Nike Zheng discovered a vulnerability in the web application software Apache Struts. Zheng notified Apache about the defect and a way to fix it on March 6. However, by March 10, hackers scanning the internet for vulnerabilities had already found the Struts vulnerability on one of Equifax’s servers. Shortly after that, more hackers had gained entry into Equifax’s servers and installed back doors into its computer systems.
Meanwhile, the hackers who had breached the system had, by May, stolen the personal information of more than 143 million Americans, including their addresses, birth dates, Social Security numbers, and more. Equifax did not discover the hackers, who were by then deeply embedded within its systems, until the end of July. Equifax had to shut down its customer portal for nearly two weeks while security teams conducted a forensic analysis of what happened and found and sealed all the back doors. Overall, the breach cost Equifax more than $1.7 billion despite its $125 million in cybersecurity insurance coverage.
Why are patches not applied as soon as available?
Patches are difficult and risky to apply because they need to be tested for potential adverse effects on the rest of the system. As a rule, applying a patch requires full backups to be taken and an identical test system to be set up, so the patch can be checked to ensure it will not adversely impact other systems and potentially cause a business disruption. That complexity is, in part, why patching systems takes an average of four months, if they get patched at all.
Zero-day issues are more complicated to patch since they typically involve foundational aspects of an organization’s IT systems. Additionally, IT teams are already handling various system maintenance issues, new software releases, end-user support tickets, hardware and software upgrades, cloud migrations, and several other ongoing projects for the business.
What can be done?
IT organizations must establish specific processes to pay special attention to all security disclosures and announcements from all their vendors and from the security organizations that provide security resources such as CVE and the NVD at NIST. All zero-day patches must be applied across all systems and given the highest priority, above and beyond all other activities. This requires a dedicated process to fast-track the quality assurance steps for applying, testing, and rolling out these fixes, one that bypasses the typical process for new software deployment while ensuring the overall health of the entire system is not compromised.
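One way to make that fast-track process concrete is to match incoming advisories against a system inventory and rank the work so that zero-day conditions (exploited in the wild, or no patch yet) and internet-facing hosts come first. The example below is added here and is not from the article; the advisory record shape, the placeholder CVE ids, the product names, and the inventory are all constructed assumptions and only loosely resemble real NVD entries.

```python
"""Triage of vendor / NVD-style advisories against a system inventory.

Added example (not from the article). Advisory records and hosts below are
constructed; field names are assumptions and the ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str            # placeholder ids, not real CVE numbers
    product: str
    cvss: float
    exploited_in_wild: bool
    patch_available: bool


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    internet_facing: bool


def triage(advisories, inventory):
    """Return (cve_id, host, track) tuples ordered by patch urgency.

    Zero-day conditions (exploited in the wild, or no patch yet) go first,
    then internet-facing hosts, then higher CVSS scores."""
    by_product = {}
    for asset in inventory:
        by_product.setdefault(asset.product, []).append(asset)
    work = []
    for adv in advisories:
        for asset in by_product.get(adv.product, []):
            zero_day = adv.exploited_in_wild or not adv.patch_available
            work.append((zero_day, asset.internet_facing, adv.cvss, adv, asset))
    work.sort(key=lambda w: (w[0], w[1], w[2]), reverse=True)
    return [(adv.cve_id, asset.host, "FAST-TRACK" if zd else "normal")
            for zd, _, _, adv, asset in work]


# Constructed sample data (not real advisories or hosts).
ADVISORIES = [
    Advisory("CVE-0000-0001", "apache-struts", 9.8, True, True),
    Advisory("CVE-0000-0002", "exchange-server", 8.1, False, False),
    Advisory("CVE-0000-0003", "legacy-crm", 5.3, False, True),
]
INVENTORY = [
    Asset("web-01", "apache-struts", True),
    Asset("mail-01", "exchange-server", True),
    Asset("crm-01", "legacy-crm", False),
    Asset("web-02", "apache-struts", False),
]

if __name__ == "__main__":
    for line in triage(ADVISORIES, INVENTORY):
        print(line)
```

The `FAST-TRACK` items are the ones that should bypass the normal deployment queue; everything else stays on the regular patch cycle.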
It might also be time to migrate some services to the cloud, as cloud services operated and managed by cloud service providers have dedicated staff on the front line of cybersecurity defenses. However, even a dedicated team actively looking out for security issues will not prevent zero-day vulnerabilities. Still, it can help ensure the speedy application of patches as soon as they are available.
The Microsoft Exchange vulnerabilities of early 2021 are an excellent example of the elevated security protection available with software as a service (SaaS). Organizations using Microsoft’s SaaS cloud-based Exchange server as a part of Office 365 did not succumb to the exploit. Meanwhile, organizations running Exchange servers in their own data centers or private clouds were vulnerable until they became aware of the patches and applied them to their servers.
Whether they manage servers in their own data center or rely on a SaaS cloud, companies and organizations can no longer regard cybersecurity as an expensive nuisance; it is instead an opportunity to be seen as the model company that looks out for its customers. This active security posture can put you miles ahead of the competition.
Authors: Brian Greenberg & Cameron Laghaeian