According to an article in ITweek, Patrick Clawson, CEO of Patchlink, says “I’m calling bullshit on the whole zero day thing…” Basically, his argument is that the time before a patch or vuln is announced is when we are really vulnerable, and that once a vuln is announced enterprises are apparently no longer under any real threat. Alan over at Still Secure apparently agrees with him; come on Alan, you’re smarter than that 🙂
According to the article, Clawson “advised firms to train staff so that they do not fall victim to social engineering hacker attacks. “Social engineering is probably one of the most damaging elements in that one-year time frame,” said Clawson. He added that firms should lock down as many parts of the corporate network as possible: “You have to protect everything. Even your printers have enough memory to be used as a server for a porn site.”
I am calling BS on Patrick’s advice. First off, training your staff to not fall victim to social engineering doesn’t work and never will – users are stupid, and you need to put as many controls in place as possible to ensure they are not a vector for attack. Second, locking down everything, even your printers? It is difficult, if not impossible, to implement lock-down in most large enterprises. Telecommuters, mobile users, little gadgets with mobile OS’s on them, contractors, business partners, and heavy M&A activity make lock-down an unrealistic solution for most organizations. As for the whole zero-days-are-BS thing, here is the response I posted on the Still Secure website…
A zero-day exploit takes advantage of a vulnerability on the day that it is publicly announced (sometimes before, but not as often as vendors touting “we stop zero-day attacks” would lead the public to believe). When that happens it is difficult for organizations to respond quickly, since they a. need to obtain updates for their security defenses (new sigs, reconfigurations, and what not) and b. need to obtain the patch (if one is available) and then distribute it across their environment. Even best-of-breed organizations with mature patch management programs can take weeks or even months to fully patch their environment – this is not due to technology but to process and logistics.
I agree that there is a period prior to vulnerability identification or disclosure where malicious third parties may find the vulnerable condition, write exploit code and then use it as a vector for attack. But the most common case is where a vuln is announced at the same time a patch is made available, and within hours exploit code is in the wild and attempts are made to attack systems.
I am not sure what you and Patrick are calling BS on. Are you actually saying that there is no threat to an organization on the day that a vulnerability is released and exploit code is available within hours? Are you suggesting that once a vuln is announced a large enterprise just automagically patches its entire organization and is defended? What happens when a vuln is announced, no patch exists (can you say WMF or createtextstring?) and then exploit code shows up in the wild? You guys are off base on this one: there is a real danger facing organizations in that delicate window after a vuln and/or patch is announced, with exploit code actively being used to attack organizations while they scramble to defend themselves.
BTW – rapid patching as the initial response to a critical vulnerability, especially when exploit code is available in the wild, is a logistically difficult strategy for every organization I have ever spoken with. You absolutely must remove the root cause of a vuln, but the first step should be to shield the environment. That is, use network and host-based security products (such as firewalls and IPS, and perhaps update some NAC policies if you have that running) or other network infrastructure (such as routers) to prevent exploitation of the vulnerability before you can patch everything. We have been advising organizations to do just that and will continue to do so…
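To make the “shield first, then patch” sequence concrete, here is a small tracker I added as an example; it is not code from the original post or from Patchlink or Still Secure. It takes a constructed advisory (a made-up identifier, product name and port) and a constructed host inventory, classifies each host as not affected, patched, shielded or still exposed on a given day, emits illustrative firewall drop rules for the hosts that still need a compensating control, and measures how many days each host sat exposed after disclosure. The version-comparison and rule format are assumptions for illustration, not any vendor’s API.

```python
"""Shield-then-patch tracker (added example; all advisories, hosts and dates are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


def parse_version(v: str) -> tuple:
    """Compare versions numerically so '2.0.10' sorts below '2.1.0' (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    ident: str                      # constructed identifier, not a real CVE
    product: str
    port: int                       # network port the vulnerable service listens on
    disclosed: date                 # public announcement date
    fixed_version: Optional[str]    # None means no patch exists yet


@dataclass
class Host:
    name: str
    product: str
    version: str
    listens_on: FrozenSet[int]
    patched_on: Optional[date] = None     # date the fixed version was deployed
    shielded_on: Optional[date] = None    # date a network/host control blocked the port


def is_affected(host: Host, adv: Advisory) -> bool:
    """Affected = runs the product, exposes the port, and is below the fixed version (if any)."""
    if host.product != adv.product or adv.port not in host.listens_on:
        return False
    if adv.fixed_version is None:           # no patch yet: every version is affected
        return True
    return parse_version(host.version) < parse_version(adv.fixed_version)


def state(host: Host, adv: Advisory, today: date) -> str:
    """One of: not_affected, patched, shielded, exposed (as of `today`)."""
    if not is_affected(host, adv):
        return "not_affected"
    if host.patched_on and host.patched_on <= today:
        return "patched"
    if host.shielded_on and host.shielded_on <= today:
        return "shielded"
    return "exposed"


def exposure_days(host: Host, adv: Advisory, today: date) -> int:
    """Days from disclosure until the first of: patch applied, shield applied, today."""
    if not is_affected(host, adv):
        return 0
    ends = [today] + [d for d in (host.patched_on, host.shielded_on) if d and d <= today]
    return max(0, (min(ends) - adv.disclosed).days)


def shield_rules(hosts: List[Host], adv: Advisory, today: date) -> List[str]:
    """Illustrative iptables-style drop rules for hosts that are still exposed."""
    return [f"-A FORWARD -p tcp --dport {adv.port} -d {h.name} -j DROP  # shield for {adv.ident}"
            for h in hosts if state(h, adv, today) == "exposed"]


def rollout_summary(hosts: List[Host], adv: Advisory, today: date) -> Dict[str, int]:
    counts = {"not_affected": 0, "patched": 0, "shielded": 0, "exposed": 0}
    for h in hosts:
        counts[state(h, adv, today)] += 1
    return counts


# --- constructed sample data -------------------------------------------------
ADVISORY = Advisory("ADV-EXAMPLE-001", "widgetd", 8443, date(2006, 3, 22), "2.1.0")
ADVISORY_NO_PATCH = Advisory("ADV-EXAMPLE-002", "widgetd", 8443, date(2006, 3, 22), None)
HOSTS = [
    Host("web-01", "widgetd", "2.0.4", frozenset({443, 8443}), patched_on=date(2006, 3, 24)),
    Host("web-02", "widgetd", "2.0.4", frozenset({443, 8443}), shielded_on=date(2006, 3, 23)),
    Host("web-03", "widgetd", "2.0.10", frozenset({8443})),      # neither patched nor shielded
    Host("db-01", "widgetd", "2.0.4", frozenset({5432})),        # vulnerable build, port not exposed
    Host("kiosk-01", "widgetd", "2.1.0", frozenset({8443})),     # already on the fixed version
]
TODAY = date(2006, 4, 5)

if __name__ == "__main__":
    print(rollout_summary(HOSTS, ADVISORY, TODAY))
    for h in HOSTS:
        print(f"{h.name:10} {state(h, ADVISORY, TODAY):13} exposed {exposure_days(h, ADVISORY, TODAY):2} days")
    print("\n".join(shield_rules(HOSTS, ADVISORY, TODAY)))
```

The two numbers a program manager wants out of this are the count of hosts still in the `exposed` state (the ones that need a shield today) and the per-host exposure days (how long the window stayed open before either control landed). Note that `db-01` runs the vulnerable build but does not expose the port, so it is not counted as exposed for this remote advisory; it still needs the patch eventually, which is the root-cause removal the post insists on.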