I have worked in networking and security for a long time. I architected a pretty sweet NetWare 3.x network at a large advertising firm in SF back in the late 80s and have worked in software engineering on everything from anti-virus to encryption to firewalls and IDS systems. For nearly a decade I focused on vulnerability assessment and management technologies and processes. I worked on CyberCop Scanner (Ballista) for NAI, led engineering at nCircle and cover vulnerability management as a primary analyst for Gartner. So let me set some things straight before the FUD gets out of hand…
I agree with much of what has been said, and I stated as much (even though I was called a detractor). What I am taking issue with, and what I am calling FUD, is (a) the insistence that once an organization knows about something it is no big deal and (b) the claim that there is nothing anyone can do and you are all hosed.
I agree that zero-day is a term often misused by marketing folks, and I also agree that a real zero-day attack can be devastating. In fact, my mantra on security has been “You cannot stop all bad things from happening, that is an unachievable goal – the goal of security is to limit the probability of a successful attack and when one does occur to limit its impact on the organization.” But to not provide any advice beyond security awareness training and locking everything down is a little bit less than adequate.
If your organization is attacked with a zero-day it can be devastating, but that doesn’t mean there is nothing you can do. Here are a couple of points I think are important to note.
1. Zero-days are defined as attacks that occur within 24 hours of the vulnerability being announced; that is where you get the zero from. Sometimes the term is used to refer to exploits against vulnerabilities that occur prior to the vulnerability being publicly announced or known by the vendor.
2. The time between when a vulnerability is announced and when a patch is released has nothing to do with zero-day, even if an attack occurs during this period, unless all this happens within 24 hours.
3. 99% of all external attacks take advantage of known vulnerabilities, misconfigured and poorly administered systems (this statistic has been published by SANS, the FBI and Gartner).
4. There is a real threat that attacks can take advantage of unknown vulnerabilities, but this is not causing the same level of pain as #3; most organizations are struggling to deal with #3.
5. There are technologies and processes organizations can use to combat zero-day or unknown attacks. They are:
– The definition of policy (IPs from this VLAN should not access that VLAN, systems in this segment should only communicate using certain protocols, no inbound RPC to this subnet, no outbound RPC to that subnet, no domain servers in this VLAN, etc…)
– Audit against the defined policy (for example, using NBA-type technologies)
– Enforcement of policy
Technologies that can assist (notice I said assist) organizations in detecting zero-day attacks…
– NBA (Network behavior analysis) to identify suspicious behavior indicative of an attack, a compromised system or violations of policy.
– SIEM or other application/database/IAM auditing and activity monitoring of operational controls to identify suspicious behavior or violations of policy (e.g. privileged account access, escalation of privilege, application access outside of defined hours)
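The three-step loop above (write the segmentation policy down, audit observed traffic against it, apply SIEM-style rules to account and application activity) is easy to state and rarely shown concretely. The following is an added example, not code from the commenter or from any NBA or SIEM product: it encodes a hypothetical VLAN policy ("users may only reach servers on 80/443/445", "the DMZ never initiates to servers", "no inbound RPC into the DMZ or user VLAN") and a few hypothetical SIEM rules, then runs constructed flow records and auth events through them. All subnets, ports, account names and business hours are assumptions chosen for illustration.

```python
"""Added example (not part of the original comment): audit constructed flow
records and auth events against a written segmentation/access policy.
Every subnet, port, account name and hour below is an assumption."""
import ipaddress
from datetime import datetime

# --- 1. Define the policy (assumed values) ----------------------------------
VLANS = {
    "users":   ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "dmz":     ipaddress.ip_network("192.168.100.0/24"),
}
# Which (src_vlan, dst_vlan) pairs may talk, and on which destination ports.
# An empty set means the pair may never talk; unlisted pairs are denied by
# default; traffic that stays inside one VLAN is not audited here.
SEGMENT_POLICY = {
    ("users", "servers"): {80, 443, 445},
    ("users", "dmz"):     {80, 443},
    ("dmz", "servers"):   set(),
}
RPC_PORTS = {111, 135}             # sunrpc and MS-RPC endpoint mapper
NO_INBOUND_RPC = {"dmz", "users"}  # VLANs that must never receive RPC
PRIVILEGED_ACCOUNTS = {"domain-admin", "sa"}
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time

def vlan_of(ip):
    """Map an address to its VLAN name, or 'unknown' if outside the policy."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unknown"

# --- 2. Audit network flows against the segmentation policy ----------------
def audit_flows(flows):
    """flows: iterable of dicts with src, dst, proto, dport. Returns a list of
    (flow, reason) tuples, one per flow that violates the policy."""
    findings = []
    for f in flows:
        src, dst = vlan_of(f["src"]), vlan_of(f["dst"])
        if src == dst:
            continue
        if dst in NO_INBOUND_RPC and f["dport"] in RPC_PORTS:
            findings.append((f, f"inbound RPC into {dst} VLAN"))
            continue
        allowed = SEGMENT_POLICY.get((src, dst), set())
        if not allowed:
            findings.append((f, f"{src} VLAN may not initiate to {dst} VLAN"))
        elif f["dport"] not in allowed:
            findings.append((f, f"port {f['dport']} not permitted {src}->{dst}"))
    return findings

# --- 3. Audit auth/application events the way a SIEM rule would ------------
def audit_events(events):
    """events: dicts with ts (ISO 8601), user, action, app. Flags privileged
    logons, privilege escalation and application access outside hours."""
    findings = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["action"] == "logon" and e["user"] in PRIVILEGED_ACCOUNTS:
            findings.append((e, "privileged account logon"))
        if e["action"] == "priv_escalation":
            findings.append((e, "privilege escalation"))
        if e["action"] == "app_access" and hour not in BUSINESS_HOURS:
            findings.append((e, f"{e['app']} accessed outside business hours"))
    return findings

# Constructed sample data (not real captures or logs).
SAMPLE_FLOWS = [
    {"src": "10.10.0.5",     "dst": "10.20.0.10",    "proto": "tcp", "dport": 443},
    {"src": "10.10.0.5",     "dst": "10.20.0.10",    "proto": "tcp", "dport": 3389},
    {"src": "192.168.100.7", "dst": "10.20.0.10",    "proto": "tcp", "dport": 22},
    {"src": "10.10.0.9",     "dst": "192.168.100.7", "proto": "tcp", "dport": 135},
    {"src": "10.20.0.10",    "dst": "10.20.0.11",    "proto": "tcp", "dport": 135},
]
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:15:00", "user": "jdoe",         "action": "app_access",      "app": "payroll"},
    {"ts": "2024-03-04T02:40:00", "user": "jdoe",         "action": "app_access",      "app": "payroll"},
    {"ts": "2024-03-04T10:00:00", "user": "domain-admin", "action": "logon",           "app": "ad"},
    {"ts": "2024-03-04T10:05:00", "user": "jdoe",         "action": "priv_escalation", "app": "erp"},
]

if __name__ == "__main__":
    for f, why in audit_flows(SAMPLE_FLOWS):
        print(f"FLOW  {f['src']} -> {f['dst']}:{f['dport']}  {why}")
    for e, why in audit_events(SAMPLE_EVENTS):
        print(f"EVENT {e['ts']} {e['user']} {e['action']}  {why}")
```

Run as-is it reports three flow violations (RDP from users to servers, the DMZ host initiating SSH to a server, and RPC into the DMZ) and three event findings (after-hours payroll access, a domain-admin logon, and a privilege escalation); the intra-VLAN RPC flow and the daytime payroll access pass. The point of the structure is that the policy lives in data, so the same audit runs unchanged over NetFlow exports or SIEM event feeds, and a finding is a policy violation regardless of whether the exploit behind it is known or a zero-day.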