Mike Loginov at Systal warns that the response to your next zero-day starts today
Security experts will often talk about defending a business’s data and integrity as though it were a race against the inevitable. All too often, we see organisations caught out by issues that really can and should have been foreseen and dealt with before any significant impact.
Public-facing systems running old, unsupported, or poorly configured operating systems. Access credentials being shared through unprotected channels. Outdated networking hardware that nobody has noticed is still connected to office or enterprise infrastructure. Issues like these can all be ticking timebombs, just waiting for a malicious actor to notice them.
The rule, then, is to keep moving forward, in the knowledge that attackers are constantly evolving and increasing their levels of sophistication, by maintaining a continuous assessment and evolution of your defensive measures. It’s an important, valuable rule – but the truth is that, sometimes, the proximate cause of a breach is not down to the organisation’s own management, behaviour, or infrastructure.
The revelation in May that Barracuda, a major security vendor with over 200,000 business customers, has suffered a significant zero-day attack is just the latest example of this truth.
A zero-day vulnerability is in many ways the golden egg of the cyber-criminal community: the term describes a flaw which the software vendor is unaware of, which can be used to access systems and exfiltrate data with relatively little resistance. In the worst case (or, for the attacker, the best case) such vulnerabilities can be exploited for months or even years before the problem is identified and remedied.
As ever with zero-days, those customers down the chain from Barracuda should be deeply concerned about the news – especially given that the vulnerability directly impacts the vendor’s Email Security Gateway product, potentially calling into question an organisation’s wider risk profile.
However, does this really all mean that organisations have to just sit back and accept that the danger of a zero-day vulnerability might strike at any moment? Far from it: response preparedness, strategic security design, and employee support all have important roles to play in terms of mitigating the damage that a zero-day attack can do.
Knowing that, by definition, neither your business nor your security vendors can predict zero-day attacks underscores the necessity of knowing what to do when they do happen.
Organisational security teams should have clearly defined processes and platforms in place which name responsible individuals as points of contact and set out a methodology for isolating affected systems, conducting forensic analysis to understand the extent of the breach, and ultimately remediating the vulnerability, ideally in real time.
The midst of an attack is not the right time to decide who is doing what and find the right tools for the job, and so establishing the proper capabilities for a response, whether through in-house tools or through partnerships with third-party specialists, is an important part of the security baseline.
A modern, well-equipped security operations centre should be concerned with deepening its insight into holistic network traffic as well as hardening specific potential points of vulnerability. AI-informed analytics probes deployed at the edge of the public network can monitor and flag traffic flow to analysts, automating the first steps towards identifying a breach and ultimately neutralising damage faster.
A security team’s work will naturally be easier, and the organisation will recover faster, if the extent of the breach is as small as possible, and that is also more likely to be the case when businesses have multiple forms of defence in play.
In the context of business email compromise, that might mean supplementing security solutions which detect and block suspicious emails with email authentication protocols, which verify that the sender of an email is who they say they are, and with more specialised tools for threats like phishing.
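As an added illustration of what such sender verification checks, the following example (written for this piece, not code from the author or Systal) applies simplified DMARC alignment rules to constructed authentication results: a message passes only if SPF or DKIM passed for a domain aligned with the visible From domain, otherwise the published policy disposition applies. The organisational-domain check is a deliberate simplification (last two labels); real evaluators use the Public Suffix List.

```python
"""Simplified DMARC alignment evaluation over constructed authentication results."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header (what the user sees)
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope (MAIL FROM) domain that SPF actually checked
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, if any


def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels (a stand-in for the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organisational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=...; adkim=...; aspf=...' TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate(r: AuthResults, record: str) -> str:
    """Return 'pass', or the policy disposition ('none', 'quarantine', 'reject') when nothing aligns."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed sample data: a published policy and two incoming messages.
POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r"
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")
# Sender spoofs the From: header but the envelope domain belongs to someone else; no DKIM signature.
SPOOF = AuthResults("example.com", "pass", "attacker.test", "none", "")
```

Note that SPOOF's SPF result is "pass": the envelope domain legitimately authorised the sending host, which is why alignment with the From domain, not a bare SPF pass, is the property that protects the recipient.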
Likewise, businesses can think about identifying and protecting likely pathways that attackers may take when email is successfully compromised. Strong internal controls over financial transactions, for example, will stipulate multiple levels of internal approval, making it significantly harder for fund transfers to be executed without someone intervening.
Indeed, human wariness should not be overlooked as a resource when it comes to mitigating this kind of threat. Just as a large transaction is likely to raise a red flag if the right people witness it, user training can help everyone in an organisation become part of the solution by teaching them to identify issues early on and escalate them to the security team.
Thinking again about email compromise, phishing and social engineering are key vectors which everyone in a business needs an astute awareness of – especially given that the emails in question might well appear to be coming from within the organisation.
Finally, businesses should still control what is controllable. The lurking risk of zero-day vulnerabilities is not going anywhere – and, in fact, as digitalisation continues apace and IT, IoT, and OT infrastructure grows more extensive, we might expect to see them making headlines ever more often in the future.
That doesn’t mean, however, that the race against cyber-threats is already lost: many other evolving threats can and should be kept ahead of by updating systems in line with the latest available information.
In fact, a well-maintained security posture remains one of the best defences even when the issue at hand is a zero-day attack. A zero-day vulnerability, while it might potentially lead to many kinds of damage and loss, is rarely a skeleton key for the whole IT infrastructure, and the more hardened other systems are, the harder attackers will find it to fully press their advantage.
With a real race, you can always tell at a glance who’s leading the pack and who’s lagging behind. Cyber-security, unfortunately, never offers such clarity. The lesson of events like the Barracuda zero-day vulnerability is that, even if we feel ahead of the curve, we still need to seek improvement and prepare for the inevitable attacks and likely breaches.
Mike Loginov is Executive VP at Systal
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543