What Does a Zero-day Vulnerability Mean and How to Stay Protected? 

In December, while many gathered around a fire, hot drink in hand, and celebrated the holidays with family, security teams were tasked with patching and mitigating the risks that came along with a Log4j vulnerability. The early Christmas present involved a zero-day vulnerability that impacted systems using Log4j, a widely utilized open-sourced tool used across several applications, websites, products, and services. While this is undoubtedly one of the most significant zero-day vulnerabilities in recent years, it’s not the first and won’t be the last.

In fact, the United States Cybersecurity and Infrastructure Security Agency (CISA) recently announced the expansion of its Known Exploited Vulnerabilities Catalog to include nine new vulnerabilities this month. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risks. In conjunction with this expansion, CISA urges all organizations to reduce exposure by prioritizing timely remediation of the identified vulnerabilities as part of their ongoing vulnerability management practice.

It’s Been Zero Days Since…

Cyber attackers frequently target organizations that have vulnerable systems. Zero-day vulnerabilities are particularly precarious as they involve flaws in the software, hardware, and firmware that are unknown or have not been patched to mitigate the risk. But what does “zero-day” vulnerability mean? The term itself “zero-day” reflects the amount of time that the parties responsible for remediation have known about the exposure. If attackers can identify the vulnerability before the manufacturer, they may exploit it to gain access to an organization’s network.

Many cyberattacks originate from zero-day vulnerabilities, as they can become a race between threat actors attempting to exploit the flaw and manufacturers releasing a patch or users applying mitigating techniques. This window of time between the discovery and implementation of a patch is known as the “window of exposure,” as long as that window is open, the opportunity exists for potential risk to your organization.

The likelihood of a cyberattack and potential impact increases exponentially when organizations do not have a plan in place for incident response and remediation. If you don’t stay on top of vulnerability management, it becomes more challenging to protect your network and leaves your organization open to threats. Unfortunately, with many zero-day vulnerabilities, you don’t know what threats to be aware of until it’s discovered. Many IT professionals don’t have an asset management solution in place, and you can’t protect your organization if you don’t know what exists in your network environment.

The Dark Side of Shadow IT

Shadow IT has become an increasing source of concern for IT and security professionals, as employees or others connect equipment to networks or activate cloud applications outside your IT department or provider’s control and knowledge. This can open an organization up to many threats, including increased risk of data breaches, regulation violations, and compliance issues, as well as the potential for unforeseen costs. In the case of a zero-day vulnerability, it may also open your organization to unknown risks.

For example, let’s say you’ve installed a Grammarly browser extension to proofread and correct emails, but it’s not an approved service at your organization. If Grammarly announces a zero-day vulnerability, your IT team might think the organization is unaffected – and with no IT knowledge or control, the software may remain unpatched or misconfigured.

Protecting Against the Known and Unknown

There’s a saying that the smartest people aren’t the ones who know everything; they’re the ones who understand that they don’t know everything. When it comes to vulnerability management, the sentiment is the same. Instead of assuming your organization has all the bases covered, regularly conduct vulnerability scans to expose potential areas of risk that your organization may not have been aware of. Only then can those unknown vulnerabilities be prioritized, addressed, and remediated.

Implementing a vulnerability management solution should include ongoing, regular scans of the external network and internal assets in addition to periodic ethical hacking to simulate potential attacks and test defenses. Once vulnerabilities are identified, IT should then prioritize them based on criticality so that you know what to fix first in the event of an incident. A comprehensive cybersecurity program will also include a remediation or management plan to apply patches in a reasonable amount of time and plan for legacy systems as they are retired. This plan should document any accepted risks (risk tolerance will differ from one organization to another, depending on business priorities) and provide guidance on fixing the discovered vulnerabilities.

Finally, no comprehensive cybersecurity program is complete if the whole company is not on board. Organizations should encourage participation across the company as appropriate and facilitate knowledge sharing across groups to avoid information silos. Especially in the case of zero-day vulnerabilities, communication is key for efficient and effective remediation.

More Network Vulnerability Resources:

Webinar: Vulnerability Management: Getting down to brass tacks
Blog: Tackling the Emerging Vulnerability Trends of 2022
Blog: Why is Vulnerability Management Important?
Blog: Why is Vulnerability Management Important?