What are Zero-Days?

You may have seen references to zero-days (or 0-days) a lot recently with the Apple and Google Chrome vulnerabilities. The social media posts from companies make it seem like 0-days are the worst things in the world. But are they as bad as they seem? Is a 0-day worse than a 1-day? Let’s take a dive into the world of vulnerabilities to understand all the commotion around zero-days. 


Yes, They Are Bad

A 0-day is a vulnerability the vendor has had zero days to fix: someone outside the vendor found it first, so no patch exists at the moment it becomes known. The term says nothing about whether a flaw is being exploited, but in practice most 0-days make the news precisely because they were caught being used in the wild (that is the usual story behind the Apple and Chrome headlines). In that case the burden is on the vendor to create a patch, and fast, while you have nothing to install yet.

As an aside, this brings me to an important point: update your systems! Many IT professionals like to stay one OS version behind the current release because they believe the newest operating system is prime territory for zero-days. Waiting on a big jump such as Windows 10 to Windows 11 can be reasonable, but once the vendor is releasing updates for the version you run (monthly cumulative updates, point releases, browser updates), it is critical to install them promptly. Even when the release notes only say "software improvements," there is a good chance security fixes are baked in. And once a patch ships, the details of what it fixes tend to become public, which is exactly when exploitation of unpatched systems picks up.

With the updating point aside, I do want to reiterate that zero-days are critical vulnerabilities that put your systems at risk, and there is little you can do on your end until the vendor releases a patch beyond general best practices, applying any mitigation or workaround the vendor publishes with the advisory, and, where possible, taking the affected software offline or restricting who can reach it.

Do 1-Days Exist? 

Short answer: yes, although the term is less common than 0-day. A 1-day (or n-day) is a vulnerability for which the vendor has already published a fix but that is still unpatched on a given system. In practice n-days cause far more compromises than true 0-days, because the public patch and advisory give attackers a blueprint and the only thing protecting you is how quickly you apply the update. There are a few different ways to classify and score vulnerabilities. Some providers use simple severity ratings (high, medium, low) or their own relevance scores, and you will usually see a CVE identifier and a CVSS score alongside whichever ranking your provider gives. CVE (Common Vulnerabilities and Exposures) is a catalogue of publicly disclosed vulnerabilities, each with a unique identifier (CVE-2021-44228, for example); it does not rate severity. CVSS (Common Vulnerability Scoring System), a separate standard maintained by FIRST, scores how severe a vulnerability is on a 0.0 to 10.0 scale based on how it is reached, what privileges and user interaction it needs, and what it can affect. NIST's National Vulnerability Database (NVD) then analyses each CVE, assigns it a CVSS score and publishes the enriched entry. CVE and the NVD are your best starting points for judging severity, with one caveat: a CVSS base score measures technical severity, not whether the flaw is actually being exploited. For that, check the vendor advisory and CISA's Known Exploited Vulnerabilities catalog, and treat anything listed there as urgent regardless of its score.


How Can We Protect Against Zero-Days? 

As we’ve established, 0-days are critical and deserve your attention. As we’ve also established, the fix itself has to come from the vendor. That doesn’t mean your business is defenceless while you wait. Endpoint protection (EDR/XDR, which some vendors market as Advanced Threat Protection) and endpoint management tools provide an extra layer of security while a patch is pending: they watch for the behaviour an exploit produces (a browser or document viewer spawning a shell, unexpected persistence, credential dumping) rather than for the specific bug, so they can catch exploitation of a flaw nobody has a signature for yet. Since many of these exploits target user-facing software (operating systems, browsers, office applications), an endpoint management solution also lets you inventory what is installed, push the patch the moment it ships, and disable or restrict a vulnerable feature in the meantime.

Intrusion detection and prevention systems (IDS/IPS) ship with pre-configured rules for some of the most common risks, such as trojans, botnets and even phishing. They will not have a rule for a brand-new 0-day on day one, but they often catch what comes next: the command-and-control traffic, lateral movement or data exfiltration that follows a successful exploit. If a 0-day is being exploited in your environment, these alerts may be how you find out, and they can ensure you aren’t finding out about a security incident ten months down the road.

Backups, backups, backups! Backups aren’t going to stop an exploit from happening, nor will they alert you when there is a malicious actor in your system. What they do is limit the damage: with known-good backups your business can fail over to another server or system, or rebuild from clean media, rather than pay a ransom or lose the data outright. Backups only count if they are tested regularly, versioned, and kept offline or otherwise out of reach of the same credentials an attacker would steal, because an intruder with admin rights will delete or encrypt online backups before doing anything else. They can be costly, but backups are worth their expense ten times over when configured, tested and utilized correctly.

And of course, make sure your BCDR plan has a plan for zero-days in business-critical services! 


Would you like to learn more about Disaster Recovery & Business Continuity? Learn how we can build custom Disaster Recovery (DR) solutions tailored to your unique IT operations.
