Best Defense Against a Zero-Day Attack is Yesterday

One of the most indefensible threats today’s enterprises face is known as a “zero-day attack”. A zero-day attack exploits a vulnerability or software flaw that leaves an enterprise exposed before a patch or workaround is available. These vulnerabilities can be found in operating systems, applications and hardware. Sometimes zero-day vulnerabilities are unknown to all but a cyber attacker or a supplier who sells zero-day discoveries on the black market. In other cases, the software vendor knows about the vulnerability but has not yet issued a patch.

This is potentially very dangerous to an enterprise because updating malware definitions and anti-virus signatures will not prevent a zero-day attack, and patching your systems is ineffective because no patch is available yet. In many cases, not even multi-layered “defense-in-depth” security schemes are enough to prevent a zero-day attack from hitting your IT assets. According to Symantec’s Intelligence Report, the top 5 zero-day vulnerabilities left companies without a patch for 295 days in 2014.

Microsoft Attacks

Zero-day attacks targeting Microsoft software often hit right after Microsoft delivers its patches. Cybercriminals have found that they can take advantage of Microsoft’s monthly security update cycle by timing new attacks just after Patch Tuesday – the second Tuesday of each month when Microsoft releases its fixes. These attacks will make Microsoft aware of the new vulnerabilities, but unless the vulnerabilities in question are extremely dangerous it will be a month before the software maker has a chance to respond. Security experts have coined the term “zero-day Wednesday” to describe that strategy.

Waiting for a patch or workaround can put an enterprise in a very precarious position, and there is no “silver bullet” for this situation. What enterprises can do is make sure their backups are current and tested. Once the specific vulnerability notification has been issued by the software/hardware manufacturer, enterprises can prioritize the servers that are affected and/or most vulnerable.

Here are some useful steps to help mitigate a zero-day attack:

  • Make a separate backup policy for the vulnerable application(s)
  • Include versioning for recovery point objectives
  • Have a virtual or physical standby server ready
  • Create a clone of the entire OS image
  • Test your recovery against a zero-day attack scenario
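The prioritization and backup checks described above, as an added example that is not part of the original article: a vendor notification is matched against a server inventory, each affected server is checked for a stale or untested backup against its recovery point objective, and exposed servers with the most gaps are listed first. Product names, versions, hostnames and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed vendor notification: product and inclusive affected version range (hypothetical).
NOTIFICATION = {"product": "ExampleDB", "affected_versions": ("4.0", "4.3")}

@dataclass
class Server:
    host: str
    product: str
    version: str
    exposed: bool            # reachable from untrusted networks
    last_backup: datetime    # time of the most recent backup
    backup_tested: bool      # whether a restore from that backup was verified
    rpo: timedelta           # recovery point objective for this server

def version_tuple(v):
    """Turn '4.2' into (4, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def is_affected(server, notification):
    lo, hi = (version_tuple(v) for v in notification["affected_versions"])
    return server.product == notification["product"] and lo <= version_tuple(server.version) <= hi

def backup_gaps(server, now):
    """Backup problems to fix while the server is still exposed and no patch exists."""
    gaps = []
    if now - server.last_backup > server.rpo:
        gaps.append("backup older than RPO")
    if not server.backup_tested:
        gaps.append("restore never tested")
    return gaps

def prioritize(servers, notification, now):
    """Affected servers only: exposed ones first, then most backup gaps, then by name."""
    affected = [s for s in servers if is_affected(s, notification)]
    return sorted(affected, key=lambda s: (not s.exposed, -len(backup_gaps(s, now)), s.host))

# Constructed inventory for the example.
NOW = datetime(2015, 3, 10)
DAY = timedelta(hours=24)
SERVERS = [
    Server("db-int-01", "ExampleDB", "4.2", False, NOW - timedelta(hours=2), True, DAY),
    Server("db-dmz-01", "ExampleDB", "4.1", True, NOW - timedelta(days=3), False, DAY),
    Server("db-dmz-02", "ExampleDB", "3.9", True, NOW - timedelta(hours=1), True, DAY),  # not in range
    Server("web-01", "ExampleWeb", "4.1", True, NOW - timedelta(hours=1), True, DAY),    # other product
]

if __name__ == "__main__":
    for s in prioritize(SERVERS, NOTIFICATION, NOW):
        print(s.host, "exposed" if s.exposed else "internal", backup_gaps(s, NOW) or "backups OK")
```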

Of course, always pay attention to the software/hardware manufacturer notifications to stay ahead of threats.