Zero-day vulnerabilities can seriously threaten all affected systems since there are no available fixes at the time of discovery (DepositPhotos)
Cybersecurity threats are rampant, and attackers are showing no signs of letting up. According to the 2018, Cyber Security Breaches Survey released last April, over forty percent of UK businesses fell victim to cyber attacks over the span of twelve months from 2017 to 2018.
Hackers can gain access to target devices through vulnerabilities that can be found across the many layers of a company’s IT infrastructure including software and applications.
Serious flaws in operating systems, for instance, could be exploited by attackers for them to take full control over compromised devices.
Some of these flaws may not even be known to developers. Known as zero-day vulnerabilities, these flaws can seriously threaten all affected systems since there are no available fixes at the time of discovery.
Even if these zero-day vulnerabilities become known, it can take some time for official fixes to be released by developers. According to Ponemon, zero-day vulnerabilities are the biggest threat to organizations with 64 percent reporting to be compromised through such flaws in the last 12 months.
The massive breach of credit reporting firm Equifax is often cited as an exemplary case of the threat of software vulnerabilities. The Strutshock flaw that was used in the attack was a zero-day vulnerability discovered in February 2017 and fixed in March 2017. However, the flaw remained allegedly unpatched in Equifax’s servers months after the fix was released, with the breach pegged to have occurred sometime in May 2017.
Hackers can take advantage of the lull between the discovery of the flaw and the application of the fix to attack. Companies can take an average of 100 to 120 days before applying patches to their systems. During this time, attackers can even automate the detection of vulnerable systems and write malware to exploit the flaw specifically.
Even devices with existing security systems can fall prey especially if users or administrators aren’t aware of the exploits or fail to apply stop-gap measures to prevent attacks. While not technically in its zero-day period during the Equifax breach, the event illustrates how slow reaction by companies to such vulnerabilities could lead to catastrophic results.
Businesses slow to act.
Once hackers have access to their target devices, they can steal data, implant malware, and even take over systems for use in other attacks. According to the same breaches survey, these attacks can cost organizations thousands of pounds a year in the form of stolen assets, downtime, and recovery efforts.
Despite this potential impact to their bottom line, businesses often find it challenging to act on these threats promptly. Many smaller operations are ill-equipped to manage their IT effectively. Even those with dedicated IT teams are only able to respond if they are made aware of the threats. For larger operations, infrastructure size and complexity can even increase the time needed to secure their systems fully.
“Companies, even small to medium sized ones, can have dozens or hundreds of endpoints in their networks,” says Robert Brown, Director of Services at Cloud Management Suite (CMS). “If an exploit is found, they have to make sure that all affected devices are properly patched. With limited resources, IT staff can take hours or days to apply fixes. This could give hackers enough time to successfully launch attacks.”
Developers and vendors of vulnerable systems often try to take prompt action but fixes often don’t come out overnight. For example, a zero-day flaw that affected various Windows operating system versions was revealed last August, but it took Microsoft two weeks to release the official fix. The flaw, which affected Windows’ task scheduler, can be used by attackers to gain system-level access to target devices, allowing them to install software, delete files, and execute programs remotely.
Inertia also an issue.
End users can also simply suffer from inertia. Users often overlook to update and upgrade their software even if it is considered one of the fundamental practices in IT security. Users tend to ignore update warnings and almost half of them are frustrated by the experience.
One only has to look at the market share of operating systems to see how resistant users are to change. Windows 7, which was released back in 2009, still accounts for over 40 percent of the market. Users chose to stick with the older version even when Microsoft offered free upgrades to Windows 10 to existing license holders. Microsoft already ended mainstream support for Windows 7 in 2015 though the developer will provide extended support until 2020.
Interestingly, 4.23 percent of desktops still run on Windows XP. Microsoft officially abandoned the defunct operating system in 2014. This continued use forced the company to release an emergency patch during the WannaCry ransomware outbreak of 2017. It was the same outbreak that crippled the National Health Service (NHS). The ransomware was able to infect some NHS computers that ran on the outdated Windows software.
What can be done?
Putting in place preventive measures such as anti-malware applications, firewalls, and automated updates should provide users and organizations with a level of protection. However, vigilance is key when it comes to vulnerability-based attacks. Zero-day flaws can be beyond the scope of protection provided by these measures.
Knowledge is critical. IT staff have to know about threats as they emerge so that they can perform the necessary steps to minimize risks. Sites and social media feeds of security portals like StaySafeOnline can provide timely information about emerging threats and trends.
Fixes must also be deployed with urgency. IT expert Bruce Schneier remarks that patching will continue to become a challenge since computers are becoming more embedded. He writes, “This gets us back to the two paradigms: getting it right the first time, and fixing things quickly when problems arise.”
Software developers should take responsibility for their products and services. These threats should compel them to put better engineering and quality assurance practices in place.
Fortunately, IT management and security solutions providers are also making strides to streamline software deployment. Services like CMS are even introducing mechanisms that allow administrators to use plain language instructions to run tasks such as software updates and patch deployment. These solutions could greatly enhance IT management especially since only a third of security professionals update their software automatically.
What remains essential is for all stakeholders to act in a timely manner in order to minimize the risk that these threats pose.
Ruben is a blockchain security consultant currently living in New York City. He helps organizations fundamentally redesign experiences to create new sources of value also digitally reinventing company’s operations for greater efficiency.
- Google Confirms 7th Chrome ‘Zero Day’ Vulnerability, Upgrade Now
- New Google Chrome Update Warning As Hackers Discover 7 Alarming Security Flaws
- This nasty Internet Explorer zero-day is now launching real-world attacks
- Google Hackers Reveal Websites Hacked Thousands of iPhone Users Silently for Years
- Russian hackers still target U.S., other foreign organisations: U.S. security agencies
- Help desk! NSA has simple step to beat phone hackers from stealing your info - turn it off and turn it back on
- Over 10 different threat groups exploit Microsoft mail server flaws, researchers say
- Spies for Hire: China’s New Breed of Hackers Blends Espionage and Entrepreneurship
- Spies for Hire: China’s new breed of hackers blends espionage and entrepreneurship
- Poly Network hacker gave back more than $600 million in stolen crypto
- Hackers Are Using Internet Explorer to Attack Windows 10
- Google’s Project Zero Is Making The Internet Safer
- Zero trust: there is more than one attack surface
- U.S. Government Shuts Down Stalker Software Company
- 8 Best Jewelry Insurance Companies: How to Insure an Engagement Ring, Necklace, or Family Heirloom
- RBI norms may slow asset sales by ARCs
- PM Modi's 88-Minute-Long Independence Day Speech from Ramparts of Red Fort: Full Text Here
- The Three Top Ways That Cyber-Hackers Will Criminally Make Money Off Of Self-Driving Cars
- Microsoft warns of hackers exploiting Windows vulnerability
- UN Peacekeepers Fathered Dozens Of Children In Haiti. The Women They Exploited Are Trying To Get Child Support.
|SoftBank Japan Prepaid Nano SIM Card, 3GB of Data for 7 Days! ACTIVATED! Ready to use! (check at Amazon)||1.0|
|SoftBank Japan Prepaid SIM Card, 3GB of Data for 7 Days! ACTIVATED! Ready to use! (check at Amazon)||5.0|
|Mustard Pancakes: Are Ready to Sing (check at Amazon)||5.0|
|ARES ETHOS QX130 ULTRA MICRO READY TO FLY RC QUADCOPTER (check at Amazon)||4.7|
|Ares AZSZ2550 Ethos FPV Ready to Fly QuadCopter (check at Amazon)||2.7|
|Ares AZS1100 ARES ULTRA-MICRO TRAINER 100 READY TO FLY RC AIRPLANE (check at Amazon)||0.0|
|Ares AZSZ2500 Ethos HD Ready to Fly QuadCopter (check at Amazon)||0.0|
|Ares AZSH1500 Ares Ethos PQ Ready to Fly Quadcopter (check at Amazon)||0.0|
|Ares AZS1350 Taylorcraft Ready To Fly RC Airplane (check at Amazon)||0.0|
|Ares AZS1300 ARES TIGER MOTH 75 NANO MICRO READY TO FLY RC AIRPLANE (check at Amazon)||0.0|
|24 Hour Fire Dept. Electric RC Truck 1:16 Scale Rescue Zero Team Ready To Run RTR, Monster Truck Styling (check at Amazon)||0.0|
|Supreme Rescue Zero Team Electric RC Fire Truck Ready To Run RTR w/ Adjustable Rescue Crane, Retractable Ladder (check at Amazon)||0.0|
|ARES GAMMA 370 READY TO FLY RC AIRPLANE (check at Amazon)||0.0|
|Ares AZSZ2400 Ares Optim 80 CP Ready to Fly Helicopter (check at Amazon)||0.0|
|ARES GAMMA 370 PRO READY TO FLY RC AIRPLANE (check at Amazon)||0.0|
|ARES ETHOS QX75 NANO MICRO READY TO FLY RC QUADCOPTER (check at Amazon)||0.0|
|Tex RC Zero 4 Channel Warbird Ready to Fly 2.4ghz Wingspan 650mm (check at Amazon)||0.0|
|Tex RC Zero 4 Channel Warbird Almost Ready to Fly Wingspan 650mm (check at Amazon)||0.0|
|Ares AZSH1250 CHRONOS FP 110 ULTRA MICRO READY TO FLY RC HELICOPTER (check at Amazon)||0.0|
|Disney 2-Pack Mickey Mouse Clubhouse 96 Page Coloring Book Set for Kids "Are You Ready to Go?" and "Big Air" (check at Amazon)||5.0|
|2012 Annalee Dolls 5" *Snowflake Songbird* Ready to Brighten Your Day (check at Amazon)||0.0|
|Disney Mickey Mouse Clubhouse Coloring Book - Minnie Mouse & Daisy - Are You Ready to Play? (check at Amazon)||0.0|
|MREs (Meals Ready-to-Eat) 15-day Emergency food supply - 180 tablets box 25 Years Shelf Life - Butterscotch Flavor (check at Amazon)||1.0|
|Are You Ready to Rock (check at Amazon)||0.0|
|Are You Ready To Learn (check at Amazon)||0.0|
|Are You Ready to Testify: Live Bootleg Anthology (check at Amazon)||0.0|
|Kekkonshikinouta/ Are You Ready to (check at Amazon)||0.0|
|Are You Ready to Testify: The Live Bootleg (check at Amazon)||0.0|
|Mashed Mugs - I (Mustache) You A Question - Are You Ready To Be An Aunt?/Uncle? - 2-Pack Jumbo Coffee Cup/Tea Mug (White) (check at Amazon)||0.0|
|1 Year Food Supply for 1 Person At 3 Servings Per Day - 1080 Serving Supply - Long Term MRE Ready to Eat Food Supply (check at Amazon)||0.0|
|Portfolio Canvas Decor Framed and Stretched Ready to Hang Radiant Day I Canvas Wall Art by Frank Parson, 24 x 24"/Large (check at Amazon)||0.0|
|1 Pair Unpainted Ceramic DIY Skull -C- Wedding Cake Topper Figurine Ready To Paint Day of the Dead Skull Crafting Projects (check at Amazon)||5.0|
|Clear Glass Christmas Ornaments Are Expertly Crafted And Ready To Decorate (Set/8) (check at Amazon)||0.0|
|Suncatchers, Crystal Clear 4" Squares Are Ready To Decorate. (Lot of 6) (check at Amazon)||0.0|
|Suncatchers, Crystal Clear 3" Squares Are Ready To Decorate (Lot of 6) (check at Amazon)||0.0|
|10 Pcs. Unpainted Ceramic DIY Skull Pendants Bead Mini Figurine Ready To Paint Day of the Dead Crafting Projects (check at Amazon)||0.0|
|1 Pair Unpainted Ceramic DIY Skull Wedding Cake Topper Figurine Ready To Paint Day of the Dead Skull Crafting Projects (check at Amazon)||0.0|
|Suncatchers, Crystal Clear 4" Squares Are Ready To Decorate (Lot of 6) (check at Amazon)||0.0|
|Monistat 1-Simple Therapy-Vaginal Antifungal 1-Day Treatment 0.16-Ounce Prefilled Applicator, Ready to Use (check at Amazon)||0.0|
|Nature's Best Isopure Ready-to-Drink, Passion Fruit (Zero Carb), 20 Ounce/12-Case (check at Amazon)||0.0|
|Natures Best Isopure Zero Carb Ready-to-Drink, Coconut, 20 Fl Oz (Pack of 12) (check at Amazon)||0.0|
|Natures Best Isopure Zero Carb Ready-to-Drink (check at Amazon)||0.0|
|Nature's Best Isopure Ready-to-Drink, Blue Raspberry (Zero Carb), 20-Ounce/12-Case (check at Amazon)||0.0|
|Nature's Best Isopure Ready-to-Drink, Pineapple Orange Banana (Zero Carb), 12 Count (check at Amazon)||0.0|
|Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (check at Amazon)||0.0|
|Ready, Fire, Aim: Zero to $100 Million in No Time Flat (check at Amazon)||0.0|
|The Grammar Teacher's Activity-a-Day: 180 Ready-to-Use Lessons to Teach Grammar and Usage (check at Amazon)||0.0|
|Are You Ready to Play Outside? (An Elephant and Piggie Book) (check at Amazon)||0.0|
|Are You Ready to Start Your Own Business?: A Sanity Check for Those Who Dream of Self-Employment $9.99 (check at Amazon)||5.0|
|Zero-Day Exploit:: Countdown to Darkness (Cyber-Fiction) (check at Amazon)||0.0|
Hackers are Ready to Exploit Zero-Day Flaws; Companies are Slow to Act have 2089 words, post on readwrite.com at February 27, 2019. This is cached page on USA Breaking News. If you want remove this page, please contact us.