If you’re plugged into the world of cybersecurity, then you’ve most likely come across breathless reports of new “zero-day” vulnerabilities hitting the wild. And, on the surface, these sound terrible… but do you understand what that means?
A zero-day exploit is a significant, but not world-ending, security flaw affecting systems without anyone having noticed them yet. Rather than a cause for worry, these issues call us to remain ever-vigilant against potential security issues and our responses to them.
What Are Vulnerabilities and Exploits?
While we commonly refer to hackers as “attacking” systems, but in security circles, we more accurately refer to hackers exploiting systems. This is because hackers are, in essence, finding different security vulnerabilities in these systems and leveraging them as part of their attacks.
Thus, there is an intimate relationship between the reality of system vulnerabilities and the exploits that arise from them, enabling hackers to infiltrate systems.
Some common categories of vulnerabilities include the following:
- Complex System Interactions: Vulnerabilities emerge as data moves between them for large cloud systems, or systems composed of on-premise and vendor-provided apps and services. This isn’t inevitable, per se, but it’s incredibly difficult to avoid. Understandably, because large and complex systems are harder to manage at the level of data interactions, it’s common for cross-system vulnerabilities to emerge unexpectedly.
- Unpatched or Unaddressed Bugs: Computer systems have bugs, which is often inevitable. A bug is an error in the code or interface that provides a hacker an attack vector based on issues like unsanitized inputs or an unintended exposure of system data. As bugs become known in the wild, developers and tech companies must create and roll out patches to eliminate them, but businesses drag their feet on addressing these bugs more often than one would think.
- Poor Configuration Management: Outside direct bugs, configuration errors related to identity and access management, system interactions or other confidentiality controls can open up a system to attack because, for example, they could allow a hacker different ways to attain elevated permissions as they move laterally through a system.
- Poor User Practices: Simple passwords, passwords reused across multiple platforms, failure to change default passwords, sharing credentials or storing them physically in public spaces… practices that make users’ lives easier also make your system more vulnerable.
- Social Engineering: Outside obviously “bad” or “insecure” user practices are the reality of user manipulation through social engineering. Phishing attacks are some of the most prominent forms of vulnerability globally, and some of the most famous hacks originate from phishing or other social engineering.
Likewise, there are several types of exploits associated with these vulnerabilities:
- Hardware Exploits: As the name suggests, these exploits refer to attacks that leverage access to physical system hardware. This is a rather broad category–hardware vulnerabilities can include physical access to the hardware (like a hacker installing a drop box in a physical server room to bypass remote access security) or firmware attacks (like rewriting hardware firmware on a motherboard or RAM). Some hardware exploits will manipulate the physical reality of a computer system to steal data. For example, the rowhammer exploit will continually rewrite data to an allowed location in memory to instigate soft memory errors that can allow the attacker to escalate their system privileges.
- Software Exploits: We normally think of “hacking,” software exploits come from bugs in software or interactions between different types of software.
- Administrative Exploits: Social engineering, phishing, etc. These exploits leverage gaps in knowledge, operations, or processes around technology and data access.
While these exploits are differentiated by their access points, the reality is that modern hacks often chain together several exploits across different categories. For example, it’s rare that an attacker simply brute-forces their way into a system remotely. Instead, the hacker may spend weeks gathering data on the organization, only then launching spear-phishing attacks against IT staff. Once in the system through an exposed admin account, they can use remote software and hardware exploits to elevate privileges, move laterally through the system and implant tools to automate data collection.
What Is a Zero-Day Exploit?
A special category of exploit is the “zero-day” exploit. If you’ve ever read publications in the security or enterprise IT industries, you’ve probably come across this term about new or emerging security threats. Recent examples include the Log4Shell vulnerability in the Java Log4j logging framework that left Apache web servers vulnerable to attack.
Some of the terms that revolve around the concept “zero-day” include the following:
- Zero-Day Vulnerability: The core vulnerability. Zero-day vulnerabilities haven’t been noticed by the software or hardware manufacturer and, as of yet, remain a threat. In most cases, zero-day vulnerabilities are exposed to relevant parties by security experts like white-hat hackers, security analysts or security specialists inside tech companies that work directly with the technology. The important thing to know about a zero-day is that there is no patch or update yet created for it, so long as it remains zero-day.
- Zero-Day Exploit: Just because the vulnerability exists doesn’t necessarily mean that it is a direct threat… that is, until zero-day exploits start emerging. A zero-day exploit is an exploit that attacks a zero-day vulnerability. This is perhaps the most dangerous kind of exploit–once an exploit like this exists, it is a race against time to patch the vulnerability before the exploit becomes well-known enough for widespread use.
- Zero-Day Attack: Attackers, if they find a zero-day vulnerability, can exploit it before anyone knows that vulnerability even exists. Such zero-day attacks are perilous because they focus on weaknesses that are either completely unknown or, if known, unpatched.
When a zero-day is announced, it’s usually done privately to the affected organization, who may or may not decide to address it based on risk analysis. If large tech enterprises fail to address these vulnerabilities, then some security experts will escalate with public disclosures in the interest of public safety.
What Is the Common Vulnerabilities and Exposures (CVE) Database?
To help security pros address vulnerabilities, especially new zero-days, a database of common terminology and organization of such exploits called the Common Vulnerabilities and Exposures (CVE) exists.
Maintained by the U.S. National Cybersecurity FFRDC and the Mitre Corporation, the CVE database organizes known vulnerabilities with specific identifiers. A CVE ID is assigned to vulnerabilities under certain criteria:
- Independently Fixable: The vulnerability exists independently and not as the result of another vulnerability.
- Affecting a Single Codebase: The flaw only impacts one product or service. For example, Log4Shell had a significant impact on multiple servers, but its impact was limited to the Apache server software platform.
- Documented by Vendor: The vendor has acknowledged and documented the vulnerability. In some cases, the vendor may resist accepting the vulnerability, in which case documentation can occur when the zero-day directly conflicts with established security and privacy standards for that vendor.
Gaining a CVE number is an essential step toward fixing zero-days. They mark a common recognition of the problem, using a shared language and understanding of the threat, with a tacit understanding that someone is working on a fix.
Stay Ahead of Zero-Day and Emerging Exploits with Continuum GRC
In the modern world of compliance and security, it’s not enough to just get by. Enterprises need to stay abreast of the threatening world of evolving security vulnerabilities, including zero-day exploits.
With the Continuum GRC platform, you can combine compliance management, risk management and expert security support with helping you remain proactive, rather than reactive, to existing and zero-day vulnerabilities.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS
- IRS 1075
- COSO SOX
- ISO 27000 Series
And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.