As businesses take ever greater steps to secure their corporate networks and protect themselves from hackers and viruses, the writers of such malicious programmes have become more keenly focused on exploiting previously unidentified vulnerabilities that will allow them to bypass the security measures already in place. The tools they use have also grown increasingly sophisticated allowing more frequent and harmful attacks, that have more in common with traditional terrorist attacks in their unpredictability and severity, and their often indiscriminate choice of victim.
Organizations need to be aware of the huge potential damage a successful Zero Day attack could cause to their organization, and take effective measures to minimize the harm caused. Prevention rather than cure is the key to surviving this new threat.
So what kind of attacks fall under the banner of 'Zero Day'? The name refers to the very first point at which a vulnerability is identified, or a virus, worm or Trojan unleashed. It is at this point that no preventative patches have yet been issued, and anti-virus software has not been programmed to deal with the offending code. This is what makes Zero Day attacks so dangerous. The attacks are unexpected and also untreatable for some time, allowing them to be exploited or spread with impunity while a suitable 'cure' is found and implemented. This window of vulnerability dramatically increases the number of affected systems as well as the severity of the damage caused to those affected. Research shows that Internet Explorer users can be open to potential attack without a cure for an incredible 5 weeks while waiting for the latest vulnerability to be patched.
Zero Day attacks can also include denial of service (DoS) attacks, whereby a website or server is bombarded with so much internet traffic that it cannot cope with the volume and shuts down. In all of these scenarios, the key point is that these kind of attacks mark a real change in the nature of internet-borne threats. Today it is the unknown that is causing the problems, rather than the expected tides of viruses and hacking attempts that organizations have become used to.
Zero Day attacks are so hard to prevent because they involve vulnerabilities that have not been discovered yet – so how are they to be protected? Research firm Qualys found that it takes 21 days for a business to fix just 50% of its systems that are vulnerable to a particular worm or attack, showing exactly how disruptive these new threats can be. The timing of the attacks has also become very unpredictable, moving away from significant dates and celebrations to seemingly random times that depend on nothing other than when a vulnerability has been identified. This is compounded by the increasing financial incentive for such attacks, with large online transactional businesses such as casinos increasingly at risk of blackmail to avoid a DoS attack or compromising hack.
All these factors make 'prevention rather than cure' sound like a hopeless cause, but there are ways to ensure that an organization is better protected. Put simply, relying on a firewall is not enough. Firewalls, while an essential part of an integrated security solution, will only protect users from known threats that can be identified at the network perimeter and refused access. What is needed is a comprehensive system that allows both immediate and automatic implementation of patching as soon as it becomes available, combined with a multi-layered defensive strategy that uses all the technology available to ensure that only authorized users are granted access to the network (thus preventing entry by hackers), and monitor traffic for any signs of malicious code. Behavioural analysis is key to anticipating which types of traffic pose a threat, while signature-based intrusion prevention can limit exposure even further.
This kind of holistic defensive strategy adds a proactive dimension to firewall protection, and ensures that the effects of Zero Day attacks can be minimized by making the window of vulnerability as small as possible. When you're dealing with the unknown, it pays to get to know your enemy as well as possible, as quickly as possible, and to use what you learn to prepare for the next time around.
The author is UK MD of Sygate.