What are Zero-day exploits?

Written By Todd Mitchell

A zero-day vulnerability is a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw. It has the potential to be exploited by cybercriminals.

One approach to resource allocation for cyber defense is to rely on existing cyber defense technologies and concentrate efforts on detecting and mitigating zero-day vulnerabilities.  Based on research allocating a majority of the resources to zero-day attacks is not the best method. One of the first actions in foot printing an organization is information gathering. This includes domain name reconnaissance, searching for email addresses, and port scanning (Weidman, 2014). There are various tools to enable this scanning that are available open source on the internet.

The vulnerabilities found during information gathering on software like Nmap can be used in conjunction with applications like Metasploit to explore and penetrate the network defenses. These types of software combine known vulnerabilities and known exploits, not zero-day attacks, to infiltrate a network. Patching these known vulnerabilities does not always improve the safety of the network against zero-day attacks (Wang, Jajodia, Singhal, Cheng, & Noel, 2014). However, it is much easier to exploit from a known vulnerability.

Research shows that only 11 zero-days were observed in the 1st quarter of 2013 (Popa, 2013). This numbers pales in comparison to the millions of attempted attacks on the pentagon per day. The allocation of resources should be on awareness and correcting known vulnerabilities.

The most dangerous time in a zero-day is actually after the vulnerability is discovered by hackers but before the exploit is elevated to have a security patch coded. In fact, the average vulnerability window of a zero-day exploit is about 10 months (Leyden, 2012).

I could not find any evidence that the damage is more or less from an attack of known or zero-day exploit. I think there would be no difference. The damage would come from the nature of the attack and how successful it was.

References

Leyden, J. (2012). Hackers get 10 MONTHS to pwn victims with 0-days before world+dog finds out. The Register.Popa, M. (2013). Analysis of zero-day vulnerabilities in java. Journal of Mobile, Embedded & Distributed Systems, 5(3), 108-117. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=iih&AN=93618613&site=eds-live&scope=site

Wang, L., Jajodia, S., Singhal, A., Cheng, P., & Noel, S. (2014). k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities. IEEE Transactions on Dependable & Secure Computing, 11(1), 30-44. doi:10.1109/TDSC.2013.24

Weidman, G. (2014).  Penetration Testing: A Hands-On Introduction to Hacking. San Francisco, CA: No Starch Press.

Todd Mitchell
Previous

can’t afford to prevent an attack, wait until you see how much damages cost
Next

How much does data loss cost a business owner?