When zero-day vulnerabilities, or zero-days for short, make headlines, cybersecurity professionals around the world scramble to mitigate them because they understand how severe the consequences of failing to act in a timely manner can be, for a zero day vulnerability.
Since 2014, Google’s Project Zero team has been looking for zero-day vulnerabilities in the wild to help defenders keep up with cybercriminals. Despite its ongoing efforts, zero-day vulnerabilities continue to be among the most impactful cyber threats, and the team’s latest findings reveal that the situation is not getting any better.
6 Critical Cybersecurity Policies Every Organization Must Have
Zero-Days Have Reached Record Numbers
Between 2015 and 2020, the number of detected zero-day vulnerabilities has remained relatively flat, hovering somewhere around 25. Last year, however, the Project Zero team detected 58 zero-days, an increase of 132 percent compared with the year before.
“We believe the large uptick in in-the-wild zero-days in 2021 is due to increased detection and disclosure of these zero-days, rather than simply increased usage of 0-day exploits,” writes the team.
In other words, the number of detected zero-day vulnerabilities has gone up because software vendors are reporting them more often. Apple and Google Android, for example, have been disclosing and labeling zero-days only since November 2020 and January 2021 respectively.
This is both good and bad news. It’s good news because it means that software organizations large and small we rely on aren’t getting worse in terms of security. But it’s bad news because there are still many, many software vendors that have yet to start reporting zero-days.
Until that happens, a substantial portion of successfully exploited zero-days will likely go unnoticed, and the customers of such vendors will be the ones paying the highest price.
Same Tricks, Same Results
Zero-day vulnerabilities are widely considered to be one of the most sophisticated weapons attackers have at their disposal. Given their nature, it makes sense to assume that these weapons are one-use only.
In reality, the findings published by the Project Zero team show that cybercriminals keep using the same tricks instead of constantly inventing new exploitation methods.
Using these well-known techniques, attackers in 2021 were able to exploit everything from web browsers like Google Chrome, Safari, and Internet Explorer to the Windows operating system to Microsoft Exchange Server—the software most enterprises and SMBs alike rely on every single day.
The reason why the same tricks keep getting attackers the same results is simple: software vendors and their software users keep making the same cybersecurity mistakes.
Zero-Day Attack Prevention Tips
“To successfully exploit a vulnerability, there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful),” explains the Project Zero team.
An effective zero–day attack prevention strategy must address both the vulnerability itself and the exploitation method by focusing on:
- Software vendor evaluation: Companies like Microsoft and Adobe have been properly disclosing zero-day vulnerabilities for many years now, but others haven’t been equally well-behaved. Before partnering with any software vendor, organizations should perform an in-depth evaluation to determine if they can count on the vendor to let them know that a zero-day has been discovered.
- Continuous risk-based patching: Most software vendors rush to patch discovered zero-day vulnerabilities because they are deeply familiar with their implications. Instead of delaying patching in the name of productivity, organizations should do the same and install available patches as soon as possible, in the order of their importance.
- Cybersecurity awareness training: Zero-day attacks frequently start with phishing emails that are supposed to convince employees to download and launch an infected file, and the most effective protection against phishing is cybersecurity awareness training.
- The principle of least privilege: Just like you don’t use only one key to unlock all doors in your office building, one set of login credentials shouldn’t grant unrestricted access to your network. Practicing the principle of least privilege makes it far more difficult for attackers to turn a zero-day vulnerability into something useful.
- Incident response plan: It’s always a good idea to plan for the worst. A comprehensive incident response plan can help ensure a quick and uniform response to any type of external threat, including a zero-day attack.
These five zero-day attack prevention tips alone can make a huge difference, but it’s paramount to put them into practice sooner rather than later.
Conclusion on Zero Day Vulnerabilities
Zero-day vulnerabilities are among the most dangerous cybersecurity threats out there, but the collective effort of software vendors and software users to protect themselves against them still leaves a lot to be desired.
Fortunately, there are several steps that any organization can easily take, and we at OSIbeyond are here to help.