“Think fast! You’re about to be hit,” sounds like a schoolyard challenge. But IT administrators know that the next worm or virus could rip through their systems with just as little warning.
In fact, the time it takes for a known vulnerability to be exploited by some sort of malware has fallen precipitously in the past three years. From the time that the vulnerability became known, the Slammer worm took six months to hit, Sasser took three weeks, and the Witty worm took two days. One of 2005’s best-known worms, Zotob, started making the rounds six days after the vulnerability was identified.
Today, many IT security observers believe that zero-day attacks are imminent – if, in fact, they haven’t already happened.
Zero-day attack refers to the propagation of a virus, worm or hack targeted at a specific vulnerability on the same day that the vulnerability becomes known. In other words, there are zero days to respond to such an attack. In fact, the attack itself may just be how administrators learn that there is a vulnerability.
Eli Dezelak, senior product manager with the Telus Business Resiliency team, a Telus Business Solutions unit, says such attacks may have already occurred, but the impact might have been so minor that no one noticed, or bothered to report it.
“The real question is when will a very prominent attack happen,” he points out. “If it happened tomorrow, I wouldn’t be surprised.”
In contrast to the speed that worms are currently being developed and deployed, it takes companies 54 days on average to patch their machines, according to Dezelak.
This lag is simply due to the large number of machines to be maintained and the multitude of patches being issued by vendors. In addition, companies need to ensure the stability and impact of patches before applying them, and they can’t impede normal business activities in the process.
The zero-day scenario implies that there is nothing companies can do to anticipate an attack when they don’t even know what the vulnerability is. But does zero-day mean that there is nothing they can do?
Dr. Clemens Martin, associate professor at the University of Ontario Institute of Technology, and director of the university’s IT Programs and Hacker Research Lab, is not optimistic.
“There isn’t much that companies can actually do,” he says. “It really depends on how the zero-day attack will be crafted and what vulnerability will be exploited. If we’re lucky, it will exploit a widely spread vulnerability that doesn’t affect systems that are too critical. But it could just as well be in some very critical infrastructure, and that will be really problematic.”
Like many security experts, IDC Canada’s vice president of security research, Joe Greene, believes “the cure is really prevention” – in particular, prevention through effective technology.
According to Greene, a promising approach is the one taken by Telus Corp. with its recently released End Point Data Security Agent based on Cisco Systems technology, one of a new breed of security tools that uses anomaly detection to spot malicious exploits.
Martin agrees. “Probably the best defense will be to work with anomaly-based host and network intrusion detection systems that can react to something that they have not seen before.”
As the name implies, the End Point Data Security Agent may be installed on almost any end point in a network including workstations, servers and network access points. Its job is to look for malicious activity or suspicious behavior and stop that behavior from happening.
Although the effect is similar to the action of a firewall, explains Dezelak, it goes much deeper than a firewall. It is able to look at activity within specific applications (e.g. Word) rather than just packets. End Point Data Security Agent also looks at activity in OS kernels or any other process it is directed to monitor.
The software doesn’t rely on the detection of known signatures or the application of patches to be effective. It just monitors the machine’s behavior for anomalies. Administrators may set up the system to send alerts to the user and a central administrator when specific behaviors are detected.
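As an added illustration (not Telus or Cisco code, and not how the End Point Data Security Agent is implemented), the following Python sketches the signature-free, behaviour-baseline idea the article describes: learn what each process normally does during a quiet period, then alert on anything outside that profile, whether or not a patch or signature exists for it. All process names, paths and events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (process, action, target). Not real telemetry.
BASELINE_EVENTS = [
    ("winword.exe", "file_write", "C:/Users/alice/Documents/report.doc"),
    ("winword.exe", "file_read", "C:/Program Files/Microsoft Office/normal.dot"),
    ("winword.exe", "net_connect", "update.example.com:443"),
    ("sqlservr.exe", "net_listen", "0.0.0.0:1433"),
    ("sqlservr.exe", "file_write", "D:/MSSQL/DATA/db.mdf"),
]

# Constructed "live" events; two of them fall outside the learned profile.
LIVE_EVENTS = [
    ("winword.exe", "file_write", "C:/Users/alice/Documents/memo.doc"),
    ("winword.exe", "spawn_process", "C:/Windows/System32/cmd.exe"),
    ("sqlservr.exe", "net_connect", "192.0.2.7:4444"),
    ("sqlservr.exe", "net_listen", "0.0.0.0:1433"),
]


def _generalise(action, target):
    """Reduce a target to the granularity we baseline on: the directory for
    file actions, the full endpoint for network and process actions."""
    if action.startswith("file_"):
        return target.rsplit("/", 1)[0]
    return target


class BehaviorBaseline:
    """Per-process profile of action -> generalised targets seen while
    learning. No signatures: anything outside the profile is an anomaly."""

    def __init__(self):
        self.profile = defaultdict(lambda: defaultdict(set))

    def learn(self, events):
        for proc, action, target in events:
            self.profile[proc][action].add(_generalise(action, target))

    def check(self, event):
        """Return None if the event matches the baseline, else an alert dict."""
        proc, action, target = event
        actions = self.profile.get(proc)  # .get() does not create an entry
        if actions is None:
            return {"event": event, "reason": "unknown process"}
        if action not in actions:
            return {"event": event, "reason": f"new behaviour: {action}"}
        if _generalise(action, target) not in actions[action]:
            return {"event": event, "reason": f"new target for {action}"}
        return None


def scan(baseline, events):
    """Run every event through the baseline; return only the alerts."""
    return [a for a in (baseline.check(e) for e in events) if a]
```

In practice the learning window must itself be clean and the profile rebuilt when software legitimately changes, or the agent will either miss real anomalies or drown administrators in false alerts.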
Many companies have a security operations centre, or use outside experts to provide security-monitoring services. Such products may be a good complement to intrusion detection systems used by these services.
Having in-house expertise is also a distinct advantage, according to Martin. “Companies that have a trained team on staff that deals with security issues, and knows what an attack looks like, will have the advantage of being able to react more quickly.”
It’s also important to stay informed and active in the security community, he says. Several industry and law enforcement groups do worldwide threat monitoring and are aware of new exploits. These are excellent places to get information as quickly as possible.
Both Greene and Martin agree that there is only so much that companies can do. Software and hardware vendors also have a critical role in mitigating the effects of a zero-day attack.
As Greene puts it, “A lot of the producers of hardware and software on the market today have got to be much more vigilant about supplying products that don’t have holes, that don’t give us vulnerabilities.”
An additional measure, suggests Martin, is to avoid a system monoculture — admittedly a long-term strategy. While vulnerabilities exist on all systems, a healthy mix of equipment from several vendors may help reduce the risk of the entire system going down in the event of an attack.
One tactic that all recommend unreservedly is to ensure that a good disaster recovery system is in place, including backups of all critical data.