Prudence over panic


From intelligence reports and breaking news to vendor security alerts, cybersecurity and IT personnel are inundated with news about the latest zero-day warnings, alerts and alarms. While the response process is the same for any vulnerability, zero-day vulnerabilities tend to trigger a heightened sense of urgency within an organization, leading to tighter timelines, less testing, and a more aggressive stance that is usually based on fear, uncertainty and doubt.

In these cases, that hyper-focus on the zero-day tends to negatively impact or blunt an organization's response to vulnerability management in general.

Zero-day vulnerabilities have become commonplace, targeting major companies and applications that millions of users rely on every day. From Adobe to Microsoft, no vendor is safe from vulnerabilities in their software, and every organization that relies on software is a target. The frequency and potential consequences of a successful zero-day attack ensure that they often become the primary focus of cybersecurity professionals and IT personnel. But are we too focused on zero-day threats?

1. Balancing the threats and response

Take the recent ransomware outbreak WannaCry as an example. Although it's being treated as an exploitation of a zero-day vulnerability, it's actually a 60-day vulnerability; the patch was released in March 2017. WannaCry demonstrates that cybersecurity analysts and security managers must balance between the immediacy of zero-day exploitation and the risks associated with unresolved, known issues.

In psychology, a phenomenon called weapon focus is a behavior exhibited by a victim of a crime who focuses on the weapon used rather than on details about the assailant. This tunnel vision is innate to us, as we focus on the most immediate threat to life. Many security managers also experience weapon focus when it comes to zero-day vulnerabilities: they perceive the zero-day to be the biggest immediate risk, redirect the majority (or all) of their resources to it, and consequently ignore the plethora of old, open vulnerabilities and configuration issues across the enterprise. The reality is that an organization is more likely to be impacted by old unpatched vulnerabilities in Adobe, Java or Flash than by a newly released zero-day remote code execution vulnerability in the Windows operating system.

When focusing on the newest zero-day, an organization may lose focus on correcting older and less publicized vulnerabilities, testing cycles may be accelerated such that not all business systems or processes are tested, and a patch that is intended to correct the issue may ultimately fail – or worse – cause a new one.

2. What to do

To combat the negative impacts of a zero-day -- not just the impact on your network and systems, but also your business, your processes and mission -- it's critical that organizations use a defined process to evaluate tolerable and acceptable risk of all vulnerabilities as they're discovered. Zero-day vulnerabilities should be assessed and acted on in accordance with the organization's process, just like any other vulnerability.

Lastly, a survey of essential and critical systems and networks across the enterprise would allow for a deeper level of introspective analysis and perspective. These data points, centrally aggregated and normalized, can then be processed using a consistent and repeatable mathematical model to avoid organizational data skewing and other outside influences. Using such a method would provide a quantitative answer -- far more reliable than the gut feeling that many rely on.

Organizations should continue to monitor and review media and intelligence reports for zero-day vulnerabilities, but they should assess them in accordance with existing processes, which should take into account active/passive defenses, asset and configuration management, and the risk acceptance and tolerance of senior leadership. The assessment process should be repeatable to demonstrate consistency, scalability and reliability in the results.
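The repeatable, quantitative model described above, as an added illustration that is not from the article or its author: a small scoring function that weighs asset criticality, active exploitation, exposure, the time a fix has been available, and compensating defenses, then filters against a leadership-set tolerance. The weights, the finding labels and the sample inventory are all constructed assumptions, chosen only to show a 60-day-old known issue outranking a mitigated zero-day.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    vuln_id: str                    # constructed label, not a real advisory id
    asset: str
    criticality: int                # 1 (low) .. 5 (mission critical), from asset management
    patch_released: Optional[date]  # None = vendor has no patch yet (true zero-day)
    exploited_in_wild: bool
    internet_exposed: bool
    controls: int                   # active/passive defenses covering this asset (0..3)


def days_since_patch(f: Finding, today: date) -> int:
    """Days a fix has been available but not applied; 0 for a true zero-day."""
    if f.patch_released is None:
        return 0
    return max((today - f.patch_released).days, 0)


def score(f: Finding, today: date) -> int:
    """Assumed weights; each factor is bounded so no single headline dominates."""
    s = f.criticality * 2
    s += 3 if f.exploited_in_wild else 0
    s += 2 if f.internet_exposed else 0
    if f.patch_released is None:
        s += 2                                         # immediacy of a zero-day
    else:
        s += min(days_since_patch(f, today) // 30, 3)  # each month unpatched, capped
    s -= f.controls                                    # compensating defenses reduce exposure
    return max(s, 0)


def prioritise(findings: List[Finding], today: date, tolerance: int) -> List[Tuple[str, int]]:
    """Return (vuln_id, score) for findings above leadership's tolerance, highest first."""
    scored = [(f.vuln_id, score(f, today)) for f in findings]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [t for t in scored if t[1] > tolerance]


# Constructed sample inventory, dated shortly after the WannaCry outbreak.
TODAY = date(2017, 5, 15)
SAMPLE = [
    Finding("ZERO-DAY-OS", "hr-workstation", 3, None, False, False, 2),
    Finding("KNOWN-SMB", "file-server", 4, date(2017, 3, 14), True, True, 0),
    Finding("OLD-READER", "finance-pc", 3, date(2016, 11, 1), True, False, 1),
]

if __name__ == "__main__":
    for vid, s in prioritise(SAMPLE, TODAY, tolerance=4):
        print(f"{vid:12} {s}")
```

Raising the tolerance argument drops the lower-scoring items, which is how the model reflects senior leadership's stated risk acceptance without changing the ranking.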

By following these tactics, every vulnerability will receive the attention it deserves, allowing analysts and executives to place the appropriate emphasis and resources behind each investigation and resolution, rather than rushing to address zero-day issues that may be less important than older, known vulnerabilities.

About the Author

Marvin Marin is a technical program manager at NetCentrics Corp. and was a 2016 Finalist for the EC-Council Foundation's Chief Information Security Officer of the year.
