August 14, 2014

Zero Days Explained

In today's Whiteboard Wednesday, Trey Ford, Global Security Strategist at Rapid7 will discuss zero days.

Trey will discuss how zero days are discovered in the wild and how attackers take advantage of these unknown exploits for personal gain.

Hi, I'm Trey Ford, Global Security Strategist with Rapid7. In this week's Whiteboard Wednesday, we're going to talk about zero-days. What is a zero-day? A zero-day is effectively a vulnerability that has no known fix. Sounds like the end of the world, like a worst-case scenario. I'm not going to say it's not a big deal, but the sky isn't falling.

Maria does a great job with these graphics. I don't think about this as aliens coming after us. This isn't something that we have no known defense for. A zero-day vulnerability is something a researcher found for which there's no patch available. These notifications happen all the time, and we need to be aware that those things are happening. Understand that finding a 0-day requires a certain level of expertise, a certain set of skills and knowledge, and the population of people that are looking for these vulnerabilities is surprisingly small. It takes a lot of expertise. That also means the market value for a 0-day is extremely high.

So, whether you're talking about a coordinated disclosure program or a bug bounty program, white hat security researchers, the good guys, will be working to help find fixes and communicate these back to the manufacturers and the software companies. There's also a market where these 0-day vulnerabilities will be sold to criminals or to governments or for other purposes. Not passing judgment on that, but you need to be aware that they exist. You also need to know their prices; they're extremely valuable. Some of them range from $50 to $100 grand, sometimes more, sometimes less, but know that the boogeyman's not coming after you. This isn't some alien force you can't stop.

They're not going to burn a 0-day on just anybody. They're not going to cast a really wide net. The more they use the 0-day, the more likely it's going to be found and patched, and the value of that 0-day will be brought to zero. So know that whether you're talking about a government entity that's potentially interested in governmental negotiation or a diplomatic engagement, or if we're talking about corporate espionage, where they're looking for trade secrets or trying to steal the secret blend of herbs and spices from KFC, they're coming after something very specific. So over time the 0-day is going to lose its value.

The other thing to keep in mind is that 0-day vulnerabilities are going to exist in software. Anything running software that's connected to the network and may be accessible is going to have vulnerabilities inside of it. It's built by humans. It's going to have weaknesses. So don't let a 0-day necessarily scare you or drive your process. Build that in, be aware, and make sure you rotate layers of security.

Finally, when you hear about a 0-day bulletin that comes out, take a look at the software package, what the dependencies are, what the known information is about it, and then take a look at your vulnerability management solution. It might be Nexpose or something else. Take a look, and if it's, say, Apache or MySQL, go find out what platforms it runs on, what the conditions are, and then compare that to your vulnerability scan data. Figure out how to contain it and how to manage it. My name's Trey Ford with Rapid7. We'll talk to you next week.
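The triage step Trey describes at the end (take the bulletin's product, version conditions and platforms, then compare them against your scan data) as an added, stand-alone example; this is not Rapid7 or Nexpose code, and the bulletin, host inventory and field names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Bulletin:
    """What a 0-day advisory usually gives you: product, affected range, platforms."""
    product: str
    affected_from: str          # first affected version (inclusive)
    fixed_in: Optional[str]     # first fixed version (exclusive); None = no patch yet
    platforms: Set[str]         # OS families the vulnerable code actually runs on


@dataclass
class Asset:
    """One row exported from a vulnerability scanner's software inventory."""
    host: str
    os: str
    product: str
    version: str
    internet_facing: bool


def parse_version(v: str) -> tuple:
    """Turn '2.4.7-3ubuntu1' into (2, 4, 7, 3, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(b: Bulletin, a: Asset) -> bool:
    """True only if product, platform and version all satisfy the bulletin's conditions."""
    if a.product.lower() != b.product.lower() or a.os not in b.platforms:
        return False
    v = parse_version(a.version)
    if v < parse_version(b.affected_from):
        return False
    return b.fixed_in is None or v < parse_version(b.fixed_in)


def triage(b: Bulletin, assets: List[Asset]) -> List[str]:
    """Hosts matching the bulletin, internet-facing ones first (contain those first)."""
    hits = [a for a in assets if is_affected(b, a)]
    return [a.host for a in sorted(hits, key=lambda a: (not a.internet_facing, a.host))]


# Constructed sample data: a hypothetical advisory and a five-host inventory.
BULLETIN = Bulletin("apache-httpd", "2.4.0", None, {"linux", "windows"})
ASSETS = [
    Asset("web01", "linux", "apache-httpd", "2.4.7-3ubuntu1", True),
    Asset("db01", "linux", "mysql", "5.6.20", False),
    Asset("intra02", "windows", "apache-httpd", "2.4.10", False),
    Asset("legacy03", "linux", "apache-httpd", "2.2.31", False),
    Asset("bsd04", "freebsd", "apache-httpd", "2.4.9", True),
]
```

Once a vendor fix ships, setting `fixed_in` to that version drops the already-patched hosts from the list, so the same helper tracks the bulletin from 0-day to remediation.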
