A zero-day vulnerability is an undiscovered security flaw in a system, device, or application that attackers discover before the vendor does. The term “zero-day” refers to the fact that there is no defense (patch) for it yet, which means the vendor had “zero days” to prepare. 

Forms/types of Zero-Day Vulnerabilities

• A zero-day vulnerability is a potential chink in your armor that exists until it’s patched or repaired. The time it takes to develop, test, and deploy the patch leaves the company vulnerable to attack. 
• A zero-day exploit is a cyber attack that targets the software vulnerability before it can be addressed. 
• A zero-day attack occurs when hackers and malicious actors use the exploit to target a vulnerable system to steal confidential information or damage operations. 

Zero-day attacks usually follow a simple pattern: 

1. First, a hacker uncovers the vulnerability. This can happen in a number of ways – e.g., scanning the company’s system for weaknesses, using malware probes, or even buying a ready-made exploit on the Dark Web. 
2. Next, the hacker writes code that targets that vulnerability and enables them to do what they want, e.g., stealing data or taking over the system. 
3. Finally, they launch their attack, wreaking havoc on the system before the vendor or the antivirus company can take action to fix the problem. 

These attacks are extremely dangerous because: 

• They’re unexpected: Because no one knows about the vulnerability, there’s no defense against it. Antivirus software and security patches are useless if they don’t know what to look for.
• They’re effective: Since there’s no patch, the exploit works every time, giving the hacker complete control.
• They’re often used by sophisticated attackers: Zero-day exploits are expensive and difficult to acquire, so they’re usually used by nation-states, advanced cybercrime groups, or well-funded individuals.ƒ

Think of your computer system as a medieval castle. You have high walls, a moat, and an army of knights protecting it – your antivirus software and other security tools. Now imagine that there is a secret tunnel under the castle that no one knows about. If an enemy finds out about it, they can storm the castle before you can seal it off. The attacks slip past, undetected, bypassing your defenses. Because your army doesn’t know it exists, they can’t respond to it. The attacker has the advantage. 

Just like in the castle analogy, the key challenge in dealing with zero-day attacks is discovering and fortifying against threats that are still unknown to the system’s protectors.

Why should businesses care about zero-day vulnerability?

Unpatched software vulnerabilities can lead to potentially devastating attacks on small and medium-sized businesses. Eighty-three zero-day exploits were reported in 2021 – up more than double from the year before. The increase in cloud-based services and software solutions, as well as the BYOD trend, have likely led to the rise. Unknown vulnerabilities are not the only problem. 

According to a Ponemon Institute survey, 60% of cyberattack victims were compromised due to unpatched vulnerabilities. Even known vulnerabilities as old as 2017 are still being exploited in attacks. This is because, unlike large organizations that have dedicated cybersecurity teams at their disposal, small businesses often have limited resources and expertise to address known and unknown vulnerabilities. Implementing least-privilege and zero-trust policies becomes crucial for these companies as strategies to limit potential damage by limiting user access and requiring verification. 

Zero-day vulnerabilities often appear in the context of multiple cybersecurity frameworks and concepts, including the zero-trust maturity model. 

The Zero Trust Maturity Model (ZTMM) is a framework developed by the Cybersecurity and Infrastructure Security Agency (CISA) to help organizations assess and advance their implementation of a zero-trust security architecture. It essentially provides a roadmap for transitioning from a traditional trust-based approach to a continuous “never trust, always verify” security posture.

Zero-day vulnerabilities can bypass traditional perimeter-based security. Even with least privilege access control, a zero-day exploit could grant attackers elevated privileges within the system.

The zero-trust security model assumes all access requests are potentially malicious and verifies every request based on various factors like user identity, device, context, and authorization level. It aims to minimize the damage of a breach should it occur and restrict access to what’s necessary.

Of course, zero trust alone isn’t enough to stop potential exploits. Employing multiple layers of security, including zero-trust principles, network segmentation, endpoint security, and intrusion detection, is necessary to slow down attackers and limit the damage they can cause.

Related Systems or Technologies

Zero-day vulnerabilities, by their very nature, pose a significant challenge to any security system. These unknown flaws, exploited before developers or security researchers discover them, leave no existing patches or countermeasures, making any system using affected software highly vulnerable.

You can manage and prevent the risks associated with zero-day vulnerabilities through: 

Layered Security: Employing multiple layers of security, including network segmentation, endpoint security, intrusion detection, and zero-trust principles, can slow down attackers and limit the damage they can cause.

Proactive Threat Intelligence: Continuously monitoring for emerging threats and zero-day vulnerabilities through threat intelligence feeds can help prepare for potential attacks and implement proactive defense measures. 

Rapid Patching: Having rapid patching processes in place can help minimize the window of vulnerability once a zero-day is discovered. 

Endpoint Detection and Response (EDR): These tools continuously monitor endpoints (e.g., desktop computers or phones) for suspicious activity and can help detect and contain zero-day attacks before they spread. 

Network Detection and Response (NDR): Similar to EDR, NDR monitors network traffic for malicious activity and can help identify and block zero-day attacks targeting your network infrastructure. 

Sandboxing: Running suspicious applications or code in sandboxed environments can contain potential exploits and prevent them from impacting the broader system. 

Incident Response Planning: Having a well-defined incident response plan in place can help organizations quickly and effectively respond to zero-day attacks and minimize the damage they can cause. 

Managing and preventing zero-day vulnerabilities is an ongoing process. By implementing a holistic approach, even small organizations can significantly improve their security posture and reduce the risk of successful zero-day attacks.

Related Regulations or Compliance Goals

There isn’t a regulation that explicitly mentions “zero-day vulnerabilities,” but existing regulations can still be interpreted to require companies to take reasonable steps to mitigate risks associated with them, including: 

General Regulations

Federal Information Security Modernization Act (FISMA)

FISMA is specifically focused on securing federal government information systems. It requires agencies to implement a continuous vulnerability management program, including timely patching of critical vulnerabilities (which could include zero-day). Additionally, incident response plans need to address potential zero-day threats targeting government systems. While it doesn’t reference zero-day, it places a lot of emphasis on continuous monitoring and mitigation of vulnerabilities, implying consideration of zero-day threats.

Critical Infrastructure Security Agency (CISA) Cybersecurity Framework

CISA is a voluntary framework for enhancing critical infrastructure security. It provides guidance on vulnerability management, incident response, and risk management, all of which are pertinent to addressing zero-day threats. While not legally binding, CISA encourages critical infrastructure operators to adopt the framework, suggesting an implicit consideration of zero-day vulnerabilities. CISA doesn’t mention zero-day vulnerability but emphasizes the need to adopt proactive and adaptive security measures that take emerging threats like zero-day exploits into consideration. 

PCI DSS (Payment Card Industry Data Security Standard)

PCI focuses on protecting credit card data. It requires regular vulnerability scanning and patching, including critical vulnerabilities (which potentially include zero-day). Incident response plans should address the possibility of zero-day exploits targeting payment systems. Again, PCI doesn’t make explicit references to zero-day, but it emphasizes timely patching and incident response, which are strategies related to the mitigation of zero-day exploits. 

Sector-specific regulations

• Healthcare: HIPAA mandates the protection of sensitive healthcare data and indirectly touches upon vulnerability management and incident response, which would apply to zero-day vulnerabilities targeting healthcare systems.
• Finance: The Gramm-Leach-Bliley Act (GLBA) and related regulations mandate financial institutions to safeguard customer financial information. Similar to HIPAA, this involves vulnerability management and incident response procedures relevant to handling zero-day attacks that could target financial systems.

Executive Orders

• Executive Order on Enhancing American Defense Industries and Technologies: This order aims to strengthen the cybersecurity of the defense industrial base. It requires defense contractors to implement secure software development practices and vulnerability management programs, encompassing potential zero-day vulnerabilities in their systems.
• Executive Order on Improving the Nation’s Cybersecurity: This order establishes a national cybersecurity strategy and emphasizes proactive risk management, vulnerability management, and incident response practices. While not explicitly mentioning zero-day vulnerabilities, it reinforces the need for robust security measures that can handle evolving threats like zero-day exploits.