Tenable declares there are far worse security threats to fear than zero-day exploits

‘If you’re scared of zero-days, you don’t know what you’re talking about’ claims Tenable

Zero-day exploit

There's "a lot of bulls**t when it comes to cyber security" Gavin Millard, VP intelligence at Tenable, claimed at the company's Edge event, but chief among all of it is the unjustified fear of zero-day exploits.

There's a lot of focus on the potential catastrophe that can arise with a zero-day exploit inside a business' systems, and in the case of WannaCry, entire countries. However, Millard noted that "in reality, it's the same stuff that's being leveraged all the time". This is evidenced by the top four vulnerabilities being targeted by attackers right now.

Advertisement - Article continues below

According to Oliver Rochford, director of research at Tenable, three of the most targeted vulnerabilities are in Adobe Flash - a technology most browsers have abandoned - and the last is in Internet Explorer, a browser which is due to go end-of-life next year and no longer ships as the default browser on Windows machines.

It's these unexceptional vulnerabilities that security teams need to be stressing over, not the "sexy" zero-days, as Millard put it.

Exemplifying this, the researchers discovered that attackers would have a working exploit a week before the defenders could even detect it in a scan. This was the case in 50 of the most critical vulnerabilities that featured in a recent Tenable study. "This just shows you that this focus on zero-days is kind of pointless," Rochford added.

Advertisement - Article continues below

In fact, it's the "three-month-days" that can be the most damaging, according to Millard. WannaCry is a good example of this as it exploited vulnerabilities that were disclosed and patched, supposedly, months before the attack took place.

Advertisement - Article continues below

The same goes for NotPetya, both attacks can be traced back to one vulnerability (MS17-010) and in neither case was it a zero-day. This vulnerability was allegedly first discovered by the NSA but then was stolen by The Shadow Brokers (TSB), Millard said.

It's also alleged that the NSA tipped off Microsoft after it realised it had lost the exploits to TSB, allowing Microsoft to create a patch for it. Said patch was released on 14 March 2017, TSB disclosed the vulnerability a month later and then WannaCry hit on 12 May 2017, three months after Microsoft patched the issue.

Millard said the vulnerabilities were patched and organisations had tools that allowed them to identify the systems still open to attack, so nothing should have gone wrong, but it did.

The story of this vulnerability not only highlights how zero-days aren't the threats to be worried about but also emphasises the importance of effective patch management.

Malware is a careful craft

Away from the criticisms of security teams' beliefs, Rochford said that it doesn't matter how a vulnerability is exploited, it's going to happen; there's very little we can do stop it and cyber crime in general.

Advertisement - Article continues below

This is due to how lucrative the field is and the investment it would take to dwarf the revenue created by cyber crime. Citing statistics from Gartner, Rochford said cyber crime revenue is more than ten times the amount spent on cyber security, so the defenders must work smarter in order to keep up with the wealthy criminals.

The revenue generated by cyber crime is estimated at $1.5 trillion (1.17 trillion) while the amount spent to defend against the black hats is just $136 billion (105.7 billion). It's easy to see how lucrative the field is when you understand that even if just 0.05% of ransomware victims pay the criminals, their ROI soars to greater than 500%.

But it's not just enough to launch ransomware campaigns and expect massive payouts, it's important to create a campaign that's effective, but quiet enough to avoid too much attention. "There's a sweet spot in monetising it without wanting to be too public so that you can really sustain it," said Rochford.

Advertisement - Article continues below

Cyber crime is all about monetisation now, gone are the days where in the early 1990s people would just break into networks for fun. Millard mentioned Fluffy Bunny, a hacker in the late 90s who used to "pop really famous websites... and it was basically graffiti - there was no monetisation".

There's serious money to be made now. It's a trillion-dollar industry that isn't slowing down and cyber security teams are just playing catch up.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020

Scammers leverage contact-tracing in hacking attempt

27 May 2020

GitLab phished its employees and 20% handed over credentials

26 May 2020
cyber security

Governments urged to work together to stop health care cyber attacks

26 May 2020

Most Popular

Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020

Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020