Tenable declares there are far worse security threats to fear than zero-day exploits

‘If you’re scared of zero-days, you don’t know what you’re talking about’ claims Tenable


There's "a lot of bulls**t when it comes to cyber security," Gavin Millard, VP intelligence at Tenable, claimed at the company's Edge event, but chief among all of it is the unjustified fear of zero-day exploits.

There's a lot of focus on the potential catastrophe that can arise with a zero-day exploit inside a business' systems, and in the case of WannaCry, entire countries. However, Millard noted that "in reality, it's the same stuff that's being leveraged all the time". This is evidenced by the top four vulnerabilities being targeted by attackers right now.

According to Oliver Rochford, director of research at Tenable, three of the most targeted vulnerabilities are in Adobe Flash - a technology most browsers have abandoned - and the last is in Internet Explorer, a browser which is due to go end-of-life next year and no longer ships as the default browser on Windows machines.

It's these unexceptional vulnerabilities that security teams need to be stressing over, not the "sexy" zero-days, as Millard put it.

Exemplifying this, the researchers discovered that attackers would have a working exploit a week before the defenders could even detect it in a scan. This was the case in 50 of the most critical vulnerabilities that featured in a recent Tenable study. "This just shows you that this focus on zero-days is kind of pointless," Rochford added.

In fact, it's the "three-month-days" that can be the most damaging, according to Millard. WannaCry is a good example of this as it exploited vulnerabilities that were disclosed and patched, supposedly, months before the attack took place.

The same goes for NotPetya: both attacks can be traced back to one vulnerability (MS17-010), and in neither case was it a zero-day. This vulnerability was allegedly first discovered by the NSA but then was stolen by The Shadow Brokers (TSB), Millard said.

It's also alleged that the NSA tipped off Microsoft after it realised it had lost the exploits to TSB, allowing Microsoft to create a patch for it. Said patch was released on 14 March 2017, TSB disclosed the vulnerability a month later and then WannaCry hit on 12 May 2017, three months after Microsoft patched the issue.

Millard said the vulnerabilities were patched and organisations had tools that allowed them to identify the systems still open to attack, so nothing should have gone wrong, but it did.

The story of this vulnerability not only highlights how zero-days aren't the threats to be worried about but also emphasises the importance of effective patch management.

Malware is a careful craft

Away from the criticisms of security teams' beliefs, Rochford said that it doesn't matter how a vulnerability is exploited, it's going to happen; there's very little we can do to stop it, or cyber crime in general.

This is due to how lucrative the field is and the investment it would take to dwarf the revenue created by cyber crime. Citing statistics from Gartner, Rochford said cyber crime revenue is more than ten times the amount spent on cyber security, so the defenders must work smarter in order to keep up with the wealthy criminals.

The revenue generated by cyber crime is estimated at $1.5 trillion (£1.17 trillion) while the amount spent to defend against the black hats is just $136 billion (£105.7 billion). It's easy to see how lucrative the field is when you understand that even if just 0.05% of ransomware victims pay the criminals, their ROI soars to greater than 500%.

But it's not enough just to launch ransomware campaigns and expect massive payouts; it's important to create a campaign that's effective, but quiet enough to avoid too much attention. "There's a sweet spot in monetising it without wanting to be too public so that you can really sustain it," said Rochford.

Cyber crime is all about monetisation now; gone are the days of the early 1990s when people would just break into networks for fun. Millard mentioned Fluffy Bunny, a hacker in the late 90s who used to "pop really famous websites... and it was basically graffiti - there was no monetisation".

There's serious money to be made now. It's a trillion-dollar industry that isn't slowing down and cyber security teams are just playing catch up.
