Tenable declares there are far worse security threats to fear than zero-day exploits

‘If you’re scared of zero-days, you don’t know what you’re talking about’ claims Tenable

Zero-day exploit

There's "a lot of bulls**t when it comes to cyber security" Gavin Millard, VP intelligence at Tenable, claimed at the company's Edge event, but chief among all of it is the unjustified fear of zero-day exploits.

There's a lot of focus on the potential catastrophe that can arise with a zero-day exploit inside a business' systems, and in the case of WannaCry, entire countries. However, Millard noted that "in reality, it's the same stuff that's being leveraged all the time". This is evidenced by the top four vulnerabilities being targeted by attackers right now.

Advertisement - Article continues below

According to Oliver Rochford, director of research at Tenable, three of the most targeted vulnerabilities are in Adobe Flash - a technology most browsers have abandoned - and the last is in Internet Explorer, a browser which is due to go end-of-life next year and no longer ships as the default browser on Windows machines.

It's these unexceptional vulnerabilities that security teams need to be stressing over, not the "sexy" zero-days, as Millard put it.

Exemplifying this, the researchers discovered that attackers would have a working exploit a week before the defenders could even detect it in a scan. This was the case in 50 of the most critical vulnerabilities that featured in a recent Tenable study. "This just shows you that this focus on zero-days is kind of pointless," Rochford added.

Advertisement
Advertisement - Article continues below

In fact, it's the "three-month-days" that can be the most damaging, according to Millard. WannaCry is a good example of this as it exploited vulnerabilities that were disclosed and patched, supposedly, months before the attack took place.

Advertisement - Article continues below

The same goes for NotPetya, both attacks can be traced back to one vulnerability (MS17-010) and in neither case was it a zero-day. This vulnerability was allegedly first discovered by the NSA but then was stolen by The Shadow Brokers (TSB), Millard said.

It's also alleged that the NSA tipped off Microsoft after it realised it had lost the exploits to TSB, allowing Microsoft to create a patch for it. Said patch was released on 14 March 2017, TSB disclosed the vulnerability a month later and then WannaCry hit on 12 May 2017, three months after Microsoft patched the issue.

Millard said the vulnerabilities were patched and organisations had tools that allowed them to identify the systems still open to attack, so nothing should have gone wrong, but it did.

The story of this vulnerability not only highlights how zero-days aren't the threats to be worried about but also emphasises the importance of effective patch management.

Malware is a careful craft

Away from the criticisms of security teams' beliefs, Rochford said that it doesn't matter how a vulnerability is exploited, it's going to happen; there's very little we can do stop it and cyber crime in general.

Advertisement - Article continues below

This is due to how lucrative the field is and the investment it would take to dwarf the revenue created by cyber crime. Citing statistics from Gartner, Rochford said cyber crime revenue is more than ten times the amount spent on cyber security, so the defenders must work smarter in order to keep up with the wealthy criminals.

The revenue generated by cyber crime is estimated at $1.5 trillion (1.17 trillion) while the amount spent to defend against the black hats is just $136 billion (105.7 billion). It's easy to see how lucrative the field is when you understand that even if just 0.05% of ransomware victims pay the criminals, their ROI soars to greater than 500%.

But it's not just enough to launch ransomware campaigns and expect massive payouts, it's important to create a campaign that's effective, but quiet enough to avoid too much attention. "There's a sweet spot in monetising it without wanting to be too public so that you can really sustain it," said Rochford.

Advertisement - Article continues below

Cyber crime is all about monetisation now, gone are the days where in the early 1990s people would just break into networks for fun. Millard mentioned Fluffy Bunny, a hacker in the late 90s who used to "pop really famous websites... and it was basically graffiti - there was no monetisation".

There's serious money to be made now. It's a trillion-dollar industry that isn't slowing down and cyber security teams are just playing catch up.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement
Advertisement

Recommended

Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020
BlackRock banking Trojan targets Android apps
trojans

BlackRock banking Trojan targets Android apps

27 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020