Tenable declares there are far worse security threats to fear than zero-day exploits

‘If you’re scared of zero-days, you don’t know what you’re talking about’ claims Tenable

Zero-day exploit

There's "a lot of bulls**t when it comes to cyber security" Gavin Millard, VP intelligence at Tenable, claimed at the company's Edge event, but chief among all of it is the unjustified fear of zero-day exploits.

There's a lot of focus on the potential catastrophe that can arise with a zero-day exploit inside a business' systems, and in the case of WannaCry, entire countries. However, Millard noted that "in reality, it's the same stuff that's being leveraged all the time". This is evidenced by the top four vulnerabilities being targeted by attackers right now.

According to Oliver Rochford, director of research at Tenable, three of the most targeted vulnerabilities are in Adobe Flash - a technology most browsers have abandoned - and the last is in Internet Explorer, a browser which is due to go end-of-life next year and no longer ships as the default browser on Windows machines.

It's these unexceptional vulnerabilities that security teams need to be stressing over, not the "sexy" zero-days, as Millard put it.

Exemplifying this, the researchers discovered that attackers would have a working exploit a week before the defenders could even detect it in a scan. This was the case in 50 of the most critical vulnerabilities that featured in a recent Tenable study. "This just shows you that this focus on zero-days is kind of pointless," Rochford added.

In fact, it's the "three-month-days" that can be the most damaging, according to Millard. WannaCry is a good example of this as it exploited vulnerabilities that were disclosed and patched, supposedly, months before the attack took place.

The same goes for NotPetya, both attacks can be traced back to one vulnerability (MS17-010) and in neither case was it a zero-day. This vulnerability was allegedly first discovered by the NSA but then was stolen by The Shadow Brokers (TSB), Millard said.

It's also alleged that the NSA tipped off Microsoft after it realised it had lost the exploits to TSB, allowing Microsoft to create a patch for it. Said patch was released on 14 March 2017, TSB disclosed the vulnerability a month later and then WannaCry hit on 12 May 2017, three months after Microsoft patched the issue.

Millard said the vulnerabilities were patched and organisations had tools that allowed them to identify the systems still open to attack, so nothing should have gone wrong, but it did.

The story of this vulnerability not only highlights how zero-days aren't the threats to be worried about but also emphasises the importance of effective patch management.

Malware is a careful craft

Away from the criticisms of security teams' beliefs, Rochford said that it doesn't matter how a vulnerability is exploited, it's going to happen; there's very little we can do stop it and cyber crime in general.

This is due to how lucrative the field is and the investment it would take to dwarf the revenue created by cyber crime. Citing statistics from Gartner, Rochford said cyber crime revenue is more than ten times the amount spent on cyber security, so the defenders must work smarter in order to keep up with the wealthy criminals.

The revenue generated by cyber crime is estimated at $1.5 trillion (1.17 trillion) while the amount spent to defend against the black hats is just $136 billion (105.7 billion). It's easy to see how lucrative the field is when you understand that even if just 0.05% of ransomware victims pay the criminals, their ROI soars to greater than 500%.

But it's not just enough to launch ransomware campaigns and expect massive payouts, it's important to create a campaign that's effective, but quiet enough to avoid too much attention. "There's a sweet spot in monetising it without wanting to be too public so that you can really sustain it," said Rochford.

Cyber crime is all about monetisation now, gone are the days where in the early 1990s people would just break into networks for fun. Millard mentioned Fluffy Bunny, a hacker in the late 90s who used to "pop really famous websites... and it was basically graffiti - there was no monetisation".

There's serious money to be made now. It's a trillion-dollar industry that isn't slowing down and cyber security teams are just playing catch up.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

What is shoulder surfing?
Security

What is shoulder surfing?

19 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
Microsoft releases two emergency Windows patches
Security

Microsoft releases two emergency Windows patches

19 Oct 2020
Weekly threat roundup: Windows 10, Adobe, and SonicWall VPNs
Security

Weekly threat roundup: Windows 10, Adobe, and SonicWall VPNs

16 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020