Customers Got Zero-Day Panic? Keep Calm, Keep Patching
By Chester Wisniewski
2015 was a record year for data breaches, both in terms of the number of leaked and stolen records and the amount of money the attacks cost victims. The breaches generated news headlines, with pundits repeating dire warnings over just how difficult it is to defend against sophisticated attackers who leverage zero-day threats. No wonder you probably got a few calls from customers asking, “Are we secure?”
While I don’t want to downplay the potential damage a zero-day attack can cause, I do want to remind all security industry professionals – including solutions providers, CSOs and security administrators – that zero days are a very small percentage of all attacks. I tracked incidents using zero-day exploits from October 2014 to October 2015 and discovered that more than half were used only in a targeted attack against one organization. Of the remaining four, only one was used in a widespread manner.
That means you need to keep up with the basics: updating systems with the latest patches, encrypting data and regular user education.
The most recent Verizon Data Breach Investigations Report (DBIR) confirms this. The initial DBIR in 2008 reported that the overwhelming majority of attacks exploited known vulnerabilities and that, in most of those cases, the patch had been available for months prior to the breach.
Fast forward to today, and things haven’t changed. The 2015 DBIR reveals that 99.9 percent of exploited vulnerabilities had been compromised more than a year after the associated patch was released.
To quote from the report, “Apparently, hackers really do still party like it’s 1999.”
Encryption a Must
Having made the case that you’re unlikely to be hit by a zero-day, I still recommend you help customers prepare for any attack that patching cannot stop. Applying patches quickly enough and across all devices is nearly impossible, so we must prepare for compromise.
That means encryption. Although most traffic to external sites utilizes HTTPS now, too many organizations still leave sensitive information at risk on their own networks. We surveyed 1,700 IT decision makers around the world and asked them what types of data their organizations encrypt, and why they don’t always encrypt everywhere. We found that nearly one-third (30 percent) fail to always encrypt their own corporate financial information, and 41 percent inconsistently encrypt files containing valuable intellectual property, despite the increasing risks of economic espionage.
Another red flag: Many organizations don’t recognize that the different types of encryption – full-disk and file – are not and should not be mutually exclusive. Full-disk encryption protects lost or stolen devices, but can’t protect the data once the user logs in or shares the content.
File-level encryption is often necessary and complementary so that data is always protected: at rest, in transit and when stored off-device. Yet only 36 percent of respondents said they use both full-disk and file encryption.
As more businesses migrate applications from the data center to the cloud, the risk of loss or theft increases. While 80 percent of the companies we polled are using cloud storage, only 39 percent encrypt all files they store in the cloud.
Recommendations
Sophisticated and targeted zero-day attacks like the one against Sony Pictures are devastating. Before you worry about prepping customers for a zero-day attack, make sure you’re protecting their information and systems against the vast majority of threats:
- Be stringent about making sure customers stay up-to-date on all patches.
- Ensure data is encrypted at rest and in motion across, and out of, the network.
- Schedule regular education sessions for all users on best practices, such as verifying messages are genuine before opening attachments or clicking links.
Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at [email protected].
