Time and again, zero-day exploits are the cause of massive data leaks. Protecting against them is a particular challenge in IT security. Learn here what zero-day exploits are, what makes them so dangerous, and what organizations can do to minimize the risk of a zero-day exploit.
What is a zero-day exploit?
Among the numerous IT threats organizations face today, so-called zero days or 0-days (pronounced “oh-day”) are among the most dangerous, because it is practically impossible to secure completely against them. Zero days are previously unknown vulnerabilities in software or a network environment that hackers can use as a starting point for cyberattacks. If such an attack takes place, it is referred to as a zero-day exploit. The attacks often begin via web browsers or e-mails with malware attached.
WatchGuard’s latest Internet Security Report shows that around two-thirds of all malware attacks are zero-day exploits. According to Google, the number of zero days detected in 2021 doubled compared with the previous year.
Criminal hackers are constantly on the lookout for previously undiscovered vulnerabilities with which to breach organizations’ digital defenses. Zero-day gaps are particularly likely to lead to success, because no matter how much a company invests in its IT security, zero days exist as a residual risk in virtually all software, regardless of its development stage. The crucial question is when they are found, and by whom.
In many cases, zero-day exploits remain undetected for a long period of time. Once a zero-day exploit is detected, a race against time begins for the developers, because the longer the vulnerability exists, the higher the potential damage. This is also where the term zero day comes from: at the time of the cyberattack, the developers have had zero days to work on a fix for the vulnerability.
Responsible Disclosure: How the DGC deals with zero-day gaps
The DGC is constantly on the lookout for zero days and repeatedly comes across previously unknown security vulnerabilities in software products and network environments. As part of a responsible disclosure policy, it supports the manufacturers of the affected software in fixing newly discovered vulnerabilities as quickly as possible.
The disclosure of the IT security vulnerabilities found follows the coordinated disclosure guidelines of the national Computer Emergency Response Team (CERT). The aim of this procedure is to reconcile the interests of the manufacturer and of the users as far as possible. For the former, the main concern is to avoid damage to its image as a result of a data leak; for the latter, it is the security of their IT infrastructure.
The software manufacturer is notified of the vulnerability by the DGC and has 28 days to fix it. The DGC then publishes details of the vulnerability on its website so that affected users have the opportunity to protect themselves against a possible cyberattack at their own discretion. Ideally, a security update from the developer is already available by this time.
An alternative approach to Responsible Disclosure is Full Disclosure, in which information about security vulnerabilities is published immediately. The resulting pressure on the software manufacturer is intended to lead to faster elimination of the vulnerability. The DGC, however, follows the Responsible Disclosure approach exclusively.
Basically, both cases are about transparency: Anyone affected by a zero-day exploit must learn about it as soon as possible in order to be able to respond to the threat.
Massive data leak at Buchbinder uncovered with cyberscan.io®
In German-speaking countries, too, zero days repeatedly lead to massive data leaks. The car rental company Buchbinder (Car Partner Nord GmbH) was hit particularly hard. At the end of 2019, the DGC came across three million data records on Buchbinder customers with the help of its in-house vulnerability scanner cyberscan.io®. These could be accessed completely unencrypted with a conventional web browser. The personal data records contained name, address, telephone number, payment information, driver’s license number, pick-up and drop-off location of the rental car, accident reports (including blood alcohol tests), and any violations of the StVO (the German road traffic regulations) by the drivers.
In accordance with its Responsible Disclosure Policy, the DGC immediately alerted Buchbinder to the zero-day exploit. After the company failed to respond for over a month despite multiple attempts to contact it, the DGC informed the Bavarian data protection authority. Just under a month later, the security hole was closed. Media reports and a public statement from Buchbinder followed.
Protective measures against a zero-day exploit
Conventional security tools are powerless against zero-day exploits. Since complete protection is hardly possible, the primary concern is risk minimization. In principle, every piece of software in use is a risk factor. Accordingly, it makes sense to use only the software solutions that are actually needed and to keep the software landscape as manageable as possible.
For any kind of IT security concept, it is indispensable to consistently provide the entire infrastructure with current security updates, patches and fixes. Negligence here can have devastating consequences. In most cases, software vendors are able to provide timely patches for discovered zero days. If a company learns of a zero day in a piece of software it is using, it is responsible for rolling out the corresponding fix itself.
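The two measures above, a lean software landscape and consistent patching, can be checked mechanically. The following is an added example and not DGC tooling or code from the original article: it takes a constructed inventory of hosts, an approved-software list and constructed vendor advisories (placeholder advisory ids, versions and dates) and reports software nobody has approved as well as hosts still running a version below the vendor's fixed version, together with how long the fix has been available.

```python
"""Patch-exposure report over a constructed software inventory (added example)."""
from datetime import date

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "web-01":  {"exampleapp": "2.3.9",  "legacy-ftp": "1.0.4"},
    "web-02":  {"exampleapp": "2.3.11"},
    "mail-01": {"exampleapp": "2.3.10", "mailer": "5.1.0"},
}

# Constructed list of products the organisation has actually approved for use.
APPROVED = {"exampleapp", "mailer"}

# Constructed vendor advisories: product -> (placeholder advisory id, first fixed version, fix date)
ADVISORIES = {
    "exampleapp": ("ADV-PLACEHOLDER-1", "2.3.11", date(2022, 3, 1)),
    "mailer":     ("ADV-PLACEHOLDER-2", "5.2.0",  date(2022, 3, 20)),
}


def parse_version(text):
    """Turn '2.3.10' into (2, 3, 10) so that 2.3.10 compares greater than 2.3.9."""
    return tuple(int(part) for part in text.split("."))


def unapproved_software(inventory=INVENTORY, approved=APPROVED):
    """(host, product) pairs that are installed but not approved: candidates for removal."""
    return sorted((host, product) for host, products in inventory.items()
                  for product in products if product not in approved)


def unpatched_hosts(today, inventory=INVENTORY, advisories=ADVISORIES):
    """Hosts below the fixed version, with the number of days the fix has been available."""
    today = date.fromisoformat(today)
    findings = []
    for host, products in inventory.items():
        for product, installed in products.items():
            if product not in advisories:
                continue
            adv_id, fixed, fix_date = advisories[product]
            if parse_version(installed) < parse_version(fixed):
                findings.append((host, product, installed, adv_id, (today - fix_date).days))
    return sorted(findings)


if __name__ == "__main__":
    for host, product in unapproved_software():
        print(f"{host}: {product} is installed but not approved")
    for host, product, ver, adv, days in unpatched_hosts("2022-04-01"):
        print(f"{host}: {product} {ver} affected by {adv}, fix available for {days} days")
```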
The consistent use of encryption and tiered access rights further raises the security level. It also makes sense to put an intrusion detection or intrusion prevention system (IDS, IPS) in place. This helps to detect suspicious patterns in data traffic and, ideally, to nip attacks in the bud.
Last but not least, companies should also develop a disaster recovery plan that defines the procedure and the responsibilities in the event of a cyberattack. A fast and effective response not only serves to limit damage; it may also be required by law under the GDPR.
Conclusion: risk minimization through a comprehensive security concept
Zero-day exploits are a threat that appears out of nowhere. Nevertheless, organizations are not completely defenseless against this risk. The key is to be aware of the threat, to minimize risk factors at the technological and organizational level, and to be able to react quickly in an emergency.
The IT experts at the DGC will be happy to advise you on all issues relating to zero-day exploits and your company’s IT security. Please contact us.