Are Zero-Day Exploits Overhyped?

Security experts suggest worrying about something else.

One of the big challenges of cyber security is that it’s often reactive. Hackers find new ways to crack into systems, and then security companies come up with ways to stop them. When the hackers find previously undiscovered vulnerabilities in software, these are known as zero-day exploits, and they’re often regarded as a major threat to cyber security. But according to security firm Tenable, zero-day exploits are overhyped and aren’t the real problem.

Speaking at the company’s Edge conference, Tenable’s technical director, Gavin Millard, suggested that the focus should not be on zero-day exploits but rather already established, known threats.  According to researchers at the company, the most frequently exploited vulnerabilities exist in legacy solutions such as Adobe Flash and Internet Explorer. In a large percentage of cases, attacks are successful because of lax application of patches and poor user awareness, rather than zero-day exploits.

But is it fair to suggest that zero-days are overhyped? Yes, but also no. There’s certainly a good reason for why businesses shouldn’t fret too much about them: quite simply, it’s not something they have any control over. Trying to predict what yet-to-be-discovered exploits will be like is the job of cyber security technology companies and experts, as well as the people who create the software patches to mitigate against these emerging threats.

At this level, zero-day exploits are absolutely relevant and important. After all, even the oldest of threats will have been a zero-day at some point, and the sooner they’re discovered, the better. But for users and businesses, it really doesn’t matter whether a threat has only just sprung into existence or been around since the dawn of computer time. If it hasn’t been fixed or you don’t apply the patches for it, then you’re in trouble either way.

Yet despite this relatively simple advice, Tenable’s CEO, Amit Yoran, said at the Edge event that “60% of breaches are caused by known vulnerabilities to which patches are available”. In other words, the majority of breaches are entirely avoidable and only happen because basic security ‘hygiene’ isn’t being maintained.

This reality is made all the more odd by the fact that most of the time, this maintenance costs very little, if anything at all. If businesses need help installing updates, then there may be some labour costs involved, and if they use have a subscription-based monitoring and patching service, it can all be taken care of automatically for a fee. In either case, it will be a relatively small investment, considering the risks. Of course, if hardware or software needs to be replaced completely (like when Windows Server 2008 reaches end of life), then businesses will need to dip into their budgets more to stay protected, but that’s not something that happens particularly often.

There are no guarantees when it comes to cyber security, of course, but practising good security hygiene can make a huge difference. When new exploits emerge, patches for them soon follow. By staying on top of the patch releases, whether manually or through an automated, managed service, you’ll give your business the best chance of having zero days affected by zero-days.