We can’t take this analogy too far, but do you remember the historic 1980 “no mas” fight between Sugar Ray Leonard and Roberto Durán? If you haven’t watched it, you can see it on YouTube. In this particular clip, watch what Sugar Ray does at the 1:04 mark. He winds up his right hand in gigantic, dramatic circles. Durán is momentarily mesmerized; then Leonard sneaks in and connects with a powerful left-hand jab.
There are days that this historic punch reminds me of cyber security.
Each year, we are inundated with dramatic messages. If you search the tech media tool TechNews.io for mentions of “zero-day exploits,” you’ll see 16,000 mentions in 2017 and 2018. (We’re already at 6,000 for 2019 as of mid-May.)
Yet the number of zero-day exploits is much smaller than the number of mentions. According to Flexera’s Secunia Research, zero-days aren’t so common out there. A little more than a dozen exploits a year drive these tens of thousands of media articles. Our research shows 13 zero-day exploits in 2019, 16 in 2018 and 14 in 2017.
Zero-days are important to keep an eye on because exploitation is already happening. In reality, most exploitation of vulnerabilities happens right after the vendor publishes the vulnerability. We tend to react to zero-days for obvious reasons, but we also need to keep in mind that many exploits in other, less popular software receive far less attention.
What you’re watching is important. Do you have the visibility of the affected assets? Do you confidently know where they are and which ones need a patch? Start with solving the problem of visibility, then do a risk assessment that can see deep and wide before you panic and react to newsmakers with fire drills.
How to avoid getting punched
Surely there are some days when being a security professional feels like Roberto Durán fighting Sugar Ray Leonard. How do we honor the danger of a massive wind-up of the right hand and also the sneaky left-hand jab coming from where you least expect it?
- Gain visibility: Do you have complete visibility into your enterprise? Do you have EOL software? How much? What’s your plan if there are exploits? We were reminded again of the reality of zero-day exploits recently with the SandboxEscaper exploits for Windows 10 published on GitHub.
- Leverage resources across your organization: For example, your software asset managers have information that can help you. Ask them to review usage analysis on all apps and determine if they’re still critical to the user, project and organization. By having a criticality level in place and a taxonomy that identifies whether it is an infrastructure, enterprise or project-based app, SAM and security teams can create a process to patch or remove unnecessary and unused apps/code that pose a risk. If the app hasn’t been used, there’s an opportunity to assess its future in the org or identify whether there are SaaS-based alternatives. The same can be said for enterprise architects who always appreciate reduction in complexity.
- Prioritize: While zero-days in Microsoft products are important to patch, we recommend keeping an eye on vulnerabilities that are being exploited in the 92% of global software not published by Microsoft.
- Patch backwards: Given that most actual exploitation happens right after a vulnerability is published, reacting fast to new vulnerabilities is crucial. But please don’t lose sight of older vulnerabilities; many are still playing a catch-up game, and we know that the oldies are always the bad guys’ favorites.
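The four points above amount to a triage rule: rank open findings by whether exploitation is already happening, whether the software is EOL, how old the unpatched vulnerability is and where the app sits in the criticality taxonomy, and send unused apps to removal rather than patching. The following script is an added illustration of that rule, not Flexera’s tooling; the weights, the `Finding` fields and the sample inventory are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class Finding:
    app: str
    vendor: str
    tier: str          # taxonomy from the post: infrastructure, enterprise or project
    criticality: int   # 1 (low) .. 3 (high), set by the app owner
    eol: bool          # vendor no longer ships fixes
    days_unused: int   # from SAM usage analysis; large means nobody runs it
    published: date    # vendor disclosure date
    exploited: bool    # exploitation observed in the wild
    patched: bool

def score(f: Finding, today: date) -> int:
    """Vendor-agnostic risk score: exploitation, EOL status and age dominate."""
    if f.patched:
        return 0
    s = 10 * f.criticality
    s += 50 if f.exploited else 0                     # exploitation already happening
    s += 25 if f.eol else 0                           # no fix coming
    s += min((today - f.published).days // 30, 24)    # "patch backwards": old items never decay
    s += 10 if f.tier == "infrastructure" else 0      # shared dependency, a hit cascades
    return s

def action(f: Finding) -> str:
    """Unused apps are removed rather than patched; EOL apps need replacing."""
    if f.patched:
        return "none"
    if f.days_unused > 90:
        return "remove"
    return "replace" if f.eol else "patch"

def triage(findings, today):
    """(app, action, score) tuples, highest risk first, patched items dropped."""
    open_items = [f for f in findings if not f.patched]
    ranked = sorted(open_items, key=lambda f: score(f, today), reverse=True)
    return [(f.app, action(f), score(f, today)) for f in ranked]
TODAY = date(2019, 5, 15)  # constructed reference date
SAMPLE = [                 # constructed inventory, not real findings
    Finding("win10-workstation", "Microsoft", "enterprise", 3, False, 0, date(2019, 5, 14), True, False),
    Finding("legacy-reporting", "Acme", "project", 1, True, 400, date(2017, 3, 1), False, False),
    Finding("file-transfer-gw", "Acme", "infrastructure", 3, False, 2, date(2018, 1, 10), True, False),
    Finding("cms-plugin", "Acme", "project", 2, False, 5, date(2019, 4, 1), False, True),
]

if __name__ == "__main__":
    for app, act, s in triage(SAMPLE, TODAY):
        print(f"{s:4d}  {act:8s} {app}")
```

On the sample data the exploited, year-old non-Microsoft infrastructure gateway outranks the day-old Windows 10 zero-day, and the unused EOL reporting app is queued for removal instead of a patch.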
Athletes know that there’s a difference between offense and defense. In boxing, as in security, you have to be good at both.