Cyberattacks make headlines every week, but one particular type of threat has been challenging cybersecurity leaders after the Log4j and SolarWinds incidents: zero days. What is a zero day vulnerability and why is it relevant for third-party risk management?
A zero day (also referred to as 0-day) is a software vulnerability either unknown to its developer, or known and without a patch to fix it. The name comes from the fact that the vendor has “zero days” to fix before it is actively exploited.
Until the vulnerability is mitigated, attackers can use it to compromise data or additional systems, including operating systems, web browsers, office applications, open-source components, hardware, firmware, or Internet of Things (IoT) devices.
The term is often used along with words like vulnerability, exploit, and attack, so it’s helpful to understand the difference:
- A zero day vulnerability is a software flaw that attackers discover before the vendor does. Because no patch exists yet, attacks exploiting it are likely to succeed.
- A zero day exploit is the code that allows attackers to leverage the vulnerable piece of software to compromise systems; exploits are usually sold on the dark web.
- A zero day attack is the use of a zero day exploit to disrupt, cause damage to, or steal data from a vulnerable system.
Why are zero days relevant to third-party risk management?
Dealing with unpredictable zero day vulnerabilities is one of the greatest challenges faced by today’s security teams. They can either affect the organization directly or indirectly, through its third-party vendors with access to the network.
Log4j is a recent reminder of the impact zero day vulnerabilities can have in entire supply chains, after it was discovered that the vulnerability could allow attackers to seize control of nearly everything from industrial control systems to web servers and consumer electronics. Until the patch was released, every organization and vendor using the open source Apache logging library Log4j was vulnerable.
This is why vendor risk assessments and continuous monitoring of your vendors' security performance are the pillars of a third-party risk management program (TPRM).
As part of your vendor due diligence and ongoing reassessment processes, you need to make sure that your vendors are enforcing standards that keep your business safe. Should a zero day vulnerability appear, you need to be able to promptly:
- Identify vulnerable third-party vendors in your supply chain
- Ask them how they are planning to react and mitigate the vulnerability
- Update your requirements and request additional assurances
All of these actions need to be conducted with a centralized, standardized third-party risk management process, as opposed to chasing vendors via email and using spreadsheets to assess their security level. How can you respond confidently to major security events if you need to reach out to each and every one of your vendors manually?
How to protect your organization against zero day attacks
Software is written by humans, and humans are fallible. Developers create software every day, but unbeknownst to them, it may contain vulnerabilities. This makes zero day attacks inevitable, as attackers often spot those vulnerabilities before the developers detect and act on them.
So how can you minimize risk in your organization and across your digital supply chain?
Basic zero day protection measures include:
- Keeping all software and operating systems up to date, installing patches as soon as they become available. Security patches often cover newly identified vulnerabilities, and poor patching cadence has been proven to correlate with risk.
- Enforcing security standards as part of your vendor risk assessments and due diligence process, and updating your requirements as needed after a zero day is discovered.
- Performing continuous monitoring and reassessment of your vendors as opposed to point-in-time calendar evaluations.
- Using a layered defense strategy, combining antivirus, firewall, and other security solutions, with security mechanisms like zero trust or MFA.
- Educating users on cybersecurity best practices, especially amid flexible work arrangements, as many zero day attacks capitalize on human error.
A key to reducing vulnerability exposure in your network is gaining a full view of your attack surface. Bitsight for Security Performance Management offers key External Attack Surface Management (EASM) capabilities that allow you to proactively harden and rapidly respond to new, high risk security issues. The tool looks from the outside to automatically discover, classify, prioritize, and inspect assets associated with your organization, ensuring that outstanding security and configuration issues are remediated, and that your traditional vulnerability management tool has the necessary asset discovery.
In addition, managing vendor exposure to zero day vulnerabilities quickly, effectively, and at scale is crucial to protect your network. When a major security event hits the news, how do you know which of your vendors is affected? How are they potentially exposing your organization?
With Bitsight’s Vulnerability Detection & Response capabilities, included in our Bitsight for Third-Party Risk Management solution, you can gain insights on vulnerability data and take action on high priority incidents impacting your vendors at a moments notice, while surfacing critical information to board and executive level stakeholders to provide assurance.
With Bitsight Vulnerability Response you can:
- Detect, manage, and mitigate emerging zero day vulnerabilities in your vendor ecosystem with speed
- Remediate risk more quickly and effectively with better prioritization of critical vendor response
- Initiate and track vendor outreach at scale through built-in questionnaire capabilities
- Confidently adhere to growing regulatory pressure with easy access to critical vulnerability data
Contact Bitsight today to adopt the right tools to protect your organization.