Cyberattacks make headlines every week, but one particular type of threat has been challenging risk managers after the Log4j incident: zero days. What is a zero day and why is it relevant for third party risk management?
Until the vulnerability is mitigated, attackers can use it to compromise data or additional systems, including operating systems, web browsers, office applications, open-source components, hardware, firmware, or Internet of Things (IoT) devices.
The term is often used along with words like vulnerability, exploit, and attack, so it’s helpful to understand the difference:
Dealing with unpredictable zero day vulnerabilities is one of the greatest challenges faced by today’s security teams. They can either affect the organization directly or indirectly, through its third party vendors with access to the network.
Log4j is the most recent reminder of the impact zero day vulnerabilities can have in entire supply chains, after it was discovered that the vulnerability could allow attackers to seize control of nearly everything from industrial control systems to web servers and consumer electronics. Until the patch was released, every organization and vendor using the open source Apache logging library Log4j was vulnerable.
As part of your due diligence and ongoing reassessment processes, you need to make sure that your vendors are enforcing standards that keep your business safe. Should a zero day vulnerability appear, you need to be able to promptly:
All of these actions need to be conducted with a centralized, standardized third party risk management process, as opposed to chasing vendors via email and using spreadsheets to assess their security level.
Software is written by humans, and humans are fallible. Developers create software every day, but unbeknownst to them, it may contain vulnerabilities. This makes zero day attacks inevitable, as attackers often spot those vulnerabilities before the developers detect and act on them.
So how can you minimize risk in your organization and across your vendor supply chain?
Zero day protection measures include:
Building a vendor risk management program, or scaling one to be more effective? Read this before you get started.
It compiles the five biggest tips for scaling your program, from mapping to continuous monitoring and analysis, that will save your organization time and resources.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|