The term “zero-day” is quite common in the world of cybersecurity. In recent months, the biggest tech companies, from Microsoft and Google to Apple, have had to fix zero-day bugs, but what does that mean? Here we tell you how they work and how to protect yourself.
Why is it called zero-day?
The term “zero-day” refers to a vulnerability that exists in the wild without the knowledge of the software manufacturer, leaving the software open to attack. Once the manufacturer finds the problem, it has had “zero days” to fix it, because the software is already at risk. There are three main ways to think about a zero day, as security software company Kaspersky notes:
Zero-day vulnerability: A software weakness that can be exploited and is discovered by attackers before the manufacturer knows about it.
Zero-day exploit: The method an attacker uses to gain access to a system through that zero-day vulnerability.
Zero-day attack: When bad actors use a zero-day exploit to break into a system to steal data or cause damage.
So, vulnerability is the weakness, exploit is the method bad actors use to get in, and attack is when those bad actors use that vulnerability to cause damage. The terms are sometimes used interchangeably, but they are not quite the same.
How Do Zero Day Attacks Work?
Even with software developers and manufacturers who diligently check their product for flaws, mistakes do happen and bad actors are dedicated to finding weaknesses or loopholes that they can exploit for their own gain.
Once a cyber attacker finds this vulnerability, they can write a segment of code to take advantage of it. What this code is and does will depend on the type of vulnerability they have discovered. Sometimes attackers can gain access to the system simply by using a zero-day exploit. If they can’t, they’ll try to trick someone into letting them in.
Cyber attackers often do this through social engineering – techniques that play on human psychology to trick users into letting their guard down. Phishing scams that send threatening messages to scare people into taking action are a textbook case of social engineering. A fake email that appears to have been sent by your bank, for example, states that your account has been hacked and asks you to “click here to verify your account details”. Social engineering is used in just about any type of cyberattack, from malware scams to USB attacks, because it works often enough to be useful.
A zero-day vulnerability can exist in the wild for months before being detected. Meanwhile, attackers can get away with stealing or copying data and damaging sensitive systems until the software maker implements a fix.
Malicious hackers often sell information about zero-day vulnerabilities on the dark web for large sums of money. As long as the only people aware of these exploits are attackers, they remain a threat.
Zero-day attacks can compromise far more than email passwords or bank details. The targets range from passwords and personal information to vulnerable devices connected to the Internet of Things.
How are zero-day attacks discovered?
The good news is that it’s not just malicious hackers looking for these weak spots. Software and technology companies often employ white hat or gray hat hackers to test their systems against attacks and uncover vulnerabilities before their products hit the market.
Once discovered, these vulnerabilities are posted on public forums that industry players know to check. Some third-party vendors also make it a point to collect and share vulnerabilities. Cisco’s cloud intelligence arm, called Talos Intelligence, is one such company that lists user-reported vulnerabilities, including zero-day vulnerabilities, on its website. Computer training YouTube channel CBT Nuggets explains this in more detail in one of their videos.
Tech companies also pay “bounties” to independent hackers or researchers who discover vulnerabilities in their products. These programs encourage skilled hackers to keep testing a system or piece of software and to report what they find to the developer.
Zero-day threats are difficult to detect because information about them is only made public after they are discovered, and they are often not discovered until after an attack. Evidence of such an attack can include missing data, bugs in the system, algorithms behaving incorrectly, or missing encryption.
Evidence of zero-day attacks can also come in the form of unexpected traffic or analytics activity. If a system has been compromised and is secretly sending data back to the source of the attack, for example, you might see higher than normal traffic on the server.
Often, a mixture of existing malware databases, monitoring of systems for strange behavior, and machine learning is used to detect new zero-day threats, Kaspersky notes. Information about past malware behavior and past system interactions is used to determine whether something is suspicious and should be flagged for investigation. AI, in particular, can analyze large amounts of data, giving it a solid frame of reference to use against new threats.
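As an added illustration of the “higher than normal traffic” signal described above (example code written for this article, not taken from it or from Kaspersky), the script below compares each host’s latest daily outbound byte count with its own earlier days and flags hosts whose egress jumps far above that baseline. The host names, dates and byte counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily egress summaries, one per line: "date host bytes_out".
# web01 shows a sudden jump on the last day; db01 stays flat.
SAMPLE_LOG = """\
2024-05-01 web01 1200000
2024-05-02 web01 1350000
2024-05-03 web01 1100000
2024-05-04 web01 1280000
2024-05-05 web01 9800000
2024-05-01 db01 400000
2024-05-02 db01 420000
2024-05-03 db01 390000
2024-05-04 db01 410000
2024-05-05 db01 415000
"""

def parse_egress(log_text):
    """Return {host: [(date, bytes_out), ...]} sorted by date per host."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, host, nbytes = line.split()
        per_host[host].append((date, int(nbytes)))
    for rows in per_host.values():
        rows.sort()
    return per_host

def find_egress_anomalies(per_host, min_history=4, sigma=3.0, min_ratio=2.0):
    """Flag hosts whose latest day is both more than `sigma` standard
    deviations above the mean of earlier days AND at least `min_ratio`
    times that mean. The ratio floor stops a very flat baseline from
    raising alerts on trivial increases. Returns (host, date, ratio)."""
    alerts = []
    for host, rows in per_host.items():
        if len(rows) < min_history + 1:
            continue  # not enough history to build a baseline
        history = [b for _, b in rows[:-1]]
        latest_date, latest = rows[-1]
        base_mean, base_sd = mean(history), pstdev(history)
        if latest > base_mean + sigma * base_sd and latest >= min_ratio * base_mean:
            alerts.append((host, latest_date, round(latest / base_mean, 1)))
    return alerts

if __name__ == "__main__":
    for host, date, ratio in find_egress_anomalies(parse_egress(SAMPLE_LOG)):
        print(f"{host}: egress on {date} is {ratio}x its baseline")
```

A real deployment would feed this from flow logs or proxy summaries and tune the thresholds per host class, since a spike alone is a lead for investigation, not proof of compromise.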
How can you protect yourself against zero-day attacks?
The nature of zero-day attacks makes them difficult to avoid, but some defense is possible. For starters, keep all your systems and software up to date. In 2017, the WannaCry ransomware attacks exploited a stolen list of vulnerabilities in Microsoft systems, many of which could have been closed by installing a free security update. So, as tempting as it may seem, don’t keep clicking “remind me later”.
Only downloading apps that you know you need and will actually use will also help protect you. The more applications you have, the more ways an attacker has into your system.
Antivirus and anti-malware software are a plus. They usually rely on data about past threats, but they are updated often. Good software can still protect against many threats, so set these programs to run regular scans of your entire system automatically so you don’t forget to use them. For an extra layer of security, a firewall is an option, although it might be overkill these days.
Finally, inform yourself and the members of your organization. Everyone can stand to practice better digital hygiene online, and the more people know about the common social engineering tactics used by attackers, the less successful those tactics will be.