Zero-day attacks are alarming for defenders and relatively easy for hackers because flaws are being reused. The root of the problem is time and money.
A team within Google does nothing but look for zero-day vulnerabilities, which is good, if controversial. What is disturbing is that when a zero-day flaw was found and the information shared, the software engineers who patched it were too blinkered: they did not take a wide view of the code but fixed only the specific line that was exploited.
This means it is relatively easy to alter the attack code slightly – so that it reaches the same underlying weakness by a different route – and use it again.
Zero-day attacks, so named because of the number of days the vendor has had to fix the flaw before it is spotted in use (zero), are being reused because of a fundamental problem for the security sector: a lack of time, money and resources.
For a CEO, there is always an equation involved. Does he or she invest in security to stop unlikely zero-day attacks or does it make more sense to invest in new sales channels in the hope that the extra sales will more than compensate for any loss of income?
Now, though, the pandemic is changing these priorities. Hackers are having a field day, not just through zero-day attacks but across the whole ghastly gamut of malware, phishing and the rest.
The Google Team is not there simply to criticise others. It found a zero-day flaw in Internet Explorer after Microsoft had stopped developing the browser. This highlights that it is not just current products that are vulnerable. In the case of Explorer, the fact that it was still so widely used even after investment had stopped meant its reach was too attractive for attackers to ignore.
Success in security is about collaboration, and the Google Team has been working with Apple, for example, on flaws it discovered in the iPhone. The good news is that Apple was prepared to make the time and money available not just to patch things up but to conduct a fundamental review of the app in question and how it interacted with the rest of the device. Apple then invested in altering iOS itself.
Zero-day attacks are one of the most visible and potentially destructive attack vectors. The IoT is particularly vulnerable to them because makers of IoT devices do not have security at the forefront of their minds.
Sharing information is the only solution to the widening set of attack vectors, and the downfall of Emotet is a great example of what can be achieved through collaboration. If we encourage that, at least, we stand a better chance of keeping up with hackers.