Hackers

Zero-Day Vulnerabilities – What They Are and How to Protect Yourself

Before discussing how you can protect yourself and your organization from Zero-Day vulnerabilities, it’s helpful to understand the term vulnerability as used in the cybersecurity industry. The National Institute of Standards and Technology, commonly referred to as NIST, defines vulnerability as “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” So, anything that threat actors can exploit in your environment is considered a vulnerability, even employees. 

What is a Zero-Day Vulnerability?

Zero-Day vulnerabilities are vulnerabilities in software actively being exploited in the wild but have not yet been disclosed to the software developer, or a patch has not yet been provided to fix the issue. These vulnerabilities are usually kept secret by threat actors and sold on the Dark web for a hefty price. Depending on how much damage this exploit would cause, they can be sold for thousands and even millions of dollars. 

If, at first, Zero Day vulnerabilities are widely undiscovered, how are they initially found? That’s a great question! There are many different ways that Zero Day vulnerabilities are uncovered, but some of the more common tactics are Threat Research and Vulnerability Disclosure Programs (VDPs). Not all Zero-Day vulnerabilities are found by malicious actors. There are legitimate organizations whose sole purpose is to research threat indicators in the wild and correlate them to potential vulnerabilities in the software being exploited. After confirming or even potentially confirming that a vulnerability exists, they would then reach out to the software vendor in question and disclose this information. This is usually done by following the organization’s Vulnerability Disclosure Program (VDP). These programs are designed to encourage Threat Researchers to come forth as well as anyone else who may have information regarding vulnerabilities in a software product. Most of these programs offer a monetary reward, and just like selling on the Dark web, the amount paid is substantial. These programs aren’t always available, but more organizations are adopting this tactic to fight back against the cybercrime industry. There has even been legislation adopted to push companies toward creating their own VDP. If you ever notice a software bug that you can replicate, it’s worth reporting it. You may just end up with some money in your pocket!

Protecting Your Business From Zero-Day Vulnerabilities

Unfortunately, due to the nature of the threat, we can only mitigate the risk, not completely eliminate it. But don’t worry; implementing the proper controls, processes, and procedures can significantly reduce the risk of compromise. The first step in protecting your business from Zero-Day vulnerabilities and attacks is simple patch management. Your company’s IT provider should be on top of issuing the latest updates to all of your software. Whether it’s your line of business application(s) or your computers’ operating systems, applying the latest security patches is crucial. The process for managing these updates to your company’s software should be written down in its own policy and, if possible, automated. 

Another way to protect yourself against these threats is even easier than patch management – you need to be aware of what’s going on. Researching the latest threat trends and keeping yourself up to date about active exploits will provide you with the information needed to proactively patch your systems or isolate that specific software inside your network. I recommend subscribing to a security newsletter if you aren’t actively working in the Cybersecurity industry where threat research is a part of your job. On another note, while vulnerability scanning won’t necessarily provide you with insight on Zero-Day vulnerabilities affecting your network, it does give you a clearer picture of the threat landscape of your environment. More visibility offers you greater control, and greater control gives you better protection. 

Last but not least, start depreciating your legacy software. Any applications that are no longer supported by the vendor won’t be receiving further security updates. It is extremely risky to continue utilizing end-of-life (EOL) software inside your environment, so it’s crucial to move away from these solutions as soon as possible. If your business is dependent on a product that’s in EOL and depreciating in a timely manner is not feasible, be sure to isolate any devices that contain the software from other areas of your network. Doing this will aid in preventing either malware or threat actors from moving laterally across your network in the event of a compromise. 

Vulnerabilities can be scary, especially when Zero-Days are thrown into the mix. However, with the proper security controls, processes, and procedures, you can significantly mitigate the risk to your business. If you would like to learn more about how Kite Technology’s Managed IT and Security Services can better secure your organization, please reach out to schedule a conversation. We would welcome the opportunity to discuss your company’s IT and security needs and help you develop a plan to improve your performance and security posture. 

Picture of Dillon Fornaro

Dillon Fornaro

Security Engineer
Kite Technology Group

Preventing Mobile Cyber Attacks

Did you know that 40% of all mobile devices are vulnerable to cyber-attacks and exploits? 

As smartphones and tablets become increasingly common in the workplace, hackers aren’t necessarily just using your device to infect it with malware, but also to infect devices on the same network as you. 

In this post, we share a few helpful tips to help you stay secure when using your mobile devices.  

Apps

Applications are the lifeblood of a smartphone. However, not all are created equal. Make sure you are only installing apps that are available through your dedicated App Store. Depending on your device, this would either be Google Play for Android or Apple App Store for iPhones.

Wi-Fi

Set your applications to automatically update to ensure they have the latest security. If your wireless carrier is limiting the amount of data you are allowed to use on a monthly basis, consider turning on the feature that will only update your applications if you are connected to Wi-Fi. You can even set a schedule for when you know you’ll be home.

Browsers

The browser on your smartphone works the same way as it would on a desktop PC or a laptop. You should never save a username or password inside of a browser. If you are someone that is juggling a lot of different accounts like a lot of people today, consider using a password manager. 

Pay close attention to URLs. Just like when you’re browsing the web on a laptop or desktop, you always want to make sure that you’re on the correct site before inserting any information. 

Bluetooth

Bluetooth is a pretty simplified connection method. However, there are still ways to secure yourself from attacks associated with it. Turning off automatic Bluetooth pairing is an effortless way to prevent someone from illegitimately accessing your device. Also, if you’re not using Bluetooth, it is best to just turn it off completely. This will help protect from unwanted connections.

Vishing (voice phishing)

Spam calls are becoming extremely common on a day-to-day basis. How do we protect ourselves from people pretending to be someone they aren’t? Make sure you do not reveal any personal information over the phone unless you are absolutely sure who that person is. If you are hesitant, it is best to just hang up and call the direct number of the company or person in question. Also, be wary of urgency as scammers will try tricking you into thinking that this must happen now. I can assure you it doesn’t. 

Smishing (phishing via SMS)

Text messaging is becoming the most popular communication method between individuals. This just means that more people will start using this form of communication for malicious intent. Never click links or respond. The messages sent from unknown recipients always go directly to the source. Also, standard text messages are not encrypted if nonpublic information is being requestedit is best to use another form of communication to provide these details. 

I hope that these quick tips on mobile device security have been helpful. Remember, it is important to stay just as vigilant on your mobile devices as you are on your desktop PC.

If you would like to learn more about our Managed IT and Cybersecurity Services, please feel free to reach out. We would be happy to schedule a complimentary consultation to learn how we can help you operate more securely and meet compliance regulations.

Picture of Dillon Fornaro

Dillon Fornaro

Security Engineer
Kite Technology Group

adam atwell

Adam Atwell

Cloud solutions architect

Adam is passionate about consulting with organizations across the country to help them develop and execute a cloud adoption strategy that meets their business needs and future objectives. Adam oversees and manages our company strategy for Microsoft 365 adoption and is responsible for future growth and development inside Microsoft 365 and other cloud technologies.