The time between the attack and the patch is critical, writes Bart Vansevenant
On 24 June 2004, a group of Russian hackers confirmed that "zero-day" security attacks - attacks based on previously unidentified vulnerabilities - had become a problem affecting every internet user.
Their Download.Ject attack launched a Trojan horse called Berbew which took advantage of two previously unknown and unprotected flaws in Microsoft's Internet Explorer.
Because these vulnerabilities had not previously been identified, Microsoft was forced to release a security update on 2 July aimed at thwarting this attack. But it was 30 July before a patch was released, leaving Internet Explorer users open to attacks for more than five weeks. Users could become infected without an available cure, which was a new and potentially more dangerous scenario in the fight against malicious code. Zero-day attacks had entered the mainstream.
Hackers and virus writers had previously targeted malicious code at known vulnerabilities, taking advantage of those IT directors who had not patched their systems regularly or correctly.
But with security now top of most IT directors' agendas, hackers have begun actively seeking out and targeting vulnerabilities that suppliers have not yet identified. Although this approach had previously been used to hack individual company systems, its use as a platform for mainstream attacks is a new development.
With hackers becoming quicker and more adept at exploiting unknown vulnerabilities, the period it takes the supplier to release a patch is becoming increasingly dangerous for users. Although there is clearly no one-off security solution that can protect systems against zero-day attacks, there are measures IT directors can implement to reduce the risk of their network falling victim to an unidentified flaw.
Deploying and continuously monitoring security controls such as firewalls, intrusion prevention systems (IPS) and anti-virus software allows IT managers to view threat information in real time. IPS can monitor the behaviour of systems, allowing new threats to be identified and corrective action to be taken on the spot.
But even the traditional firewall can be of great help if monitored in real time. In the case of the Slammer worm, firewall logs showed unusual network traffic behaviour in the early stages of the outbreak. This enabled network managers to close down a firewall port (port 1434 UDP) to avoid massive infection before the worm was even documented.
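As an added illustration of the firewall-log monitoring described above (example code written for this page, not from the article or Ubizen), the script below scans log lines for minute-long windows in which several unrelated sources hit UDP port 1434; the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format for this example (not a real product's syntax):
# "<ISO-8601 timestamp> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: routine traffic, then several unrelated external hosts
# probing UDP/1434 within the same minute, the early-outbreak pattern described above.
SAMPLE_LOG = """\
2004-01-01T05:29:10 ACCEPT TCP 10.0.0.5:51234 -> 203.0.113.10:80
2004-01-01T05:29:12 ACCEPT UDP 10.0.0.7:3400 -> 10.0.0.20:1434
2004-01-01T05:30:01 DROP UDP 198.51.100.4:1030 -> 203.0.113.20:1434
2004-01-01T05:30:02 DROP UDP 198.51.100.9:1030 -> 203.0.113.21:1434
2004-01-01T05:30:02 DROP UDP 192.0.2.33:1030 -> 203.0.113.22:1434
2004-01-01T05:30:05 DROP UDP 192.0.2.77:1030 -> 203.0.113.23:1434
2004-01-01T05:30:07 DROP UDP 198.51.100.4:1030 -> 203.0.113.24:1434
2004-01-01T05:30:30 ACCEPT TCP 10.0.0.5:51240 -> 203.0.113.10:80
"""

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Timestamps are treated as UTC so that window bucketing is deterministic.
    ts = datetime.fromisoformat(rec["ts"]).replace(tzinfo=timezone.utc)
    rec["epoch"] = int(ts.timestamp())
    rec["dport"] = int(rec["dport"])
    return rec

def find_port_spikes(lines, proto="UDP", dport=1434, window_sec=60, min_sources=3):
    """Bucket traffic to proto/dport into fixed windows and flag those in which at
    least min_sources distinct sources appear. Many unrelated sources hitting one
    port in a short window is the scanning signature, not raw volume alone.
    Returns [(window_start, distinct_sources, events)] for flagged windows."""
    sources, events = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or rec["dport"] != dport:
            continue
        bucket = rec["epoch"] // window_sec * window_sec
        sources[bucket].add(rec["src"])
        events[bucket] += 1
    return [(datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M"),
             len(sources[b]), events[b])
            for b in sorted(sources) if len(sources[b]) >= min_sources]
```

Running `find_port_spikes(SAMPLE_LOG.splitlines())` flags only the 05:30 window (four distinct sources, five packets); the single internal SQL Server lookup at 05:29 stays below the threshold.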
However, security will never be able to provide 100% guarantees. As such, it is important for companies to establish an incident response team with prepared procedures and assigned responsibilities to react to a security breach. Ultimately, reducing the threat of infection from zero-day attacks will depend on IT directors' ability to interpret the full security picture and to correctly identify malicious traffic.
Bart Vansevenant is director of European security strategies at Ubizen