Zero Day Exploit: Microsoft’s patch, WhatsApp’s flaw and lessons from “WannaCry”
Security has always been a top concern for enterprises. As the shift to digital continues, enterprises see both sides of the coin: transformation through new technology on one side, and constantly evolving cyber threats and attacks on the other. Enterprise security teams are kept on their toes discovering, assessing and mitigating an array of gaps in the network, including threats they have never seen before. Among these concerns, zero-day attacks deserve particular attention.
To put it simply, a zero-day (or 0-day) vulnerability is a flaw in software or hardware for which no fix is yet available, usually because the vendor does not know about it or has not yet shipped a patch. The “zero” refers to the number of days the vendor has had to fix the flaw. A zero-day exploit is code that takes advantage of such a vulnerability, and a zero-day attack is the use of that exploit against real targets, for example by delivering malware that triggers the flaw. Such attacks are hard to detect because signature-based defences have nothing to match against: neither the flaw nor the exploit is publicly known yet. Once a flaw is reported to the vendor, a patch is developed and released, and from that point the exposure is no longer a zero-day but an ordinary unpatched vulnerability, which, as WannaCry showed, can be every bit as dangerous.
In May 2017, the technology world scrambled when news of WannaCry (also called WannaCrypt or WannaCryptor) broke. If you want to feel nostalgic about your heroic efforts as the network security team, here is an article on what it was about. One of our partners, a large global technology consulting company, requested an emergency field deployment of SD-WAN to remediate WannaCry in their customer’s network. Ironically, the incident response team was unable to make progress because the existing WAN capacity was insufficient to push patches across the network. On average, a security update issued by Microsoft is about 35MB, and the size varies from one Windows version to another. The details of the security patch are available here. The title of Microsoft’s security blog post says it all: “WannaCrypt ransomware worm targets out-of-date systems”. The worm spread through an SMBv1 vulnerability that Microsoft had already fixed in the MS17-010 update two months earlier, in March 2017. The ugly truth we were all rudely awakened to is that the malware hit every system that had not been patched, which is to say every system classified as out of date.
Recently, Microsoft released a patch for a Windows Error Reporting privilege-escalation bug (CVE-2019-0863) that was already being exploited in the wild, one of around 80 vulnerabilities fixed that month, including 22 rated critical and 57 rated important. Above all, Microsoft urged system administrators to immediately deploy the patch for a Remote Desktop Services remote code execution vulnerability (CVE-2019-0708, later nicknamed BlueKeep), because the flaw is “wormable”: it can be triggered before authentication and without any user interaction, so it could easily fuel a fast-moving malware outbreak like WannaCry. Microsoft even shipped fixes for the out-of-support Windows XP and Server 2003 because of it. Here is an article you can refer to for more on the flaw and the patch. Around the same time, WhatsApp patched a vulnerability that allowed attackers to install spyware on victims’ phones. In May, the popular messaging app, owned by Facebook, discovered that attackers were installing surveillance software on iPhones and Android phones by placing WhatsApp voice calls to their targets. The platform, which touts its end-to-end encryption, identified the flaw (CVE-2019-3568, now patched) as a buffer overflow in WhatsApp’s VoIP stack that allows remote code execution via a specially crafted series of SRTCP (Secure Real-time Transport Control Protocol) packets sent to a target phone number. Note that end-to-end encryption is no defence here: the malicious packets are parsed by the client’s own call-handling code, and no message content is involved at all. WhatsApp has released a fix and is urging users to update the application as soon as possible.
From the network perspective, WannaCry first taught enterprise IT departments to patch software promptly and stay on the latest security releases. Second, IT engineers realised the growing need to protect both endpoints of an application conversation, not just the perimeter: once the worm was inside, it spread from host to host over SMB with no help from the internet edge. Unless we deploy protection and detection at the endpoints, and segment the internal network so that lateral protocols such as SMB and RDP cannot reach every host, the network security problem of the Industry 4.0 era cannot be solved. Enterprises must realise that there is a lot more to security than a firewall.
Zero-day attacks succeed for two main reasons. First, existing lapses in enterprise defences: outdated systems, unpatched software and traditional, signature-driven security approaches. Second, the window between discovery and patch: the longer a vendor takes to ship a fix, and the longer IT teams take to deploy it, the more time attackers have to build and refine their exploits. Traditionally, threat identification relied on databases of known signatures and indicators, but given the advance of attack techniques, enterprises require newer measures to prevent breaches. Sandboxing is one well-known method: it uses virtualisation or other isolation to create a tightly controlled environment in which unverified programs that may contain a virus or other malicious code can be run and observed without letting them harm the host device. Bear in mind that well-built malware checks whether it is running in a sandbox and stays quiet if so, so sandbox verdicts should be combined with other signals rather than trusted on their own.
Enterprises today are implementing hybrid models that combine machine-learning-based detection, cloud-based networks and real-time analytics. Once again, the aim is to protect and block weak endpoints in users’ systems and software, to monitor unusual program and user behaviour, and to ensure secure cloud access. Almost every kind of breach leaves a trace on the network before and after the attack. Even the simplest malware contacts its command-and-control (C2) server once it is activated from an infected file, and a worm such as WannaCry announces itself by fanning out to many internal hosts on the same port. In fact, the most commonly implemented method in a malware sandbox is to watch for suspicious process or network behaviour when an infected file is opened. Network flow analysis through a security lens is an invaluable and inexpensive way to stay on top of your security operations. The challenge so far has been that network analytics engines are mostly offline and need either sampled traffic or an integration, via flow record formats such as NetFlow or IPFIX, with every one of your network devices. When you deploy a cloud-powered SD-WAN platform (sorry about the brazen advertising), it becomes possible to analyse all your network flows inline and immediately for behavioural anomalies.
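To make the two network signals above concrete, here is a small flow-record triage in Python. It is an added example written for this article, not code from the original post or from any SD-WAN product: it assumes a simple CSV record format (epoch seconds, source, destination, destination port, bytes), uses constructed sample flows rather than a real capture, and picks illustrative thresholds. It flags (1) an internal host that contacts an external address on a clockwork schedule, the beaconing pattern of a C2 check-in, and (2) an internal host that touches many internal peers on SMB or RDP within a short window, the fan-out pattern of a WannaCry-style worm or a scan for the RDP flaw discussed above.

```python
"""Flow-record triage for two behaviours: periodic beaconing to an external C2
host, and WannaCry-style fan-out to many internal peers on SMB (445) or RDP (3389).
Record format is an assumption for this example: epoch_seconds,src,dst,dport,bytes"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {445, 3389}  # SMB (WannaCry / MS17-010) and RDP (CVE-2019-0708)

# Constructed sample records, not a real capture; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_FLOWS = """\
# implant on 10.0.1.15 checks in with 203.0.113.7 every 60 seconds
1557900000,10.0.1.15,203.0.113.7,443,1320
1557900060,10.0.1.15,203.0.113.7,443,1290
1557900120,10.0.1.15,203.0.113.7,443,1301
1557900180,10.0.1.15,203.0.113.7,443,1311
1557900240,10.0.1.15,203.0.113.7,443,1295
1557900300,10.0.1.15,203.0.113.7,443,1307
# 10.0.1.22 sweeps a neighbouring subnet on TCP/445 in a few seconds
1557900011,10.0.1.22,10.0.2.5,445,4400
1557900012,10.0.1.22,10.0.2.6,445,4400
1557900012,10.0.1.22,10.0.2.7,445,4400
1557900013,10.0.1.22,10.0.2.8,445,4400
1557900013,10.0.1.22,10.0.2.9,445,4400
1557900014,10.0.1.22,10.0.2.10,445,4400
1557900014,10.0.1.22,10.0.2.11,445,4400
1557900015,10.0.1.22,10.0.2.12,445,4400
1557900015,10.0.1.22,10.0.2.13,445,4400
1557900016,10.0.1.22,10.0.2.14,445,4400
1557900016,10.0.1.22,10.0.2.15,445,4400
1557900017,10.0.1.22,10.0.2.16,445,4400
# benign: a workstation using one file server, and ordinary web browsing
1557900020,10.0.1.40,10.0.1.5,445,88000
1557901300,10.0.1.40,10.0.1.5,445,91000
1557900033,10.0.1.41,198.51.100.20,443,250000
1557903200,10.0.1.41,198.51.100.20,443,12000
"""

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse CSV-style records, skipping blank lines and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_beacons(flows, min_flows=5, max_cv=0.1):
    """Outbound (src, dst) pairs whose inter-flow gaps are suspiciously regular.
    A coefficient of variation (stdev/mean) near 0 means clockwork timing."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "period_s": round(avg),
                            "cv": round(cv, 3), "flows": len(stamps)})
    return beacons

def find_lateral_fanout(flows, window_s=60, min_targets=10):
    """Internal hosts contacting many distinct internal peers on SMB/RDP
    within window_s seconds: the signature of worm propagation or a scan."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in LATERAL_PORTS and is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[(f["src"], f["dport"])].append((f["ts"], f["dst"]))
    hits = []
    for (src, port), events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window over sorted events
            targets = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                hits.append({"src": src, "dport": port, "targets": len(targets),
                             "window_s": window_s})
                break
    return hits

if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    print("beacons:", find_beacons(records))
    print("lateral fan-out:", find_lateral_fanout(records))
```

On the sample data the beacon check reports only the 10.0.1.15 to 203.0.113.7 pair (period 60 s, zero jitter), and the fan-out check reports only 10.0.1.22, which touched 12 hosts on TCP/445 in six seconds; the file-server user and the web browsing session are left alone. In production you would allowlist legitimately periodic traffic (NTP, antivirus updates, SaaS keepalives) before trusting the beacon score, tune the window and target counts to your subnet sizes, and run the same logic per time bucket on the flow stream rather than over a whole file.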
The emerging architecture of SDP (read our earlier primer on SDP) is solving key challenges for enterprises securing their access to the cloud. One of the key problems is getting user traffic to the SDP cloud network in the first place, and this is where combining SD-WAN with SDP gives a 360-degree architecture for protecting networks and applications: SD-WAN handles the path, SDP handles the access decision.
The answer to how enterprises can seal as many security gaps as possible is, once again, in the cloud. The natural strength of an SD-WAN solution is policy-based, on-the-fly private network overlays created from any source to any destination. This lets an enterprise drop in very simple policies to steer the right traffic to the right SDP gateway. It is an architecture where you deploy best-of-breed networking at your edge using next-generation SD-WAN and best-of-breed security in your cloud using SDP. With SD-WAN, the networking team can drastically shrink the attack surface exposed to a zero-day and limit the blast radius of an exploit. Enterprises can embrace new precautions (ML, AI, cloud and so on) to avoid such vulnerable situations. A zero-day attack can easily jolt the bottom line of your enterprise, so it is crucial for security teams to stay alert and act immediately when a vulnerability is announced. Here are some basic steps of security hygiene that help mitigate zero-day attacks:
Deploy advanced security measures: traditional or basic measures are simply not enough in today’s digital landscape. Employ enterprise security solutions backed by SDN/NFV, machine learning and analytics, and make sure the analytics actually consume your network flows, since that is where beaconing and lateral movement show up.
Keep software up to date: apply operating system, application and security software updates regularly and promptly, prioritising wormable flaws such as CVE-2019-0708, and isolate or retire systems that cannot be patched. Patching does not stop a true zero-day, but it removes the far larger population of known, unpatched holes that worms like WannaCry actually used.
Update your browsers: out-of-date browsers are common targets. An unpatched browser is a standing malware risk, so keep every browser, and its plug-ins, on the latest version.
Implement security policies: leverage policy-based security architectures to set fine-grained policies on attributes such as users, devices and switches, location, routing, the services accessed in the SDN, and the security attributes of switches and controllers across domains. Default-deny between segments, with explicit allow rules for the protocols each segment really needs, is what keeps SMB or RDP from reaching every host in a WannaCry-style outbreak.