Security buzzwords – zero day and APT

Information security / cybersecurity is all over the news these days, with a serious hack / breach reported just about every week. News reporters and salesmen are happy to capitalise on this with catchy headlines and fear-mongering. On occasion, the truth gets lost while this is going on. Here are a few buzzwords / buzz-phrases that you may have come across, which may not mean what you think:

Zero day
A ‘zero-day vulnerability’ is a vulnerability that the maker of the product does not know about, but an attacker does. Once information about this vulnerability is known, the vendor has 0 days to fix it before it affects their customers. Plenty of vulnerabilities these days are discovered by ‘good guys’ – white-hat researchers – who report their findings to the producers of the software and give them a reasonable period (such as 90 days) before the information is made public. These vulnerabilities are not zero-days because the wider community (and malicious players in particular) typically learn about them only after the patch is released. A ‘zero-day exploit’ would be the use of such a vulnerability before the vendor learned of its existence.

Examples of misuse:
Vulnerability in LastPass misreported as zero-day by many reputable news sites: http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
Nonsensical title talking about a ‘patched zero-day’: https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/

APT / advanced persistent threat
An advanced persistent threat (APT) is a higher-grade attacker than the usual one. APT attacks tend to be targeted and stealthy, and may involve a large number of steps, with multiple devices being infected and data being exfiltrated only in the later stages. Some of these will be so effective that they remain undetected for years. On occasion, they can also reach computers that are not connected to a network. The level of sophistication is said to be such that only nation-states and big criminal organisations have the expertise to carry out such attacks.

Some of the top names in security have ‘APT’ solutions. Do they work? They do detect some threats that traditional methods do not, but advanced persistent threats? No. Claims to detect APTs must be taken with some amount of caution. Malware testing company NSS Labs came up with a few tests of increasing difficulty, and none of the tested products detected the stealthiest test samples. Their conclusion: “Novel anti-APT tools can be bypassed with moderate effort…” They were able to develop the test samples without having access to the APT solutions during test development, and “resourceful attackers who may be able to buy these products will also be able to develop similar samples or even better ones.” Our takeaway from this: make sure that the vendor’s claims are supported by evidence, and seek unbiased sources when trying to find out more.

Also check out this previous article: The horror of the security product presentation

The horror of the security product presentation

“Attackers can get in within seconds.” “Data can be extracted within minutes.”

If you are in IT (especially if you manage IT), chances are that you have sat through a security product sales presentation. It contains scare stories of vulnerabilities and attackers and tells you about just the product to solve the problem.

It starts with a few recent headlines. There will typically be one about a security breach that lost a company many credit card numbers belonging to its clients. This might be followed by another headline that talks about lost social security numbers or other personal information. (5 minutes)

Step 2 is the scariness of the task of the IT team. There are plenty of vulnerabilities that any IT infrastructure may have. The ante is quickly upped to introduce “zero-day” – vulnerabilities that are only known to the attacker and not even to the vendor who created the security products that are in use. The scares are further escalated to show how quickly data can be extracted and for how long the attackers can remain in your network before they are typically detected. (5 – 10 minutes)

Then comes the question. What can we do about this? The answer immediately follows. “We need something that … does A, B, C and D!” (1 minute, typically just one slide)

The big reveal that we have been waiting for! Introducing PRODUCT!!!  (5 minutes)

An explanation follows as to how A, B, C and D are done by the product. There is an additional explanation as to why no other product compares. (20 – 30 minutes)

What is shameful about the aforementioned presentations is the amount of time that they waste in an attempt to scare people into buying a product. Not only that, the security product is presented as the necessary solution that will fix the problems that none of your existing products could fix.

No security product will secure your IT infrastructure by itself. See this previous post that I made for more information. There are plenty of situations where the existing products in one’s infrastructure, effectively used, can provide the level of security that is required by management. A direct question to the salesperson about the measurable effectiveness of the product will always be met with caution, which is the last thing one would expect so soon after hearing of the wonders of the newly introduced product.

Security devices need to keep one-upping each other. So do security sales pitches. Perhaps a good way to improve them would be to not waste the customer’s time and patience attempting to scare them.