The Disconnect Between Zero-Day Exploits and Security Audits and Penetration Tests

Given all the known security incidents and data breaches, it seems to me that the average person might be curious as to why all this nonsense is occurring, especially when periodic security testing is taking place. One would think that with all the security control audits, vulnerability scans and penetration testing in the average business, known security risks would be addressed. It’s simply not true, especially as it relates to zero-day exploits — system vulnerabilities for which there is no known fix.

The Trouble With Zero-Day Exploits

The complexity of the threats we face combined with the complexity of the typical network environment all but guarantees there is just no way to uncover all possible vulnerabilities and attack vectors related to advanced malware. Furthermore, the inherent nature of zero-day exploits makes those vulnerabilities unknown to begin with. It’s hard to protect against something that hasn’t yet happened.

Malware-driven zero-day exploits can be so complex that not even the most in-depth technical security testing and systems oversight could uncover them. It’s a great example of the philosophy “you don’t know what you don’t know.”

You can’t hit a target you can’t see. Odds are good that you’re not doing enough today to keep zero-day exploits under control. So what can you do?

The Best Defense

You most certainly need to keep performing your traditional security testing, but you also have to combine it with proven security controls that are layered across the enterprise. This often includes cloud access security broker technologies controlling data going out to the cloud and advanced malware protection at the network perimeter, as well as modern malware protection, adequate software patching and even data loss prevention at the endpoints.

Arguably, your users are the best line of defense to protect against phishing and related social engineering. They can also assist in the fight against email- and browser-based attacks that facilitate zero-day exploits.

If anything, ongoing security testing can serve to create a false sense of security — you think everything is OK when it’s actually not. There is no best way to combat this threat. It’s all of these security controls working in unison across the enterprise with the proper oversight that can truly protect the organization from zero-day exploits.

Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle...