To be remembered as a truly sinister villain it’s all in the marketing. A memorable name is a must; preferably ironic or cropped from the rarely frequented areas of the keyboard and even better when combined with the definite article or an umlaut. Angel Eyes, The Mekon and Keyser Söze all fit the bill nicely. Even Sauron has a nice ring to it.
So I was disappointed to read that the biggest zero-day villain in 2014 was called CVE-2013-7331. Hmmmm, can’t quite hear James Bond saying “that’s a Smith and Wesson, CVE-2013-7331, and you’ve had your six.”
Zero-day attacks are aimed at operating system or software vulnerabilities for which there is no remedy when they first strike; i.e. the community of internet security vendors has had ‘zero days’ to prepare a response. They have given rise to an alarmingly competitive culture among cybercriminals. For example, each month hackers race to be the first to compromise Microsoft’s regular security updates on Patch Tuesday (the second Tuesday in each month). Security experts have even coined the term ‘Zero-day Wednesday’ as a result, as this internet security company notes.
But in Symantec’s annual internet security report, released this month, 24 zero-day attacks made 2014 the worst year on record for internet vulnerability. (The chief villain named above had 2013 in its Common Vulnerabilities and Exposures designation because it was discovered in 2013 but not disclosed to the public until the following year.) In total, Symantec says the top five zero-day attacks took 295 days to patch, with the average being 59 days. That means a lot of systems were exposed for a very long time. The cat-and-mouse nature of Patch Tuesday and Zero-day Wednesday is, therefore, no laughing matter.
Possibly of greater concern though, is that many cybercriminals have seemingly adjusted their tactics in light of automated patch deployments. In keeping with these days of austerity, Symantec suggests hackers have gone back to basics: attacking networks not for immediate effect, but to gather intelligence for future exploitation. To do so they are increasingly looking for vulnerabilities in old software (that may have been reused in new applications) and at the very architecture of the internet itself.
What does the internet look like? Opinions vary, from President Obama’s recent description of “the wild, wild West” to the oft-mentioned ‘super highway’. But my favourite analogy comes from The Baffler which compares the internet to a hot tub: “A hot tub, after all, is shared with friends and strangers, whose warm water swirls around you, lulling you into complacency while silently transmitting disease”.
So, not an impenetrable fortress then, where all one need do is occasionally replace a few bricks and keep the drawbridge in the upright position. Many like to think of the internet as a coherent and secure entity. Look at how we talk of ‘downloading’ from or ‘uploading’ to the internet, as if it hovers over us like an omnipotent safety blanket. But the reality is different.
Craig Rice, Head of Security at the Payments Council, which represents the payments industry in the UK, sees the internet as an architectural hodge-podge. He describes an ecosystem growing incrementally with no overall design, control or predictable direction. Rather than bricks, it is better to think of it as having been made from wool, he says, and therefore very easy for malicious actors to find ways through and around patches. As Tim Gallo of Symantec says: “We need to better understand that the fabric of the internet is riddled with holes.”
Game over? Not quite. All the villains listed above eventually came a cropper, even the nattily titled CVE-2013-7331 was patched after 204 days. There are some easily implemented measures to prepare for and mitigate attacks. For example, the United States Cyber Consequences Unit offers some simple advice on laptop security when travelling abroad, so as to minimise exposure overseas and lessen the risk of bringing home a nasty.
The starting point is to consider our own exposure. What does our network look like? How big is the fixed infrastructure, let alone mobile devices? Are we using software that is no longer supported? How will we know when we’ve been breached and who should we then call? The governments of the United States and United Kingdom recently announced a series of cyber war games to test each other’s defences. Perhaps it’s better to hear the scary news from a friend before You Know Who comes calling.
This post was commissioned by XQ Digital Resilience