Exploiting Flaws


Hackers love zero-day attacks that zero in on unpatched software flaws

By Jim Deitch

Hackers love zero-day malware. This malware exploits a previously unknown flaw in an operating system or software application that permits a hacker to gain access to, or take control of, a computer or other technology device. These unknown flaws have no patch or fix available.

For this particular cyberattack, it’s as if a bank robber walks into a branch using a science-fiction cloaking device and steals cash undetected. You can’t see the thief, but the damage is still done.

Anti-virus software doesn’t detect the zero-day malware because the software has not seen the malware previously. Most anti-virus software functions by identifying the “signature” of a virus or the malware source if it’s introduced by a particular Internet connection. Anti-virus software cannot block zero-day malware because it can’t identify it.

Many of the high-profile cyberbreaches you’ve read about in the newspaper probably used zero-day malware to gain entry and commit the crime. Some hackers are very skilled, and their zero-day malware can go undetected on systems for months and even years, giving the hacker lots of time to steal confidential and valuable data.

Zero-day malware has many technical flaws, and they are often quickly identified and detected. Many software makers offer rewards to an individual identifying a previously unknown exploit. Some flaws are detected by the software maker’s quality assurance program. Once a software patch is released, many hackers typically review the patch and accompanying information to identify the nature and risks exposed by the flaw. Hackers then attempt to identify and attack unpatched systems.

Known vulnerabilities and exploits are catalogued by the National Cybersecurity and Communications Integration Center/U.S. Computer Emergency Readiness Team (US-CERT). The US-CERT collects information from many software makers and patch information on a regular basis.

In September, it had identified more than 20 “high-risk” flaws for Microsoft Office, Internet Explorer and the Windows Operating System. These 20 high-risk flaws were identified over a two-week period.

One of the most important security measures a bank can take is to ensure patches issued by software makers are installed as soon as they are released. Most computers can be configured to automatically install software updates and patches. A bank’s IT team usually must install patches for servers, routers and other devices. In some cases, users disable automatic updates and place their computers in harm’s way.

Applying patches as soon as possible should be a standard priority for community banks. Unpatched systems are open invitations to hackers, exploits and information security incidents.

Jim Deitch (jdeitch@teraverde.com) is the CEO of Teraverde Financial LLC, a bank management consulting firm.