Virus Attack: What to Do on Zero Day
The words "zero day" strike fear into the hearts of most IT security professionals. The phrase refers to the first day that a new malware (such as a virus or worm) or intrusion vulnerability makes its appearance. Since traditional antivirus software works by identifying and protecting against known threats, it offers no protection against an attack that has never been seen before.
What can you do to keep your systems safe from a brand-new threat? While there is no way to guarantee your company will never suffer a zero-day attack, there are steps you can take in advance to cut that risk to a minimum. And if it does happen, there are ways to minimize the damage.
Before zero day
Keep security up to date. "Keeping your network up to date and following security best practices could prevent exploitation of a zero-day vulnerability," says Russell Smoak, director of technical support, Cisco Systems, Inc. And of course, if a virus or threat gets through because your security software wasn't up to date, the effect can be just as bad as a zero day attack.
Christian Chase, CFO and managing partner of Everything Tradeshows learned this the hard way when he deliberately turned off updates because they were causing errors in some computers. "It was silly of me," he says. "All of a sudden, things started going down and down and down. Our accounting system was corrupt. As it turned out, we had 14 viruses." Fortunately, Everything Tradeshows had backups in place, so the company only lost three days of data.
Now, Chase is something of a poster boy for security best practices. In addition to having a firewall and keeping up to date on all definitions and patches, the company has its IT provider do a one-hour review each month to make sure there are no known vulnerabilities. It also maintains a blacklist of websites where users are not allowed to browse. "I've learned there's always a way in," he says. "So you have to arm yourself with the best fort available."
Keep an eye on your systems. Your best chance of spotting a zero-day attack early is to make sure your system activity is constantly monitored, either by your own staff or an IT outsourcer. "A traffic spike, or a sudden increase in unusual error messages could all be signals of a zero-day attack," notes Joe Dallatore, senior manager in technical support at Cisco.
Keep an eye on security news. Security providers and the tech media always put the word out as fast as they can when a zero day event is detected. So staying on top of this information can help you stop a new threat before it does you any harm. Make sure that either you or your IT provider is monitoring security threat information and is ready to respond if an application you depend on is known to have new security issues.
Make sure you have host intrusion protection. HIPS or host intrusion protection software can actually stop a zero-day attack because it does not rely on lists of definitions or signatures to block viruses. Instead, it identifies a threat by analyzing its behavior in your system, and uses rules-based monitoring to prevent such intruders from making unwanted changes.
"Host intrusion prevention used to be very costly, but now it's included in many of the large providers' security suites," says Adam Hils, a primary research analyst focusing on the small and mid-sized business market at Gartner. He recommends reviewing security contracts with a view to making sure you have this protection. "And it should be turned on as the default setting," he says. If HIPS is turned off as the default, that may indicate the company is aware of compatibility issues that you need to know about, too.
On zero day
Execute your plan. Well in advance of zero day, you and your IT team will have created a response plan for security attacks. Once you suspect an attack is underway, it's time to put your plan into action.
The specifics of your plan will depend on your company's "CIA" priorities -- meaning whether confidentiality, integrity, or availability is most important for your data. "If confidentiality is paramount, disconnecting from the Internet might be your first step," Dallatore says. "If availability is most important, it might not be."
If the plan calls for disconnecting from the Internet, and perhaps cutting off your ecommerce, some of your company's executives are likely to object, and these issues must be addressed ahead of time, Smoak adds. "The group executing the plan must have the authority to take these measures."
Contact your security provider. Letting your IT outsourcer and/or security software company know what's going on should be an early step in any plan. Their representatives will be able to tell you whether what you have on your hands is a known threat or a genuine zero day event.
In order to find out, however, they will need detailed information about what's been happening in your systems. Thus, it's important to have good log management in place, so that they can review your log information quickly and easily. (For more on log management, see previous article.)
"Once you communicate that you're under attack, the security provider will either say, 'Yes, we know about that, here's a patch,' or 'No, we've never heard of that before," Hils says. If it's the latter, sharing your information may help save others from suffering through zero day.