Published: June 04, 2024 on our newsletter Security Fraud News & Alerts Newsletter.
News about a cybercrime spike is never a good thing. When that surge involves zero-day attacks, it’s an unusually challenging situation. A report by Google finds last year’s 97 zero-day vulnerabilities were up 50% from 67 the year before. In context, 2021 set a record with 106 vulnerabilities. Good, bad, or indifferent, one thing we know for sure — hackers are getting better at finding zero-day opportunities.
At the heart of these attacks is an attacker finding a previously unknown weakness in software. Once discovered, the flaw is exploited immediately — the reason they’re called “zero-day” attacks: the vendor has had zero days to fix it. At that point, the hacker knows about the weakness, knows there is no fix available, and continues to exploit it until it’s fixed. Those fixes are released to the public as patch updates so users, too, can close the vulnerability.
Zero-Day Expanding Targets
Hackers are upping their zero-day efforts to include third-party and other outside software products. In some cases, they are shifting away from targeting consumer environments and instead focusing on business software. For attackers, expanding the pool of potential targets translates to more zero-day possibilities. In its findings, Google saw a 64% increase in business-specific vulnerabilities last year, and an overall increase in attacks targeting third-party vendors going back to at least 2019.
Tackling Zero-Days
While developers will always hope to make their software immune to zero-day flaws, consumers can take steps to reduce their own exposure to these attacks until that happens. Since we know that might take a while, follow some basic advice:
Always keep your device software up-to-date and never wait to apply security patches. The longer you wait, the more vulnerable your device is to attack.
Keep phishing red flags top of mind any time you check your inbox. Remember, 91% of cyberattacks begin with email phishing, and 41% of business email compromise (BEC) attacks are due to credentials stolen via phishing.
Unique, strong passwords protect the keys to your online kingdom. Use a minimum of eight characters and a mix of upper- and lower-case letters, numbers, and symbols. Fun fact: Without automated means, a 12-character mixed password takes 26.5 thousand years to crack, while an 8-character mixed password gets cracked in 3 hours. Remember, a hacker is likely to give up on a tough-to-crack password and move on to an easier one.
The tough truth about zero-day attacks is that it can take days, months, or even years for a developer to discover the security flaw. It also takes time to create the patch and distribute it to the public. The more time it takes to find and fix the flaw, the more opportunities there are to exploit it. So, don’t wait to update!
Want to schedule a conversation? Please email us at advisor@nadicent.com