A zero-day attack sounds like something out of ‘Starship Troopers’, or ‘Back to the Future’.
But it’s much more boring, I’m afraid.
A zero-day attack is one that exploits a zero-day vulnerability – a code vulnerability that slipped through the cracks and has been discovered by the bad guys, who plant their malware or otherwise corrupt the site.
None of the checking, verification, auditing or testing that is part of the process of developing and deploying a new application (such as a plugin), or inserting updated code into an existing application, identified the vulnerability.
No one knows that it’s there.
If some code on your website has a zero-day vulnerability, you cannot proactively defend against an attack through the usual step of keeping your software up to date (a step that I preach relentlessly!), for the simple reason that there is no security patch.
This is one of the reasons I’ve said many times that no one can ever claim a website is 100% secure.
If no one (except the bad guys) knows about it, no security patch will have been released, in which case your website is vulnerable.
How dangerous is a zero-day vulnerability?
If only the bad guys know about it, then it poses an extremely high risk.
However, one of the benefits of using open-source platforms (such as WordPress) is that there is a huge user and developer community. These people (the good guys) are a safety net, because they spot vulnerabilities that slipped through the testing and deployment process and need to be patched.
When they do so, they notify the developer through a practice known as ‘responsible disclosure’ – quickly and confidentially alerting the developer to the vulnerability so it can be patched before it’s widely known about.
The risk is that the bad guys discover the vulnerability first, in which case things can get very ugly, very quickly.
They use software to scan hundreds of thousands of websites to look for:
- Known vulnerabilities, for which a security patch has been released but where the webmaster has failed to update the sites they are managing
- Unknown (zero-day) vulnerabilities, which they have discovered but for which no security update has yet been released
And with the development of Artificial Intelligence (AI) applications you can rest assured that the cyber-criminals will become ever better at detecting and exploiting vulnerabilities (of both types).
There is no proactive defence against an attack on a zero-day vulnerability for which no security patch has been released, but that in no way implies that it’s OK not to apply software updates immediately!
For the best protection against your website being compromised you must keep all software absolutely up-to-date.
And do the updates as soon as possible after they are released.
After all, when the developer is notified of a zero-day vulnerability it is no longer ‘zero-day’ and the patch will be released as quickly as possible.
So how can we protect our businesses against zero-day attacks?
Before I answer that question let me make this point:
One of the prime responsibilities of people who own websites is to be a good net citizen. A bad net citizen is one who does not maintain their websites, so the sites get hacked and are then used to further the aims and objectives of the cyber-criminals.
The effect of this is to increase the level of criminal activity online.
I wrote an article recently listing out steps you should take to protect yourself online. One thing I left out was the importance of accepting responsibility for maintaining your websites so as to be a good net citizen and not contribute to the increasing level of cyber-criminal activity.
I urge you to read that article and make sure that you protect not only yourself but your net-neighbours as well (by maintaining a secure website). Read it here.
In the meantime, the answer to the question ‘How can we protect our businesses’ is:
- Keep all the software on your website absolutely up to date
- Make sure you take regular full-site backups so you can restore your site quickly and easily if it is hacked (this is the only way to recover from a zero-day attack, until a fix is released)
- Check the front end and the admin area of your website each day so you notice any problems as soon as possible. This will enable you to make sure you’re restoring your site from a clean backup, not one taken after the site was hacked
- Read this article and take the precautions I’ve laid out
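The second and third steps above depend on being able to tell whether a backup is clean, and on noticing changes to the site's files quickly. One practical way to do that is a file-integrity manifest: record the SHA-256 hash of every file while the site is known to be clean, keep that manifest with the backup, and compare the live site against it each day. The script below is an added example written for this post, not code from the original article or from WordPress; the directory layout, file names and contents it creates are constructed for demonstration, and the `wp-content` paths are simply assumptions about a typical WordPress install.

```python
"""Added example (not from the original post): a file-integrity check that
helps answer "is this backup clean?" and "what changed since the backup?".

It builds a manifest of SHA-256 hashes for every file under a directory
(for example a WordPress install), saves it as JSON alongside a backup, and
later compares the live site against that manifest to list files that were
added, modified or removed. Paths and contents below are constructed."""

import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def save_manifest(manifest: dict, out_file: Path) -> None:
    """Store the manifest as sorted JSON so it diffs cleanly in version control."""
    out_file.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return added, modified and removed relative paths between two manifests."""
    baseline_keys = set(baseline)
    current_keys = set(current)
    return {
        "added": sorted(current_keys - baseline_keys),
        "removed": sorted(baseline_keys - current_keys),
        "modified": sorted(
            p for p in baseline_keys & current_keys if baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean site, then simulate later changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        plugin_dir = site / "wp-content" / "plugins" / "example"  # assumed layout
        plugin_dir.mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (plugin_dir / "example.php").write_text("<?php // plugin code\n")
        (plugin_dir / "readme.txt").write_text("plugin docs\n")

        # Baseline taken while the site is known to be clean (e.g. at backup time).
        manifest_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), manifest_file)

        # Later: one file edited, one unexpected file appeared, one file removed.
        (site / "index.php").write_text("<?php echo 'changed'; ?>\n")
        (site / "wp-content" / "unexpected.php").write_text("<?php // new file\n")
        (plugin_dir / "readme.txt").unlink()

        # Anything listed here deserves a look before trusting the live site
        # or before choosing which backup to restore from.
        return compare(load_manifest(manifest_file), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, run `build_manifest` on the site directory at backup time and store the JSON with the backup, off the web server; a manifest kept on the same host can be altered by whoever altered the files. Legitimate updates will also show up as modified files, so re-baseline after each update you apply yourself, and treat changes you did not make (especially new PHP files in upload or plugin directories) as the signal to investigate and, if needed, restore from the last backup whose manifest matched.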
If you don’t have the time or the technical expertise to do that, then we can help: