Hackers and cybercriminals are increasingly exploiting previously undiscovered vulnerabilities in software to attack systems. Addressing this growing threat and protecting the public interest requires a concerted effort. “It is crucial that organizations strengthen their basic security and periodically screen for vulnerabilities. These measures not only protect the organization itself but also affect internal and international security.”
That is the message from the Dutch cybersecurity agency Orange Cyberdefense.
“Inconsiderate information exchange can increase damage”
As an example, the company cites the cyber attack on twelve Norwegian ministries. Hackers exploited a zero-day vulnerability in Ivanti Endpoint Manager Mobile. As a result, the attackers bypassed the authentication process to gain access to confidential company data. “It is not the first and certainly not the last time that a country will be the target of such a targeted zero-day attack,” emphasizes Jort Kollerie, security specialist at Orange Cyberdefense.
A digital attack via a zero-day exploit is not only dangerous for the company or organization affected by it. According to Kollerie, it can create a large group of victims if action is not taken quickly. “There is a risk that in the event of an ill-considered information exchange, the vulnerability suddenly becomes known to a larger group of hackers and can therefore cause much more damage,” he says.
In his view, the Norwegian government acted well by contacting the software supplier directly. This enabled the company to quickly develop a patch and roll it out worldwide to prevent damage to other parties.
Zero-days and patching vulnerabilities take too much time
Kollerie underlines the importance of regularly testing your own defences and infrastructure. Pen testing allows ethical hackers to detect vulnerabilities before malicious parties have a chance to exploit them. Working with Red Teams and Blue Teams can also reveal security issues. The Red Team is a group of employees that tries to infiltrate the corporate network, while the Blue Team does everything it can to repel the attack.
According to Kollerie, there is still a lot of room for improvement. Software companies still take too long to develop a patch for zero-day exploits and other vulnerabilities. “Our data shows that it still takes companies an average of 215 days to fix a reported vulnerability. Even for critical vulnerabilities, that’s more than six months. This puts organizations at unnecessary risk and provides attackers with a significant window for exploitation,” said the security specialist.
International cybersecurity and data privacy standards, such as the European Network and Information Directive (NIS2), help to create a common framework for better information security, according to Kollerie. “NIS2 is good news in that sense. One of the points of this guideline is a solid patch policy. It gives organizations an unequivocal argument to put that aspect in order.”
Reducing the number of victims through knowledge sharing and a solid patch policy
Orange Cyberdefense advocates more knowledge sharing to increase the digital resilience of companies and organizations. “Nobody competes on security. Every organization is a source of security knowledge and insight, and sharing that knowledge and insight is invaluable to all of us.” Reviewing the patch policy to minimize the risk of unnecessary casualties is wise. “By patching resolved vulnerabilities as quickly as possible, you reduce the risk of becoming an unnecessary victim of what is no longer a zero-day vulnerability,” says Kollerie.
“Cybersecurity is a shared responsibility, where every organization can make a difference – not only for itself but for the entire digital community,” the cybersecurity expert concludes.