It Is Always Time for Zero Day Vulnerabilities

Oh, sigh. It has only been 5 months since my last post on Zero Day Vulnerabilities and now I am provoked by news of multiple such vulnerabilities in various Microsoft products. My post was about what that term used to mean, came to mean and means now. It was also about why reacting to these issues has become a potential vulnerability in itself.

The short version of the definition is that "Zero Day Vulnerability" has come to mean a vulnerability that is publicly known, and often already being exploited, before a fix exists, which in practice translates to "you should do what you can about this vulnerability as quickly as you can."

The short version of the dangers of panic is that panic is dangerous: just because you need to react to a vulnerability ASAP does not mean that you can cut corners or rush. Remember that human beings are prone to error when they rush, and that attackers know this and try to exploit it, for example by offering "patches" that are themselves malware at exactly the moment you are scrambling for one. A patch is only as trustworthy as its source: take it from the vendor's own channel and check its published hash or signature before you apply it.

The best way to be able to react ASAP without rushing is to plan ahead. Of course you cannot predict when any given trusted piece of critical software will be revealed to have had this problem all along, but you can predict that this situation will arise at some point with some piece of critical software.

So plan for it. In your NIST CSF-based program, add this to the Protect process for your critical digital assets as a risk to be managed. Then add it to the Detect procedure: someone has to subscribe to the vendor and government warnings of critical vulnerabilities for each piece of critical software, and that subscription has to be checked. Then add it to the Respond plan: for each critical piece of software you need to know in advance from where you can get a trustworthy patch, how to verify it, and how it should be applied. Then add it to your Recover plan: for each critical piece of software you need to know when to expect a follow-up, or a way to confirm that the patch is in place and working.

What if this piece of software is no longer actively supported? It might seem an obvious policy to only run software that is actively supported, but in practice this can be very difficult to implement. Lots of software becomes stable, "just runs", and spending money to replace a trusted and fully functional system is not as obvious a choice as it might appear at first. The practical consequence is that for unsupported software no patch is coming, so the plan for it has to name a compensating control (isolation, restricted access, extra monitoring) that you can switch on instead.
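The following is an added illustration of the plan-ahead record the last few paragraphs describe; it is example code written for this page, not the author's own material or any NIST tooling. All products, versions, hosts and advisories in it are constructed. Each inventory entry holds the research done before the bad day arrives: which advisory feed to watch (Detect), which host a trustworthy patch comes from and how to apply it (Respond), what check confirms the patch worked (Recover), and whether the vendor still supports the version. An advisory is matched against the inventory, each affected asset gets a pre-decided action (patch if supported, compensating control if not), and a separate check refuses a patch file that did not come over HTTPS from the recorded vendor host or whose SHA-256 does not match the vendor-published value, which is the defence against the corrupted-patch trap mentioned earlier.

```python
"""Plan-ahead records for zero-day response: match an advisory to critical
software, choose patch-or-mitigate per asset, and verify a patch before use.
Example code for this page; every product, host and advisory is constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed inventory (hypothetical products and hosts, not a real environment).
CRITICAL_SOFTWARE = [
    {
        "product": "Example Mail Gateway",
        "version": "7.2",
        "supported": True,
        "advisory_feed": "https://advisories.example-vendor.test/feed",
        "patch_hosts": {"downloads.example-vendor.test"},
        "apply": "runbook mail-gateway-patch: staged, one node at a time",
        "verify": "check version banner, re-run authenticated scan",
    },
    {
        "product": "Legacy Ledger",
        "version": "3.1",
        "supported": False,  # vendor support ended; no patch will be published
        "advisory_feed": "https://advisories.example-cert.test/feed",
        "patch_hosts": set(),
        "apply": "no vendor patch available",
        "verify": "confirm firewall rule and new-connection alert are active",
        "compensating_control": "restrict network access to the app tier; alert on new connections",
    },
    {
        "product": "Example Build Server",
        "version": "2.0",
        "supported": True,
        "advisory_feed": "https://advisories.example-vendor.test/feed",
        "patch_hosts": {"downloads.example-vendor.test"},
        "apply": "runbook build-server-patch",
        "verify": "check package version, run pipeline smoke test",
    },
]

# Constructed advisories in a generic shape chosen for this example; real feeds differ.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "Example Mail Gateway",
     "affected_versions": {"7.0", "7.1", "7.2"}, "exploited_in_wild": True},
    {"id": "ADV-EXAMPLE-002", "product": "Legacy Ledger",
     "affected_versions": {"3.0", "3.1"}, "exploited_in_wild": False},
]

# Constructed stand-in for a downloaded patch file and its vendor-published digest.
SAMPLE_PATCH = b"constructed patch contents, not a real vendor file"
SAMPLE_PATCH_SHA256 = hashlib.sha256(SAMPLE_PATCH).hexdigest()


def affected_assets(advisory, inventory=CRITICAL_SOFTWARE):
    """Detect step: inventory records whose product and version the advisory names."""
    return [a for a in inventory
            if a["product"] == advisory["product"]
            and a["version"] in advisory["affected_versions"]]


def respond_plan(advisory, inventory=CRITICAL_SOFTWARE):
    """Respond step: one pre-decided action per affected asset. Supported software
    is patched from its recorded source; unsupported software cannot be patched,
    so it gets the compensating control written into the plan ahead of time."""
    plan = []
    for asset in affected_assets(advisory, inventory):
        if asset["supported"]:
            action, detail = "patch", f"obtain from {sorted(asset['patch_hosts'])}; {asset['apply']}"
        else:
            action, detail = "mitigate", asset.get("compensating_control", "isolate pending replacement")
        plan.append({
            "advisory": advisory["id"],
            "asset": f"{asset['product']} {asset['version']}",
            "urgent": advisory["exploited_in_wild"],
            "action": action,
            "detail": detail,
            "recover_check": asset["verify"],  # Recover step: how to confirm it worked
        })
    return plan


def verify_patch(asset, source_url, patch_bytes, expected_sha256):
    """Accept a patch only if it came over HTTPS from a host recorded for this
    asset and its SHA-256 matches the vendor-published value. Returns (ok, reason)."""
    url = urlparse(source_url)
    if url.scheme != "https":
        return False, f"refusing non-HTTPS source {source_url}"
    if url.hostname not in asset["patch_hosts"]:
        return False, f"{url.hostname} is not a recorded patch host for {asset['product']}"
    actual = hashlib.sha256(patch_bytes).hexdigest()
    # compare_digest is the idiomatic way to compare digests in Python
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, f"SHA-256 mismatch: expected {expected_sha256}, got {actual}"
    return True, "source and digest match the plan-ahead record"


if __name__ == "__main__":
    for adv in ADVISORIES:
        for step in respond_plan(adv):
            print(step)
    gateway = CRITICAL_SOFTWARE[0]
    print(verify_patch(gateway, "https://downloads.example-vendor.test/mg-7.2.1.bin", SAMPLE_PATCH, SAMPLE_PATCH_SHA256))
    print(verify_patch(gateway, "https://mirror.example-mirror.test/mg-7.2.1.bin", SAMPLE_PATCH, SAMPLE_PATCH_SHA256))
```

The point of the record is that every field is filled in during the tiresome research the post calls for, not on the day the advisory lands; the functions only read what was decided in advance. The hash check stands in for whatever verification the vendor actually offers (a published checksum, a signed installer, a signed package repository); use the strongest one available.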

Zero Day Vulnerabilities are a drag to think about. They are agony to endure as you shut down the affected systems and twiddle your thumbs while you wait for a patch. They are difficult to recover from if recovering from them means choosing between continuing to run something old or risking running something new.

But think about them you must. Have a plan you should. A written procedure you need, complete with tiresome research that needs to be updated regularly.

Take the time and trouble. Your future self will thank you. Shrug and let it slide and you will have no one to blame but yourself.
