Vulnerabilities, Exploits, and Zero-days (Oh my!)

There have been a lot of cybersecurity events in the news this week, month, and year, but there are some important things to remember regarding the words used. To help sort through what’s relevant versus what’s noise, please keep the following definitions in mind when reading about cybersecurity events:

A Vulnerability is defined by NIST’s Computer Security Resource Center as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” In other words, a vulnerability means a risk exists; it does not by itself mean that bad guys are using it to cause damage. Essentially every nontrivial piece of software has vulnerabilities that have yet to be found, which is why many vendors run bug bounty programs that pay the research community to identify weaknesses before the bad guys do.

An Exploit is the code or technique a bad guy uses to take advantage of a Vulnerability in order to cause harm. Once a working exploit is in circulation, the risk is no longer hypothetical but practical, so it’s critical that the patch closing the underlying vulnerability is applied as soon as it is available, and that any interim mitigations the vendor recommends are in place until then.

A Zero-Day event is one where a bad actor is already Exploiting the Vulnerability by the time it is detected, before the vendor has a fix: defenders have had zero days to prepare. These are the most critical events, as damage is already occurring and there is no patch available at the outset to mitigate the risk of exploitation. This is why events like the current PrintNightmare Zero-day and the Microsoft Exchange Zero-Day earlier this year garner press coverage and Suite3’s attention.

During a Zero-Day event, the ounce of prevention to avoid a pound of cure may still be inconvenient. As part of PrintNightmare last week, we blocked certain print services according to Microsoft best practice recommendations to reduce the risk of exploitation, but that in turn caused print issues for certain clients with certain printers. In our view, a temporary inconvenience of limited impact is an easy trade in return for greatly reducing the likelihood of a long term inconvenience of major impact. There are so many cybersecurity risks out of our control that it’s best practice to master what’s in your control in order to reduce risks whenever and wherever possible.
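The trade-off described above (accept a print outage on some hosts to remove the attack surface) is easier to make when you can see exactly what each host exposes before changing it. The script below is an added example, not Suite3’s script, that inventories the Print Spooler on a Windows host and applies one of the two mitigations Microsoft published for PrintNightmare: disabling the service outright, or keeping local printing but refusing inbound client connections. It assumes the registry path and value name shown are the ones set by the Group Policy “Allow Print Spooler to accept client connections”; confirm them against the current Microsoft advisory before relying on them. Run it in an elevated PowerShell session.

```powershell
# Added example (not Suite3's own script): inventory the Print Spooler and apply a
# PrintNightmare mitigation. Assumption: the policy key/value below is what the GPO
# "Allow Print Spooler to accept client connections" writes; verify against Microsoft's advisory.
$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    # Reports what a host exposes so you can choose which mitigation (if any) fits it.
    $spooler = Get-Service -Name Spooler -ErrorAction Stop
    $policy  = Get-ItemProperty -Path $PrintersPolicyKey -ErrorAction SilentlyContinue
    # Value 2 = inbound client connections refused; value absent or 1 = allowed (the default).
    $inboundAllowed = -not ($policy -and $policy.RegisterSpoolerRemoteRpcEndPoint -eq 2)

    # Hosts that share printers are print servers; either mitigation breaks their clients.
    # Get-Printer needs the PrintManagement module and a running spooler; treat failure as "none found".
    $sharesPrinters = $false
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $sharesPrinters = [bool](Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SpoolerStatus          = $spooler.Status.ToString()
        SpoolerStartType       = $spooler.StartType.ToString()
        InboundPrintingAllowed = $inboundAllowed
        SharesPrinters         = $sharesPrinters
        # A host running the spooler and accepting remote connections is the case to fix.
        NeedsMitigation        = ($spooler.Status -eq 'Running' -and $inboundAllowed)
    }
}

function Invoke-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Disable: stop and disable the service (no local or remote printing).
        # BlockInbound: keep local printing, refuse remote connections (host can no longer serve printers).
        [Parameter(Mandatory)][ValidateSet('Disable', 'BlockInbound')][string]$Mode,
        # Required to proceed on a host that shares printers, i.e. to knowingly accept the outage.
        [switch]$Force
    )
    $exposure = Get-SpoolerExposure
    if ($exposure.SharesPrinters -and -not $Force) {
        throw "$($exposure.ComputerName) shares printers; either mitigation breaks its clients. Re-run with -Force to accept that."
    }

    switch ($Mode) {
        'Disable' {
            if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and set startup type to Disabled')) {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
        'BlockInbound' {
            if ($PSCmdlet.ShouldProcess($PrintersPolicyKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
                if (-not (Test-Path $PrintersPolicyKey)) { New-Item -Path $PrintersPolicyKey -Force | Out-Null }
                Set-ItemProperty -Path $PrintersPolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
                # The spooler reads this policy at start, so restart it for the change to take effect.
                Restart-Service -Name Spooler -Force
            }
        }
    }
    # Return the post-change state so the result can be logged per host.
    Get-SpoolerExposure
}

# Usage: inspect first, preview the less disruptive mitigation, then apply it without -WhatIf.
Get-SpoolerExposure | Format-List
Invoke-SpoolerMitigation -Mode BlockInbound -WhatIf
```

BlockInbound is the option to try first on workstations and on servers that print locally, because it removes the remote attack path while leaving local printing intact; Disable is for hosts that never print. Neither option is painless on a true print server, which is exactly the inconvenience described above, so the function refuses to touch a host that shares printers unless you pass -Force. Once the vendor patch is installed and verified, revert the policy value (or re-enable the service) deliberately rather than leaving the mitigation in place by accident.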