
'Zero Day' is a term that has been around for a while but is still not the de facto standard for network security.

Classically the industry has implemented a 'pattern matching' approach to detect and block malware. A vulnerability, and the malware that exploits it, must be known and a signature published to a signature database before detection and blocking is possible.

This is the basis of Anti-Virus (AV) engines and most Intrusion Detection/Prevention Systems (IDS/IPS), which are only as secure as their last signature update. Admittedly a degree of heuristic scanning has been added to this security model, but it is still mostly a reactive approach.

It relies on the vulnerability and exploit code already being in the 'wild' so that the security firms can write and test a signature. This is NOT zero day: if the code is in the wild while signatures and patches are still being tested and prepared, there is a window of risk for every connection to an untrusted network, primarily the Internet.

This delay is extended further by the third-party testing that appliance manufacturers perform before releasing the signature onto their platforms; the irony is that these perimeter systems are your first line of defence against external attack.

Zero Day, as used here, refers to the ability to block malware before, or very soon after, the vulnerability it exploits is published, without waiting for a signature. Based on protocol and traffic-pattern analysis, recognition of variants of known code (most novel attacks are variants of known attacks) and inspection of packets up to layer 7 (the application layer), this approach checks traffic against the rules of the protocol it claims to be and treats packets that break those rules as malicious.

So if a packet carries the wrong protocol for its port, contains an executable payload where none is expected, or has a field longer than the limit the protocol allows, it is treated as malicious by default and blocked. The trade-off is that rule-based checks can also block unusual but legitimate traffic, so the protocol rules and limits need tuning for your own network.

The great majority of worms are simply a buffer overflow against a recently disclosed, or still undisclosed, vulnerability: if you check the buffer length you block the worm on day zero, whether or not anyone has written a signature for it.
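The contrast between signature matching and protocol-rule checking described above, as an added worked example that is not code from the original page or from any of the products it names. The signature bytes, the "worm" payloads, the port-to-protocol map and the HTTP line limit are all constructed for the illustration; the only value taken from a standard is SMTP's 512-byte command-line limit (RFC 5321, section 4.5.3.1.4). A one-byte variant of the known worm slips past the signature but is still caught by the length check:

```python
"""Added example, not code from the original page or from any product it
names.  It contrasts reactive signature matching with the protocol-rule
checks the text describes, over constructed packets.

Everything here is constructed for the illustration: the signature bytes,
the "worm" payloads and the policy limits.  The one limit taken from a
standard is SMTP's 512-byte command-line limit (RFC 5321, section 4.5.3.1.4);
the HTTP request-line limit is an arbitrary local policy value.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # transport: "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # application-layer bytes


# Signature database: exploit bytes already seen in the wild (constructed).
SIGNATURES = {
    "worm-A-known": b"\x90\x90\x90\x90\xcc\xcc\xeb\xfe",
}

# Expected application protocol per port, and the longest command/request
# line each protocol permits (assumed policy values, see module docstring).
PORT_PROTOCOLS = {25: "smtp", 80: "http"}
MAX_LINE = {"smtp": 512, "http": 8192}

SMTP_VERB = re.compile(rb"(?i)(EHLO|HELO|MAIL|RCPT|DATA|RSET|NOOP|QUIT|VRFY)\b")
HTTP_REQ = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def signature_match(pkt: Packet) -> list[str]:
    """Reactive detection: fires only when a known signature is present."""
    return [name for name, sig in SIGNATURES.items() if sig in pkt.payload]


def conforms(proto: str, payload: bytes) -> bool:
    """Does the payload start the way a valid message of this protocol must?"""
    if proto == "smtp":
        return SMTP_VERB.match(payload) is not None
    if proto == "http":
        return HTTP_REQ.match(payload) is not None
    return True


def anomaly_check(pkt: Packet) -> list[str]:
    """Protocol-rule checks that need no prior knowledge of the exploit:
    wrong protocol for the port, an executable where a command is expected,
    and a line longer than the protocol's buffer limit."""
    findings = []
    expected = PORT_PROTOCOLS.get(pkt.dport)
    if expected is None:          # no policy for this port: nothing to judge
        return findings
    if not conforms(expected, pkt.payload):
        findings.append(f"not-{expected}-on-port-{pkt.dport}")
    if pkt.payload.startswith(b"MZ") or pkt.payload.startswith(b"\x7fELF"):
        findings.append("executable-payload")
    first_line = pkt.payload.split(b"\r\n", 1)[0]
    limit = MAX_LINE[expected]
    if len(first_line) > limit:
        findings.append(f"{expected}-line-{len(first_line)}-exceeds-{limit}")
    return findings


def scan(pkt: Packet) -> dict:
    """Run both detectors so the two outcomes can be compared side by side."""
    return {"signature": signature_match(pkt), "anomaly": anomaly_check(pkt)}


# Constructed sample traffic.
KNOWN_WORM = Packet("tcp", 25, b"HELO " + b"A" * 600 + SIGNATURES["worm-A-known"] + b"\r\n")
# Same overflow, one byte changed: the signature no longer matches.
VARIANT_WORM = Packet("tcp", 25, b"HELO " + b"A" * 600 + b"\x90\x90\x90\x90\xcc\xcc\xeb\xfd" + b"\r\n")
BENIGN_SMTP = Packet("tcp", 25, b"EHLO mail.example.com\r\n")
WRONG_PROTO = Packet("tcp", 80, b"\x00\x01\x02\x03binary-on-the-web-port")
EXE_ON_80 = Packet("tcp", 80, b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32)

if __name__ == "__main__":
    for label, pkt in [("known worm", KNOWN_WORM), ("variant worm", VARIANT_WORM),
                       ("benign smtp", BENIGN_SMTP), ("wrong proto", WRONG_PROTO),
                       ("exe on 80", EXE_ON_80)]:
        print(f"{label:12s} {scan(pkt)}")
```

Two caveats a practitioner would apply before trusting checks like these in production: the same rules will block legitimate traffic that breaks them (a web service on a non-standard port, a long but valid request line), so the port map and limits must be tuned per network; and a real IPS applies such rules to the reassembled TCP stream, not to individual packets, because an attacker can split a long line across segments to evade a per-packet length check.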

For another explanation please go to http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci955554,00.html

Example: Suppose malware is released that is not a standard SMTP-borne virus that must propagate from user to user via email, but a multi-protocol, multi-payload, UDP, self-propagating worm that reaches the Internet unpublished or within hours of publication. You do not have time to patch (even if a patch or hotfix is available), your pattern-matching AV and IDS are useless because they need prior exposure to the code to offer protection, and your remote users, home users, ADSL connections, SMTP/HTTP gateways and WAN links are all exposed to immediate attack from the Internet.

Remedy: Zero Day pre-emptive protection against the exploit code. At the perimeter, to provide a secure window for your existing patching procedures: I.S.S. Proventia and ActiveScout. Internally, so that emergency patching is no longer the only security response and to stop worm propagation: eEye Blink and CounterAct.

If you implement these strategies, your network will survive the critical window before the vendors release their fixes and will also prevent re-infection.

Copyright 2009 day zero security. All rights reserved.
Website design by Simon Rimmington