Then NSS did a little more research and widened its net to more exploit vendors. In doing so, it determined that more than 100 zero-days were for sale this year alone. According to NSS Labs, the zero-days remained undisclosed to their vendors or the public for an average of 151 days. The paper continues: "NSS found subscriptions delivering 25 zero-day vulnerabilities per year can be had for $2.5 million." Not cheap!
But any nation-state can pony up that kind of money, and NSS Labs feels that some organized cyber criminals are readily capable of raising the needed funds. The paper closes with the warning, "These numbers are considered a minimum estimate of [zero-days], as it is unlikely that cybercriminals, brokers, or government agencies will ever share data about their operations."
However you spin the numbers, the fact is you could easily be exposed to one or more zero-days in a given year. What can you do to defend yourself if you can't afford million-dollar subscription fees?
First, there are dozens of companies that offer products claiming to detect 100 percent of malware and exploits, including zero-days. Anytime you encounter that claim, run the other way as fast as possible. What they're saying simply isn't possible -- or isn't possible without a ton of false positives. (All you well-meaning vendors about to email me to say I'm wrong, that you can in fact detect 100 percent of all malware? Please don't waste the time and electronic bits -- please.)
Nonetheless, you can find solutions that help detect and/or defend against zero-days. If you're worried about the risk or have been targeted before, it can't hurt to test. Your best bet is to get a reference from a customer that successfully used the product.
But that's not all you should do. Have general mitigations ready to deploy. If you have an Active Directory network, consider using group policy to deploy those mitigations. Use them to disable affected services. Use network and host-based firewalls to limit malicious spread and damage.
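As an added illustration of the "general mitigations ready to deploy" idea (example code, not from the column or from any product it mentions): a PowerShell script that disables a named service and blocks its inbound port with a host-firewall rule, logging what it changed so the step can be reversed. It is written to be pushed to domain members as a Group Policy computer startup script; the same settings can also be set directly in a GPO under Computer Configuration > Policies > Windows Settings > Security Settings (System Services, and Windows Defender Firewall with Advanced Security). The service name `ExampleVulnerableSvc`, the port 4444 and the log path are placeholders, not values from the article.

```powershell
# Added example: emergency host-side mitigation for an exposed service.
# Deploy via a GPO computer startup script or as equivalent GPO settings.
# Service names, ports and the log path are assumed placeholders.
param(
    [string[]]$ServicesToDisable      = @('ExampleVulnerableSvc'),  # placeholder
    [int[]]   $InboundTcpPortsToBlock = @(4444),                    # placeholder
    [switch]  $WhatIfMode,   # report what would change, change nothing
    [switch]  $Rollback      # remove the firewall rules this script created
)

# Every action is logged so the change can be audited and undone later.
$log = Join-Path $env:ProgramData 'zero-day-mitigation.log'
function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" |
        Tee-Object -FilePath $log -Append
}

# --- Services: record the current state first, then disable and stop ---
foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Log "service '$name' not present on this host, nothing to do"
        continue
    }
    # The logged StartType is what an operator restores during rollback.
    Write-Log "service '$name' status=$($svc.Status) starttype=$($svc.StartType)"
    if ($WhatIfMode -or $Rollback) { continue }
    Set-Service -Name $name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Write-Log "service '$name' set to Disabled and stopped"
}

# --- Host firewall: block inbound TCP to the affected port, idempotently ---
foreach ($port in $InboundTcpPortsToBlock) {
    $ruleName = "Mitigation-Block-TCP-$port"
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if ($Rollback) {
        if ($existing) {
            Remove-NetFirewallRule -DisplayName $ruleName
            Write-Log "rule '$ruleName' removed (rollback)"
        }
        continue
    }
    if ($existing) { Write-Log "rule '$ruleName' already present, skipping"; continue }
    if ($WhatIfMode) { Write-Log "would create rule '$ruleName'"; continue }

    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
    Write-Log "rule '$ruleName' created: inbound TCP/$port blocked on all profiles"
}
```

Run it once with `-WhatIfMode` on a test OU to see what it would touch, then link the GPO to the affected OUs; `-Rollback` removes the firewall rules, and the logged start types tell the operator what to restore on the services once a patch is in place. Because the rules are created only when missing and the log records the prior state, the script can be re-applied at every startup without stacking duplicate rules.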
Make sure you have a good incident response team and process in place. Make sure you have top-notch forensic investigators, at least on-call. Be prepared to shut down the affected network segment -- or perhaps even the entire network -- to stop the threat. Can that be done? Would you have senior management's support? Decide ahead of time when to involve senior management.
Most companies will never be hit by a zero-day attack. But that doesn't absolve you from adequately preparing for one.
This story, "Zero-day exploits: Separating fact from fiction," by Roger Grimes was originally published at InfoWorld.com as part of his Security Adviser blog.