Zero Days

No Sec Cybersecurity Consulting knows that Zero-Day vulnerabilities arise when software errors or technical holes that impact cybersecurity are discovered and/or exploited before a fix or patch can be developed and deployed to address each respective vulnerability.

Background: Zero-Days start as shadow Vulnerabilities, which are ranked on public scales. A low-severity issue, for example, may be worse than its rating depending on when the Vulnerability becomes public, if ever. The impact the Vulnerability has had, or is expected to have, up to that point also affects its score, which is never truly accurate. In addition, Vulnerability severity is reassessed and may become riskier at any time of day.

Also, there are only one or two true sources in the industry that reliably research and label these Vulnerabilities, such as MITRE, and they are questionable at best as sources of truth because the process is so centralized. In the end, no one supplies an answer as to whether these common Vulnerabilities are themselves considered Zero-Days, which in many cases shows manipulation and incomplete data. See the recent Black Hat report on CVSS Deceptions.

Therefore, technology folks need to understand that these findings were all Zero-Days at one point or another, up to the point of being broadcast to cybersecurity folks and/or made public in general, if ever. To conclude, not all remediating controls for fixes work all the time. As all information security engineers know, it's like constantly chasing complexity and chaos, while expecting to get paid well to play the cost game.

Zero-Days are even more present today.

Here are examples of massive Zero-Day areas of chaos and complexity in IT:

  • Ever-expanding ransomware with TFLOPS+ neural-network based upkeep.
  • Artificial intelligence (AI) attacks and clones, even on-chain attacks.
  • Internet of Things (IoT) digital twins, with spoofed IoT devices.
  • State-sponsored attacks and deepfakes with real-time high-powered AI resources.
  • Sandbox-evading malware when included within another area of IT complexity.
  • Common app store malware deployed by trusted sources, such as Google.
  • Crypto-jacking by any day-to-day techie with an internet connection and a GitHub account.
  • Drone-jacking by any day-to-day techie with access to a secure radio and RF gadgets from the internet.
  • Cloud computing memory-based compute and internal threat externalities, such as with AWS.

Most CTOs and CISOs, in their Zero-Day heart and mind, know this exact fact: nowadays Zero-Days are perilous in the current modern IT stack model. And so, on and on, these leaders accept these risks, avoid them as much as possible, and/or pass them off somewhere else, such as to an expensive cybersecurity insurance policy or an “industry”-accepted PaaS solution.

Today’s owners of critical systems and applications are not capable of knowing everything cybersecurity-related beforehand, as if with an all-seeing crystal ball, nor can we rely on fancy big-tech cybersecurity tools or PaaS to be updated in real time to accept all these Vulnerability and Threat risks upfront and thereby combat Zero-Days.

In this way our tech stacks of today fail us all by being behind the chaos. Zero-Days are as ubiquitous as the World Wide Web, and they are in front of the chaos.

Let's zero out Zero-Days together by freeing technology stacks with better and more advanced technologies.

No Sec Consulting and Think-Tank seeks to secure our future against cybersecurity waste and acceptance.
