
Zero-Day Attacks: Reducing Your Risk


The phrase "zero-day" refers to the first day on which a new piece of malware or a newly exploited vulnerability appears. Because traditional antivirus software works by identifying and protecting against known threats, it offers no protection against an attack that has never been seen before.

Typically, it takes several weeks after notification of a security vulnerability for a vendor to develop a patch. It can then take most organizations another 3 to 4 weeks to test and install the patch, starting with top-level assets and systems and then moving on to lower-priority areas. So the total time between vendor discovery of a vulnerability and customer installation of patches can range from 45 to 120 days. What you end up with is a window in which the vulnerability is public, people know about it, and you may find that you are totally unprotected.

Today, the value of zero-day exploits to online criminals is skyrocketing
precisely because the attacks can break into up-to-date, well-maintained systems. While there is no way to guarantee you will never suffer a zero-day attack, there are steps one can take in advance to reduce that risk to a minimum.

Keep security up to date. Make sure that a firewall, either Windows or one
from a third party, is running on your PC. Firewalls block malicious worms that could otherwise scan your computer for unpatched vulnerabilities and then try to break in at a weak point.

Enable daily automatic updates for Windows and other programs whenever
possible. Patches won't help against zero-day incursions, but major vulnerabilities tend to remain targets even after the fixes are released, precisely because attackers know that many people don't bother patching.

Consider choosing antivirus programs or security suites that include heuristic
and/or behavioral analysis to protect your PC against as-yet-unknown dangers. Apps that are designed to perform these types of analyses supplement the more traditional signature-based antivirus software, which by definition must be aware of a threat before it can protect against it.

If you are running Windows XP, use a preventive-measure program such as
DropMyRights (the app modifies users' rights so as to remove an application's ability to make deep system changes) to supplement your antivirus software or security suite.

Consider host intrusion protection software (HIPS). HIPS does not rely on lists of definitions or signatures to block viruses. Instead, it identifies a threat by analyzing its behavior on your system, and uses rules-based monitoring to prevent such intruders from making unwanted changes. Be advised that installation can be difficult and maintenance demanding, and the need for a separate product for each OS and application in the network environment makes host-based solutions expensive and, at times, impractical to deploy across an entire network.

Keep an eye on your systems. A sudden increase in unusual error messages can be a signal of a zero-day attack.
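One way to put the advice above into practice, as an added example that is not part of the original article: compare the latest hour's error count against the baseline of earlier hours and report error messages never seen before. The log lines and the threshold k are constructed for illustration.

```python
"""Flag a sudden rise in unusual error messages (added example, constructed data).
Two checks run over hourly batches of log lines: the latest batch's error count
is compared with a baseline (mean + k * stddev of earlier batches), and error
messages never seen in the baseline are reported as novel."""
import re
import statistics
from collections import Counter

ERROR_RE = re.compile(r"\b(ERROR|CRITICAL|faulting application)\b", re.IGNORECASE)

def error_counts(batches):
    """Count error-like lines in each batch of log lines."""
    return [sum(1 for line in b if ERROR_RE.search(line)) for b in batches]

def normalize(line):
    """Replace digit runs (timestamps, PIDs, job ids) so one message type compares equal."""
    return re.sub(r"\d+", "N", line.strip().lower())

def analyze(batches, k=3.0):
    """Return (spike, novel_messages) for the last batch versus all earlier ones."""
    counts = error_counts(batches)
    base, latest = counts[:-1], counts[-1]
    mean = statistics.mean(base)
    sd = statistics.pstdev(base)
    spike = latest > mean + k * sd and latest > mean + 2   # ignore tiny baselines
    seen = {normalize(l) for b in batches[:-1] for l in b if ERROR_RE.search(l)}
    novel = Counter(normalize(l) for l in batches[-1]
                    if ERROR_RE.search(l) and normalize(l) not in seen)
    return spike, dict(novel)

# Constructed sample: six quiet hours, then one noisy hour with a new message type.
QUIET_HOUR = [
    "2009-03-01 10:00:12 INFO service started",
    "2009-03-01 10:14:55 ERROR printer spooler timeout (job 41)",
]
NOISY_HOUR = ["2009-03-01 16:00:01 INFO service started"] + [
    f"2009-03-01 16:0{i} ERROR faulting application svchost.exe, pid {1000 + i}"
    for i in range(8)
]
SAMPLE_BATCHES = [QUIET_HOUR] * 6 + [NOISY_HOUR]

if __name__ == "__main__":
    print(analyze(SAMPLE_BATCHES))
```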

Keep an eye on security news. Monitoring security threat information as it is published can help you stop a new threat before it does you any harm.

For the home or personal computer user, two products worth considering as additions to your software defenses are DriveSentry and ThreatFire. Both are free for home use and have received high recommendations.



DriveSentry checks a computer process against several metrics. The first check is a whitelist, which determines whether the program is a known trusted program rather than a virus. Next, DriveSentry checks the program against updated signatures designed to detect specific viruses. It then uses heuristics to discover any malicious behavior the program is exhibiting. Finally, it consults its community database, compiled from the actions of all DriveSentry users, to decide whether the software is malicious. However you look at this process, the software applies a lot of separate security checks. Best of all, the whole identification process happens without the user noticing a decline in computer performance. In summary, DriveSentry is an excellent PC security utility that can provide an additional layer of protection alongside any antivirus program.

ThreatFire differs from traditional antivirus in that it does not rely heavily on frequent signature updates. Rather, the software is designed to supplement existing antivirus against zero-day threats and new viruses that have not yet been discovered. This protection is achieved by a behavior engine that senses malicious programs and the unauthorized changes they may attempt on your computer. The program essentially has a list of rules against which all system processes are measured. If a process violates one of these rules, ThreatFire automatically disables the program and quarantines it.
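As an added illustration of the layered, rules-based approach described for HIPS, DriveSentry and ThreatFire above (example code written for this page, not any vendor's implementation), the following Python sketch runs an unknown process through an allowlist, a known-bad signature list and a set of weighted behavior rules. Hash values, rule definitions, weights and the event trace are all constructed placeholders.

```python
"""Illustrative HIPS-style decision pipeline (added example, constructed data).
A process is first checked against a trusted allowlist, then against known-bad
signatures, then its observed behaviour is scored against rules; a score at or
above the threshold yields a quarantine verdict."""
from dataclasses import dataclass, field

# Constructed allowlist and signature list (placeholders, not real hashes).
TRUSTED_HASHES = {"aaaa1111-trusted-updater"}
KNOWN_BAD_HASHES = {"bbbb2222-known-worm"}

# Behaviour rules: (name, predicate over one event, weight). Constructed for illustration.
RULES = [
    ("writes_system_dir", lambda e: e["action"] == "file_write"
        and e["target"].lower().startswith(r"c:\windows\system32"), 3),
    ("sets_autorun", lambda e: e["action"] == "reg_set"
        and "\\currentversion\\run" in e["target"].lower(), 3),
    ("disables_firewall", lambda e: e["action"] == "reg_set"
        and "firewallpolicy" in e["target"].lower(), 4),
    ("injects_process", lambda e: e["action"] == "remote_thread", 5),
]
QUARANTINE_THRESHOLD = 6

@dataclass
class Verdict:
    decision: str            # "allow", "block_signature", "quarantine" or "monitor"
    score: int = 0
    violations: list = field(default_factory=list)

def evaluate(sha256, events):
    """Decide what to do with a process given its hash and its observed events."""
    if sha256 in TRUSTED_HASHES:          # stage 1: allowlist short-circuits
        return Verdict("allow")
    if sha256 in KNOWN_BAD_HASHES:        # stage 2: signature match
        return Verdict("block_signature")
    score, hits = 0, []                   # stage 3: behaviour rules, each counted once
    for ev in events:
        for name, pred, weight in RULES:
            if pred(ev) and name not in hits:
                hits.append(name)
                score += weight
    decision = "quarantine" if score >= QUARANTINE_THRESHOLD else "monitor"
    return Verdict(decision, score, hits)

if __name__ == "__main__":
    sample = [  # constructed event trace for an unknown binary
        {"action": "file_write", "target": r"C:\Windows\System32\drivers\x.sys"},
        {"action": "reg_set", "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"},
    ]
    print(evaluate("cccc3333-unknown", sample))
```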

One may question the accuracy of an automated system such as ThreatFire. However, ThreatFire outperforms many people's expectations. In fact, the software has won an Editors' Choice award from PC Magazine and from PC World.


Copyright (c) 2009 RHorizons & JustHost.com