Zero-day threats: indicators of compromise and patch management strategies
Published 25 January 2022
Warnings about the Log4j vulnerability in a logging library commonly used by systems running online services all over the world left businesses scrambling to apply the latest patch for protection. The situation highlights the problem of zero-day cyber threats: in some cases a risk is known before the patch that addresses it is available. So what can businesses do to position themselves to meet these challenges?
Zero-day vulnerabilities can involve risks that have not yet been identified, or those for which patches have not yet been developed, and they present security exposures that hackers can exploit to attack business networks, The New Scientist reports. These types of attacks use ever more sophisticated tools that are difficult to detect, and they are becoming more costly financially.
To defend themselves, businesses need to be alert to any sign of unusual activity within their networks. Common indicators of compromise include significant changes to inbound and outbound traffic, or a spike in the volume of requests for the same file. Unusually high levels of web traffic might also be generated artificially and show up as multiple login requests or increases in database read volumes, CrowdStrike warns.
It is realistic for businesses to expect an ongoing flow of vulnerabilities and attacks, so it is recommended, and expected by insurers, that a formal patch management process is in place to protect against, detect and defend against cyber attacks.
Top-down cyber security forward planning is essential
“Cyber security for businesses should involve a continuous, holistic approach to security and this should encompass the board position, the people education culture, the technical security controls and overall governance for resilience and recovery. It is only then you have strong management protocols for cyber risks,” says Gallagher Cyber/Tech Practice Leader Robyn Adcock.
“We recommend businesses implement and rely on endpoint detection and response (EDR) tools to continuously monitor for the type of activity that may indicate that they have been targeted by cyber criminals,” she says. “The aim should be to respond to the attack early to mitigate the effects.”
The first step is to institute a process for triaging emergency patching requirements according to priority. Then develop emergency patching protocols, including the time frame for critical action, as well as a plan and schedule for standard patch updates.
An effective plan should include, as a minimum:
inventory your systems – identifying all the software and hardware in your environment enables you to match known vulnerabilities to the patches you need to apply
assign risk levels to your systems – the more exposed to attack a system is, the higher the priority to patch it
consolidate software versions (and software itself) – multiple versions of the same software create a larger attack surface
keep up with vendor patch announcements – if you use a third-party product, it pays to keep track of its security updates
mitigate patch exceptions – if a patch cannot be applied, take alternative precautions to reduce the risk while you find a solution
test patches before applying them universally – trial a new patch on a small subset of your systems first
apply application patches as quickly as possible – don't leave your proprietary systems open to attack; address the vulnerability and update the software promptly
automate open source patching – know which open source tools you are using, and use automated tools to update unsafe versions.
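The checklist above can be turned into a repeatable, prioritised action plan. The following is an added example, not code from the original article or from Gallagher: it keeps a system inventory, matches assets against advisories, scores each match by severity and exposure, assigns an emergency or standard time frame, records a mitigation where a patch is blocked or does not yet exist (the zero-day case), picks a small low-exposure subset for trialling a patch, and reports software running in more than one version. The asset names, software names, versions, advisory ids, risk weights and time frames are all constructed assumptions for illustration.

```python
"""Prioritised patch plan built from a constructed inventory and advisories.

Added example; every asset, advisory, weight and time frame below is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed exposure weights: the more reachable a system is, the higher its priority.
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}
# Assumed time frames (days) per priority tier: emergency protocol vs standard schedule.
SLA_DAYS = {"emergency": 1, "high": 7, "standard": 30}


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    version: Tuple[int, ...]      # e.g. (2, 14, 1)
    exposure: str                 # key of EXPOSURE_WEIGHT
    patch_blocked: bool = False   # a known reason the patch cannot be applied yet


@dataclass(frozen=True)
class Advisory:
    advisory_id: str              # placeholder ids, not real CVE numbers
    software: str
    fixed_in: Optional[Tuple[int, ...]]  # None = no vendor patch yet (zero-day)
    severity: int                 # 1-10, CVSS-like
    mitigation: str               # fallback control while the patch is unavailable


# Constructed inventory and advisories (not real products or vulnerabilities).
ASSETS = [
    Asset("web-01", "weblib", (2, 14, 1), "internet"),
    Asset("web-02", "weblib", (2, 14, 1), "internet"),
    Asset("intranet-01", "weblib", (2, 12, 0), "internal"),
    Asset("hr-app", "payroll-suite", (5, 2, 0), "partner", patch_blocked=True),
    Asset("db-01", "dbengine", (13, 4, 0), "internal"),
]
ADVISORIES = [
    Advisory("ADV-0001", "weblib", (2, 17, 0), 10, "disable the vulnerable lookup feature"),
    Advisory("ADV-0002", "payroll-suite", (5, 3, 0), 7, "restrict partner VPN access"),
    Advisory("ADV-0003", "dbengine", None, 6, "restrict network access to the database port"),
]


def is_affected(asset, adv):
    """Affected if the asset runs the advisory's software below the fixed version
    (or any version at all, when no fixed version exists yet)."""
    return asset.software == adv.software and (
        adv.fixed_in is None or asset.version < adv.fixed_in)


def risk_score(asset, adv):
    return adv.severity * EXPOSURE_WEIGHT[asset.exposure]


def tier(score):
    """Map a score (max 30 under the assumed weights) onto a time-frame tier."""
    if score >= 24:
        return "emergency"
    if score >= 12:
        return "high"
    return "standard"


def version_sprawl(assets):
    """Software present in more than one version: candidates for consolidation."""
    versions = defaultdict(set)
    for a in assets:
        versions[a.software].add(a.version)
    return sorted(s for s, v in versions.items() if len(v) > 1)


def canary_subset(assets, adv, k=1):
    """Least-exposed affected assets on which to trial the patch before wide rollout."""
    affected = [a for a in assets if is_affected(a, adv)]
    affected.sort(key=lambda a: (EXPOSURE_WEIGHT[a.exposure], a.name))
    return [a.name for a in affected[:k]]


def build_plan(assets, advisories):
    """One action per affected asset/advisory pair, highest risk first."""
    actions = []
    for a in assets:
        for adv in advisories:
            if not is_affected(a, adv):
                continue
            score = risk_score(a, adv)
            t = tier(score)
            if adv.fixed_in is None or a.patch_blocked:   # patch exception: mitigate
                action = f"mitigate: {adv.mitigation}"
            else:
                action = "patch to " + ".".join(map(str, adv.fixed_in))
            actions.append({"asset": a.name, "advisory": adv.advisory_id, "score": score,
                            "tier": t, "action": action, "due_days": SLA_DAYS[t]})
    actions.sort(key=lambda x: (-x["score"], x["asset"]))
    return actions


if __name__ == "__main__":
    for item in build_plan(ASSETS, ADVISORIES):
        print(item)
    print("consolidate:", version_sprawl(ASSETS))
    print("trial ADV-0001 patch on:", canary_subset(ASSETS, ADVISORIES[0]))
```

The plan deliberately never drops an affected asset: where the vendor has no fix yet, or the patch is blocked, the entry carries the compensating control instead of the patch, so the exception stays visible until it is resolved.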
How cyber insurers are responding to zero day threats
In this climate of heightened vulnerabilities and increasing incidence of attacks, insurers are seeking more detailed information about businesses' system controls and risk management in order to minimise potential losses.
They are likely to ask about known vulnerabilities and how they are being addressed, whether the business has been affected, and what remediation measures were taken. Providing this information to insurance underwriters will have a bearing on key policy terms, limits offered, exclusionary language imposed and premium rates; without it, cover may not be available at all.
Access cyber risk management expertise
Our cyber security experts can assist businesses with addressing underwriter questions, strategies for addressing cyber security vulnerabilities, and obtaining optimal cyber insurance coverage.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective.