When you read articles about breaches and security warnings, you may see the term “zero-day,” as in “zero-day attack,” or “zero-day exploit.”
Zero-Day refers to a system vulnerability that is unknown to IT security providers. A zero-day attack allows a cybercriminal to exploit the vulnerability to inject malware, steal data assets, or crawl through the network to find high-value targets.
Once security vendors learn of the vulnerability, they develop patches or workarounds sent out as software updates. It’s kind of a race, as crooks will look for unpatched systems to exploit until systems are updated.
A related term: CVE, followed by a string of numbers and hyphens. CVE stands for Common Vulnerabilities and Exposures, and it’s a program overseen by the non-profit MITRE Corporation. The U.S. Department of Homeland Security and its related agency, the U.S. Computer Infrastructure and Security Administration sponsor it.
The CVE program started in 1999 to bring common naming and organization to reports of software and hardware problems. Before CVE, each vendor of a product with a vulnerability would report it with their own naming style, causing confusion.
The CVE system brought organization and standardization to reports of vulnerabilities, and this naming system is now standard across the cybersecurity world.
When you become aware of a problem – say news reports about a breach or a huge, embarrassing exposure of data – if you investigate further, you will find a CVE number attached to it.
There’s a standardized process by which researchers report vulnerabilities to a “CVE Numbering Authority” – a software or hardware company, research firm, etc., which has agreed to specific terms of service and is certified to participate.
There are 153 CVE Numbering Authorities worldwide –the U.S. being home to 88 of them. As of late February, MITRE reported 149,726 CVE records or vulnerabilities discovered since 1999.
Unfortunately, cybercriminals only need one vulnerability to exploit and ruin you. And if it’s a “zero-day,” you may be out of luck!