One of my security predictions for 2017 was that we’d see a civilian casualty in the cyber cold war. Whether you realize it or not, nation states are participating in cyber offense. Many suspect (and recent leaks help confirm) that governments fuel their offense by stockpiling zero day vulnerabilities, security flaws in software that the vendor doesn’t know about yet. As my prediction mentions, I believe governments sitting on zero day vulnerabilities puts everyone at risk. If you don’t help fix a vulnerability, there is no telling when a “bad actor” might learn of the flaw and use it against your citizens.
That said, until recently no one had quantifiable data about how common zero day flaws are, how long they remain undiscovered, or how often two entities find the same flaw. In this video, I cover a new report from the RAND Corporation that tries to answer these and other questions. I don’t fully agree with all of the methodology and results in the report, but it does offer some interesting insight into zero day vulnerabilities. Watch to learn more.
Episode Runtime: 6:26
Direct YouTube Link: https://www.youtube.com/watch?v=gVelJjVjkIM
- RAND Corp’s Zero Days, Thousands of Nights report [PDF] – Rand.org
- Should the U.S. Stockpile Zero Day? – FCW
- Zero day have staying power – ThreatPost
Corey Nachreiner, CISSP (@SecAdept)