Threats posed by zero-day vulnerabilities were ranked by global IT decision makers as their topmost security concern, according to a recent survey by security firm PatchLink.
Fifty-three per cent of respondents put zero day vulnerabilities as the No. 1 security concern, followed by hackers, cited by 35 per cent, and malware and spyware with 34 per cent. PatchLink surveyed 250 of its customers worldwide in June 2007, including CIOs, CSOs, IT directors and managers.
"The prospect of zero-day attacks is extremely troubling for organisations," research director for security products at IDC, Charles Kolodgy, said. "Today's financially motivated attackers are creating customised, sophisticated malware designed to exploit unpublished application vulnerabilities in specific applications before they can be fixed."
Many IT departments were spread thin and lacked the resources to proactively defend against zero-day threats, and attackers were using this to their advantage, Kolodgy said.
Hackers were also counting on the human element part of the security equation to help them accomplish their attacks, he said.
"User behaviour is difficult to control, and many hackers rely on users' lapses in judgment to carry out their malicious activity," Kolodgy said.
Controlling user behavior was cited by 32 per cent of IT executives as the primary challenge to vulnerability management.
PatchLink also asked IT executives to rank the application that they wee most concerned about protecting. Internet Explorer finished on top after being cited by 83 per cent of the respondents.
Various Internet security threat reports earlier indicated an increasing trend in attacks targeted towards Web browsers and Web applications, serving as an avenue to gain access to corporate networks.
"Those vulnerabilities are often used in 'gateway' attacks, in which an initial exploitation takes place not to breach data immediately, but to establish a foothold from which subsequent, more malicious attacks can be launched," Symantec's latest Internet Security Threat Report stated.
If successful, vulnerabilities in Web browsers and Web applications can enable an attacker to install malware and subsequently gain control of a compromised system.
Although 72 per cent of respondents to the PatchLink survey indicated that they are now more secure than a year ago, IT executives remain wary of other risks that are in the realm of the unknown, according to senior vice-president for Americas at PatchLink, Matthew Mosher, said.
"[IT managers] are now starting to look at more of these zero-day vulnerabilities because they don't necessarily think that they have a handle on that," Mosher said.
The PatchLink executive said the financial motivation driving hackers today had made IT executives more concerned about zero-day exploits.
President of Toronto-based IT security consultancy CMS Consulting, Brian Bourne, was surprised that zero-day vulnerabilities would concern many IT executives, as such exploits are typically used for targeted attacks. Such concern might be out of lack of a complete understanding on how to protect against these threats, he said.
Bourne recommendeda defense-in-depth strategy was still the right strategy for protecting against zero-day exploits.
He urged IT managers to subscribe to a vulnerability advisory list, so that they could get all updates on most recent zero-day discoveries.
"Get the information right away to find out if it impacts you," Bourne said, adding that the first step was finding out whether your company even ran that vulnerable software.
A good asset management system, which gave IT a clear indication of what software and hardware were running across the enterprise, would enable administrators to make a determination of whether they were vulnerable to a zero-day attack, he added.
Once it was determined that there was a risk, IT administrators could then make an effort to learn everything they could about the vulnerability, he said.