
Vulnerabilities are a Cybercriminal’s Best Friend

  • Posted on:March 21, 2018
  • Posted in:Network, Security, Zero Day Initiative
  • Posted by:
    Jon Clay (Global Threat Communications)

Discussions of how cybercriminals and hackers are able to compromise and penetrate an organization regularly lead to the use of exploits and exploit kits. Because all software can contain flaws and bugs, a threat actor only has to either find a new, undisclosed vulnerability (a zero-day) or pick from the many vulnerabilities already disclosed, then create a weaponized exploit to compromise a machine or device. This was true of the top threats in 2017, including WannaCry, Petya/NotPetya, and the Equifax breach. Cybercriminals know that patch management is hard and that many systems within an organization either haven’t been patched or cannot be patched due to obsolete software or vendor policies around managing devices. All of these pose critical gaps in organizations’ defenses, but the good news is that there is an organization that has been at the forefront of supporting responsible disclosure of vulnerabilities, which ultimately protects organizations from both known and unknown exploits.

Trend Micro’s Zero Day Initiative, or ZDI, was founded in 2005 to encourage the responsible reporting of zero-day vulnerabilities to vendors by financially rewarding researchers through an incentive program. Today, ZDI is the world’s largest vendor-agnostic bug bounty program, with more than 3,500 independent researchers around the world, in addition to the internal team, who submit previously undiscovered vulnerabilities found within a myriad of enterprise business applications including, but not limited to, those from Microsoft, Adobe, Apple, VMware, and Oracle, and even SCADA/ICS applications used in many nations’ critical infrastructures. Through this program, ZDI is able to obtain and validate undisclosed vulnerabilities and work with the affected vendors to responsibly disclose them. In most cases, the vendors ensure there is a patch available before the vulnerability is publicly disclosed. Two key annual events, Pwn2Own and Mobile Pwn2Own, allow researchers to come together and submit their vulnerabilities for monetary incentives and to be awarded Master of Pwn. These events are another way to obtain new vulnerabilities, which are then managed by ZDI and the vendors to provide patches to the public.

You may be wondering how we (Trend Micro) can say ZDI is the “world’s largest bug bounty program.” Don’t take our word for it: Frost & Sullivan published a report, “Analysis of the Global Public Vulnerability Research, 2017,” profiling many of the public vulnerability reporting agencies, including ZDI. Since 2007, ZDI has been profiled as the one program that has consistently reported not only the most vulnerabilities, but also the most critical vulnerabilities, as well as the most reported to ICS-CERT. Some of the 2017 numbers from the report include:

  • 1,522 vulnerabilities publicly disclosed
  • 1,009 (66.3%) came through ZDI
  • 8% categorized as Critical or High Severity were disclosed by ZDI

What does this mean to the public and to Trend Micro customers? ZDI and its independent researchers are helping to ensure that many of the vulnerabilities found within operating systems and applications used by enterprises, and by organizations with SCADA/ICS critical infrastructures, have a patch available to apply when the vulnerability is disclosed. This allows these organizations to apply patches and ensure they are protected against any exploits created by the threat actors that may target them. For Trend Micro customers using TippingPoint products, it also means preemptive protection against these vulnerabilities through a virtual patch before the publicly disclosed patch is made available by the affected vendor. In 2017, pre-disclosed filters were available to customers ahead of a vendor patch, on average:

  • 42 days before Microsoft bulletins
  • 63 days before Adobe bulletins
  • 72 days before all vendor bulletins

This minimizes the window of opportunity a threat actor has to create an exploit and utilize it in an attack, whether before or even after a vendor has a patch available. Organizations can use virtual patching very effectively to ensure they are protected with minimal operational disruption. Protection against exploits and exploit kits is proactively enhanced through the world-class vulnerability research provided by ZDI.

For more information on ZDI and statistics from the Frost & Sullivan report, check out this infographic. To read the full Frost & Sullivan report, download here.

Please add your thoughts in the comments below or follow me on Twitter: @jonlclay
