
N-Day Threats: When Security Patches Aren’t Enough

What are zero-day threats?

Threats that exploit a vulnerability not yet known to the vendor or the public. Any non-trivial program ships with undiscovered flaws, so until a flaw is found there is no patch and no countermeasure aimed at it.

What are N-day threats?

N-day threats are publicly known security flaws, which may or may not have a security patch available. The term 1-day or N-day indicates that one or more (N) days have passed between public disclosure and the moment a system is attacked: a 1-day was disclosed yesterday, a 30-day a month ago. The goal of vendors, distributors, and administrators is therefore to patch systems as quickly as possible to shrink that window.

A zero-day is a vulnerability unknown to everyone but its discoverer: no patch exists, and defenders cannot block it specifically, only fall back on generic hardening and monitoring. Once the vulnerability is publicly disclosed, usually together with a patch, it becomes an N-day: everybody knows about it, and a defense is available in principle. Zero-days are comparatively rare; N-days are common.

N-day flaws are attractive to attackers because the hard work of finding the flaw has already been done. Once a vendor acknowledges the fault and ships a fix, attackers can compare the patched and unpatched code to locate the bug, then write and deploy an exploit, often within days, while many systems remain unpatched. With countless N-day vulnerabilities in circulation, entities from small companies to hardened government organizations are left exposed. Some industries are even more at risk because their systems are hard to patch: organizations that run Industrial Control Systems (ICS) in manufacturing, infrastructure, and energy. Patching there is slow because of long supply chains and because several vendors may embed a component from the original manufacturer that identified the N-day. In many cases the downstream vendors do not even know the vulnerability applies to them, because the reach of the original product extends so far.

There are many real-world cases of N-day threats. A recent example is CrashOverride, also known as Industroyer, a dangerous piece of ICS malware used in an attack in December 2016 that disrupted operations at a Ukrainian electrical transmission substation and caused a regional power outage. Most of Industroyer's components did not rely on a software bug at all: they spoke the substation's own control protocols the way a legitimate operator would, which no patch can address. In cases like this, security patches alone are not an effective answer.

With so many N-day flaws in circulation, patches will never arrive quickly enough on their own. The most realistic approach for an ICS environment is strong intrusion detection and mitigation that shields against known and, as far as possible, unknown attacks, rather than reliance on frequent updates that the environment may not be able to absorb. Additionally, it is important to follow these best practices:

  • Use multi-factor authentication wherever possible.
  • Encrypt everything: at rest and in flight.
  • Deploy robust intrusion detection.

What precisely do these actions mean in detail?

Multi-factor authentication is exactly what it sounds like: confirming a user's identity with more than one piece of evidence before granting access, where the pieces come from different categories (two passwords are still one factor). The categories are:

  • Something you know: knowledge of a secret such as a password, PIN, or passphrase.
  • Something you have: a hardware token (such as an RSA SecurID), smart card, key fob, or a phone running an authenticator app or receiving a push prompt.
  • Something you are: a biometric such as a fingerprint, retina or iris scan, facial or voice recognition, or another unique physical characteristic.

Encryption transforms data so that anyone who intercepts or steals it cannot read it without the decryption key. It is one of the most effective ways to protect data because an attacker must both break into an organization's systems and then defeat the encryption, and modern authenticated ciphers also detect tampering, not just eavesdropping. Encryption at rest refers to data encrypted while it is stored on a disk or device; encryption in flight (in transit) refers to data encrypted while it moves between systems, whether over a network connection, in an email, or on a removable drive. Both are only as strong as the protection of the keys themselves.

Finally, rather than reacting to an N-day threat after the damage is done, organizations should deploy strong intrusion detection systems (IDS). Current systems not only detect threats but can also block them (intrusion prevention). In an ICS network, inline blocking should be enabled with care, since a false positive that drops legitimate control traffic can itself disrupt the process; many operators run passive detection on a network tap and reserve blocking for well-understood signatures.

As with any type of cyberthreat, it is critical that organizations take a more proactive approach, instead of waiting for the next cybercrime to occur before they take action.

CyberGuard Compliance