Election Security Spotlight – Zero-day Exploits and Vulnerabilities

What it is

A zero-day exploit is a cyber attack that targets a flaw in a system before the developers or the public are aware the flaw exists. Zero-day exploits cannot be prevented because they are known only to the attacker. Attackers attempt to identify vulnerabilities by researching and probing systems. Once a vulnerability is discovered, an attacker will share or sell it, or begin designing an exploit to be used in malware or other attack vectors. Online markets exist that sell the newest zero-day vulnerabilities. Once developers become aware of the vulnerability, they have to quickly notify users and fix the issue with a patch.

Why does it matter

Election officials should be aware of zero-day exploits and how to prepare for a possible compromise. Because they are discovered in secrecy, there is no way to preemptively prepare for a specific one, but they are part of the overall threat picture and must be considered in risk management activities. Relationships with vendors also matter: vendors are typically in the best position to say which systems may be impacted, to provide information on mitigations and how to minimize impacts before a patch is available, and to support patching once a patch is released. The exploitation of a zero-day vulnerability prior to public disclosure may result in significant impacts to an organization. As an example, the Stuxnet worm used an unknown zero-day vulnerability in a specific industrial control system. The attackers used this to compromise an Iranian nuclear plant and cause catastrophic damage.

What you can do

Election offices can take steps to help mitigate damages through cyber hygiene best practices and a defense in depth strategy. For instance, anti-malware software that uses heuristic analysis focuses on how a file behaves while it executes rather than on a known signature. Depending on the file's actions, the anti-malware may classify the file as malicious. Network segmentation can help limit the spread of a zero-day infection. Additionally, accounting for zero-day vulnerabilities in a patch management policy will help deploy patches as soon as they become available. To help prevent the exploitation and sharing of zero-day vulnerabilities, software vendors may offer bug bounties, which reward white hat hackers for reporting flaws directly to their developer teams. While resources may not be available to pay bounties, election offices should consider establishing coordinated vulnerability disclosure (CVD) policies, which set out how information about a vulnerability is shared and how the vulnerability is remediated before it is disclosed to the public.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].