Election Security Spotlight – Zero-day Exploits and Vulnerabilities
What it is
A zero-day exploit is a cyber attack that targets a flaw in a system before developers or the public are aware it exists. Zero-day exploits cannot be prevented because they are known only to the attacker. Attackers attempt to identify vulnerabilities through researching and probing systems. Once discovered, an attacker will share or sell the newly discovered vulnerability or begin designing an exploit to be used in malware or other attack vectors. Currently there are online markets that exist that sell the newest zero-day vulnerabilities. Once developers become aware of the vulnerability, they have to quickly notify users and fix the issue with a patch.
Why does it matter
Election officials should be aware of zero-day exploits and how to prepare for a possible compromise. Because they are discovered in secrecy, there is no way to preemptively prepare for them, but they are part of the overall threat picture and must be considered in risk management activities. Relationships with vendors also matter as they will typically be in the best position to provide information on mitigations prior to release of a patch, which systems may be impacted, how to minimize impacts before a patch is available, and patching once available. The exploitation of a zero-day vulnerability prior to public disclosure may result in significant impacts to an organization. As an example, the Stuxnet worm used an unknown zero-day vulnerability in a specific industrial control system. The attackers used this to compromise and cause catastrophic damage to an Iranian nuclear plant.
What you can do
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact email@example.com.