Election Security Spotlight – Zero-day Exploits and Vulnerabilities

What it is

A zero-day exploit is a cyber attack that targets a flaw in a system before developers or the public are aware it exists. Zero-day exploits cannot be prevented because they are known only to the attacker. Attackers attempt to identify vulnerabilities by researching and probing systems. Once a vulnerability is discovered, an attacker will share or sell it, or begin designing an exploit to be used in malware or other attack vectors. Online markets currently exist that sell the newest zero-day vulnerabilities. Once developers become aware of the vulnerability, they have to quickly notify users and fix the issue with a patch.

Why does it matter

Election officials should be aware of zero-day exploits and how to prepare for a possible compromise. Because they are discovered in secrecy, there is no way to preemptively prepare for them, but they are part of the overall threat picture and must be considered in risk management activities. Relationships with vendors also matter, as vendors will typically be in the best position to provide information on mitigations prior to the release of a patch, which systems may be impacted, how to minimize impacts before a patch is available, and patching once available. The exploitation of a zero-day vulnerability prior to public disclosure may result in significant impacts to an organization. As an example, the Stuxnet worm used an unknown zero-day vulnerability in a specific industrial control system. The attackers used this to compromise and cause catastrophic damage to an Iranian nuclear plant.

What you can do

Election offices can take steps to help mitigate damage through cyber hygiene best practices and a defense-in-depth strategy. For instance, anti-malware software that uses heuristic analysis focuses on how a file acts during its normal execution. Depending on the file's actions, the anti-malware may classify the file as malicious. Network segmentation can help prevent the spread of zero-day infections. Additionally, considering zero-day vulnerabilities in a patch management policy will help deploy patches as soon as they become available. To help prevent the exploitation and sharing of zero-day vulnerabilities, software vendors may offer bug bounties to white hat hackers for reporting flaws directly to their developer teams in exchange for a reward. While resources may not be available to pay bounties, election offices should consider establishing coordinated vulnerability disclosure (CVD) policies, which create a guide to sharing information on and remediating vulnerabilities before disclosure to the public.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact elections@cisecurity.org.