Zero Days, Thousands of Nights : The Life and Times of Zero-Day Vulnerabilities and Their Exploits
Zero Days, Thousands of Nights :
The Life and Times of Zero-Day Vulnerabilities and Their Exploits
by Lillian Ablon and Andy Bogart
English | 2017 | ISBN: 083309761X | 133 Pages | PDF | 2.7 MB
The Life and Times of Zero-Day Vulnerabilities and Their Exploits
by Lillian Ablon and Andy Bogart
English | 2017 | ISBN: 083309761X | 133 Pages | PDF | 2.7 MB
There is an ongoing policy debate over whether the U.S. government—or any government—should retain so-called zero-day software vulnerabilities or disclose them so they can be patched. Those who have knowledge of a zero-day vulnerability may create “exploits”—code that takes advantage of the vulnerability—to access other parts of a system, execute their own code, act as an administrator, or perform some other action, but many worry that keeping these vulnerabilities secret can expose people who use the vulnerable software to malware attacks and other attempts to collect their private information. Furthermore, cybersecurity and the liability that might result from attacks, hacks, and data breaches using zero-day vulnerabilities have substantial implications for U.S. consumers, companies, and insurers, and for the civil justice system broadly.
To address this question, RAND obtained rare access to a dataset of information about zero-day software vulnerabilities and exploits. In this report, we explore the dataset using novel applications of traditional statistical methods to reveal a number of insights about the industry and establish some initial metrics regarding the life status, longevity, and collision rates of zero-day vulnerabilities and their exploits. We also touch on the labor time required to create an exploit. The results of this research provide findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, and inform ongoing policy debates regarding stockpiling and vulnerability disclosure.
This research could be valuable to a wide variety of stakeholders, chief among them policymakers making decisions about how to reduce the nation’s vulnerability while still maintaining robust options for cyber operations.