The discussion of zero day attacks is filled with vendor claims and mis-information. The reality of zero days isn’t nearly as exciting as the news and vendors make it sound, but understanding the difference between the reality and the hype is critical for planning your cyber defense. In most uses the term ‘zero day’ has become an over used, no meaning marketing buzzword. Beside that it’s a very important concept and one that you need to understand if you are going to provide security.

A zero day is a vulnerability that is known by at least one person but hasn’t been reported publicly yet. When you think about it, it makes sense. Bugs are mistakes made when writing software, as such they are unknown until someone finds them. When a security researcher finds a bug (vulnerability) in software there are a number of things she could do with that information. She could contact the author of the software and notify them of the problem, she could sell the information to any number of commercial vulnerability vendors, she could sell it to a government or she could use it to break into systems hoping to steal information of value.

When planning your cyber defense you have to consider that applications have vulnerabilities you don’t know about but an attacker does. In planning your defenses you have to consider how to structure your applications so when an attacker breaks into a the first server they don’t have access to everything you are trying to protect. While it might sound like an impossible task system and network administrators have been planning for the unexpected failure for years.

An example would be a web application that you expose to the Internet to offer information and products to your customers. You store the data about these transactions in a database. You could put both of these components on the same server but when an attacker breaks into your web application they would also have access to the database. If you place the database on a separate server so when the attacker breaks into the web application they won’t immediately have access to the database . Of course it’s necessary to take precautions to know if an attacker breaks into the web application so you will be able to stop them before they get to the data in your database.