A hacker-in-chief from the National Security Agency (NSA) has explained that the consequences of zero-day vulnerabilities, which are undetected flaws that can create software problems, have been overstated by governments and security experts, since focus and persistence are also important when hacking a system.

The remarks from Rob Joyce, the NSA’s chief of Tailored Access Operations (TAO), come after the security agency has been considering the impact of attacks that can be deployed to harm machines and penetrate networks. The government has even created dedicated teams that are in charge of detecting these complicated exploits.

Rob Joyce, chief of the NSA’s Tailored Access Operations (TAO). Credit: WIRED/Kim Zetter

“A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves no opportunity for detection … at first,” wrote the cyber security website FireEye.

On Saturday, Rob Joyce said at the USENIX Enigma security conference that even though zero-day vulnerabilities are important, their consequences have been exaggerated. He added that persistence and focus are the only elements a hacker needs to get into a system, and that exploitation can be achieved without zero-days. Other vectors can also be easier, more productive and less risky than the zero-day route.

According to Joyce, the NSA’s efficiency is not based on secret bugs and the use of zero-day attacks. He explained that simple things such as patience are essential, and that this is the reason they are called “Advanced Persistent Threats”: the team waits patiently until it has an open door that allows it to finish the mission.

The Internet of Things and the safety of networks  

The role of the Internet of Things (IoT) was also discussed at the security conference by the NSA’s hacker. Mr. Joyce explained that when it is time to target a cyber-attack, internet-connected cooling and heating systems can give the TAO team a good way into a network, since network administrators usually do not keep security measures up to date for internet-connected devices such as these.

The safety of U.S. networks can also be affected by IoT devices, said Joyce, since every day more and more devices are being added to giant networks that manage an infinite amount of data. According to Juniper research, by 2020 there will be around 38.5 billion connected devices; other analysts, such as Gartner, calculated that the number will reach up to 25 billion devices.

That being said, network administrators must take the protection of IoT systems into account. Jim Tully, vice president at Gartner, said in a press release last year that by 2020 the impact of such devices will be huge.

“Connected things for specialised use are currently the largest category, however, this is quickly changing with the increased use of generic devices. By 2020, cross-industry devices will dominate the number of connected things used in the enterprise. Aside from connected cars, consumer uses will continue to account for the greatest number of connected things, while enterprise will account for the largest spending,” he added.

Source: Tech Times