While zero-day exploits often dominate headlines, N-day exploits, which involve the use of long-standing and known vulnerabilities, may pose a significantly greater security risk to organisations.
N-day vulnerabilities offer virtually free-for-all access for multitudes of bad actors because they are known and listed on the Common Vulnerabilities and Exposures (CVE) database, explains William Petherbridge, systems engineering manager for Southern Africa at Fortinet.
“With zero-day attacks, patches or fixes aren’t available. With N-day vulnerabilities, there are patches, some of which have been available for months or years. Tools are readily available online to enable even ‘script kiddies’ to launch attacks on organisations using these common N-day vulnerabilities,” he says.
According to Petherbridge, there are thousands of vulnerabilities across legacy systems, forgotten systems and devices, and even modern systems which are still in use, but people have neglected to patch them.
He says: “There are systems in use which are long out of support – particularly in manufacturing operational technology (OT) environments. The problem with these manufacturing environments is OT networks were once relatively safe because they were air-gapped. However, OT-IT convergence means they are now exposed to the enterprise networks – which puts both at risk.”
Petherbridge suggests that organisations often delay or overlook patching schedules for several reasons: the sheer volume of patches, limited resources, and notably, the potential for disruption. Patching may require system restarts, application slowdowns, or unforeseen issues. If not performed correctly, it could even lead to data loss or corruption.
“This is an ongoing problem across technologies and vendors. Enterprises may delay patching because in a network with thousands of end devices and users, just deploying something without testing it and understanding the possible implications may be problematic,” Petherbridge says. “The sentiment is ‘don’t touch things that are working’. In OT networks, safety and uptime are top priorities, and they can’t afford any risks or disruptions.”
He adds: “There are hundreds of patches that never get loaded. This might also be due to a bad patch management programme, or simply due to IT fatigue.”
Prioritising patch management is essential for helping enterprises mitigate the most significant risks. “It becomes a question of risk balance – they need to think about whether the patches are for products they don’t use or where their exposure is low, what other protection measures are available, and what the vulnerability’s Common Vulnerability Scoring System (CVSS) score is. This helps them decide if they can wait for scheduled patching or if they should do emergency patching.”
The best defence is good security hygiene, including remediation guidance and timely patching, says Petherbridge. “In a perfect scenario, it is best to do it right away, but in reality, it depends on the risk assessment. Organisations need to consider how likely it is to be exploited right away and the impact of a compromise, compared to the impact of implementing the patch.”
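As an added illustration (not from the article, Fortinet or Petherbridge), the following Python routine turns the risk-balance questions above into an explicit triage decision: whether the product is in use, how exposed it is, whether exploit tooling is public, what compensating controls exist, the CVSS score, and whether a patch restart would disrupt an OT safety system. The field names, weights and thresholds are assumptions an organisation would replace with its own.

```python
from dataclasses import dataclass

# Illustrative N-day patch triage written for this article, not Fortinet's or
# the author's method. Field names, weights and thresholds are assumptions.


@dataclass
class Finding:
    cve: str                     # identifier from the CVE database
    cvss: float                  # CVSS base score, 0.0 to 10.0
    product_in_use: bool         # the affected product is actually deployed
    exploit_public: bool         # exploit tooling is circulating (typical of N-days)
    exposure: str                # "internet", "enterprise" or "segmented"
    compensating_controls: bool  # e.g. IPS signature or ZTNA segmentation in front of it
    ot_safety_critical: bool     # a patch restart would interrupt an OT safety/uptime system


def likelihood(f: Finding) -> float:
    """Chance of near-term exploitation (0..1) from exposure and attacker tooling."""
    base = {"internet": 0.6, "enterprise": 0.3, "segmented": 0.1}[f.exposure]
    if f.exploit_public:
        base += 0.3  # ready-made tooling removes the skill barrier
    return min(base, 1.0)


def triage(f: Finding) -> tuple[str, int]:
    """Return (action, days until the patch is due) for one finding."""
    if not f.product_in_use:
        return ("not-applicable", 0)  # no exposure, so no patch to prioritise
    risk = likelihood(f) * (f.cvss / 10.0)  # likelihood x impact, 0..1
    if risk >= 0.5:
        if f.ot_safety_critical and f.compensating_controls:
            # Exploitation is likely, but an unplanned restart is itself a
            # safety risk: lean on the control and patch at the next window.
            return ("mitigate-then-schedule", 14)
        return ("emergency", 2)
    if risk >= 0.2:
        return ("scheduled", 30)
    return ("scheduled", 90)


if __name__ == "__main__":
    # Constructed example with a placeholder CVE id: an internet-facing service
    # with a public exploit and no virtual patch should jump the queue.
    print(triage(Finding("CVE-EXAMPLE-0001", 9.8, True, True, "internet", False, False)))
```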
With BYOD and remote environments where end users have their own laptops, tablets and cellphones, patching can be especially challenging, he notes. “Devices issued by corporates have mobile device management systems to control patches on end-user devices.
“However, when the company can’t control assets, they can segment the network and use Zero Trust network access (ZTNA) to control what type of data and access users get, and to prevent malware from spreading laterally in the network,” he explains.