Interesting article (part 1 / part 2) by Alan Shimel on the concept of the “Less Than Zero Day Exploit”.

From the article:

Once a vulnerability is publicly announced, the zero-day clock starts ticking. The announcement is typically followed by some period of time before a patch is made available. This is the Zero-Day period. According to accepted wisdom, organizations face the greatest danger when an attack or exploit targeting the vulnerability is verified in the “wild.”

Some believe this is a flawed argument. As evidence, they point to “underground” vulnerabilities and exploits that are equally as dangerous and much more difficult to detect and protect against because they are “unknown.” At StillSecure we call this class Less-Than-Zero Threat. The chart below shows the relationship between the Less-Than-Zero threat and the Zero-Day threat and the level of risk they pose to the organization. It also takes into account such factors as responsible disclosure, patch deployment, etc.

The conclusion:

Zero-Day, Less-Than-Zero, patching, exploits…the world is a dangerous place. While our attention has been focused by some security vendors and the press on the Zero-Day attack, the Less-Then-Zero threat is also significant enough to warrant your attention and resources. The reason you don’t hear a lot about this type of attack is because the majority of vendors don’t have a silver bullet to sell you for solving the problem. There is still no substitute for good, old-fashioned, best practices in security.

I completely agree with Alan’s final statement. No product is a substitute for security best practices.