Talking about Risk

Wednesday, July 15th, 2009

by William Murray


Not so long ago, but in a different era, the rogue hackers were building tools to automate the creation of viruses and worms to exploit newly publicized vulnerabilities. They boasted that these tools were enabling them to develop malicious code faster and faster and that soon they would be able to create an attack within twenty-four hours of the identification of a vulnerability. Thus was born the idea of the “zero-day” attack. Note that “zero-day” is a term of art, that it modifies “attack”, and that it is relative to the identification of the vulnerability.

While it is sometimes used to refer to a previously unknown vulnerability, the words have no meaning in that context. “Zero-day” relative to what? To yesterday? The term has lost its original meaning without gaining a new one. It became an expression that not only carried no meaning of its own but also confused the meaning of any terms with which it was used. This aggravates the general problem in security that our terms of art, e.g. threat, attack, vulnerability, and risk, are used without distinction, not to say interchangeably. Multiple times a week I find myself parsing quotes about security in the media, in a sometimes vain attempt to figure out what the source intends.
