
Use patching to protect your network from threats

In the fourth installment of our series on zero-day threats, expert Tony Bradley explains how to protect your network in four ways: guard the perimeter, patch and protect, rapid response and containment.

This is the fourth installment in our series on containing zero-day threats.

Patching is an established routine for most organizations. IT directors and network administrators know that it is necessary to patch systems and applications on a regular basis to protect their networks against vulnerabilities.

More on zero-day threats
  • Harden your network services and contain zero-day threats
  • Define server roles, counterattack zero-day threats
  • Eliminate zero-day threats with virtual server technology

This is a good system for the flaws that are known. However, vulnerabilities that are discovered by the vendors themselves or by security researchers with a sound moral compass and strong ethics are typically not announced to the general public until the appropriate patch is developed and available. Sometimes, though, flaws are discovered by developers of questionable character, and those flaws are turned into attacks that can be used to exploit the vulnerability before the software vendor -- or the general public -- has any idea that a problem exists.

These zero-day exploits -- so named because there is no notice given between the discovery of the vulnerability and the discovery of an active exploit of the vulnerability in the wild -- can take networks by surprise and wreak havoc on the enterprise. There are some fundamental steps you can take to proactively protect the network and minimize the potential for a zero-day exploit to impact your enterprise.

1. Guard the perimeter. The concept of the network perimeter has deteriorated over time with the development of wireless networking and mobile devices. It is harder and harder to define which devices are inside the network perimeter and which are outside. Even so, the network perimeter should be protected by a firewall.

The firewall should guard against unnecessary and unauthorized network traffic entering the network. Construct firewall rules and policies that allow the flow of business operations without reducing overall network security more than necessary. The ability for mobile and wireless devices to affect the network can be reduced by only allowing them to connect to internal network resources via an encrypted VPN tunnel.
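As an added example (not part of the article), the following Python script models the perimeter policy just described as an ordered, first-match-wins rule list that ends in an explicit default deny, and evaluates a few constructed flows against it. The address plan, the VPN port (UDP 1194) and the sample flows are assumptions made for the example; the point it shows is that a wireless client can reach the VPN gateway and nothing else, while the same client's tunnel address is allowed through to internal resources.

```python
"""Default-deny perimeter policy checked against constructed sample flows.

Added example, not the article's own; the address plan, rule list and the
VPN port are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    comment: str


# Constructed address plan.
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"          # wired internal resources
WIRELESS = "192.168.50.0/24"     # wireless and mobile clients, treated as outside
VPN_GW = "10.0.0.5/32"           # VPN concentrator
VPN_POOL = "10.200.0.0/16"       # addresses handed out inside the encrypted tunnel

# First match wins; the last rule is the explicit default deny.
RULES = [
    Rule("allow", WIRELESS, VPN_GW, "udp", 1194, "wireless clients may only reach the VPN gateway"),
    Rule("allow", VPN_POOL, INTERNAL, "any", None, "authenticated tunnel clients reach internal resources"),
    Rule("allow", INTERNAL, ANY, "tcp", 443, "outbound HTTPS needed for business operations"),
    Rule("allow", INTERNAL, ANY, "udp", 53, "outbound DNS to the resolver"),
    Rule("deny", ANY, ANY, "any", None, "default deny: everything not listed above"),
]


def evaluate(src, dst, proto, dport, rules=RULES):
    """Return (action, comment) of the first rule that matches the flow."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action, r.comment
    return "deny", "implicit deny (no rule matched)"


# Constructed flows: (src, dst, proto, dport, what the flow represents).
SAMPLE_FLOWS = [
    ("192.168.50.10", "10.0.0.5", "udp", 1194, "laptop on Wi-Fi opening its VPN tunnel"),
    ("192.168.50.10", "10.0.3.20", "tcp", 445, "same laptop going straight to a file server"),
    ("10.200.1.7", "10.0.3.20", "tcp", 445, "same laptop, now inside the tunnel"),
    ("203.0.113.9", "10.0.3.20", "tcp", 3389, "internet host probing RDP"),
    ("10.0.3.20", "198.51.100.4", "tcp", 443, "server fetching updates over HTTPS"),
]


def audit(flows=SAMPLE_FLOWS, rules=RULES):
    """Evaluate each flow and return (description, action, matched-rule comment)."""
    return [(desc, *evaluate(s, d, p, port, rules)) for s, d, p, port, desc in flows]


if __name__ == "__main__":
    for desc, action, why in audit():
        print(f"{action:5}  {desc:45}  [{why}]")
```

Running the script prints one line per flow; the second flow (Wi-Fi client straight to the file server) falls through to the default deny, while the third (same client through the tunnel pool) is allowed. Keeping the default deny as an explicit last rule, rather than relying on the implicit one, makes the policy reviewable: every allowed flow must be traceable to a commented rule.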

2. Patch and protect. By definition, if the threat is coming from a zero-day exploit, then no patch exists yet for the specific threat. However, having an effective, timely process for evaluating and deploying patches is a key to overall network security. It is also important to run an up-to-date antivirus program of some sort. Even though the specific threat may not yet be defined, antivirus software can often detect even unknown threats using heuristic detection, which provides at least some level of security.
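A "timely process" only means something if it is measured. As an added example that is not from the article, the script below compares a constructed host inventory against constructed advisories and reports every host still running a version below the fixed one, how many days the advisory has been open, and whether that exceeds a severity-based deadline. The advisory ids, package names, versions, dates and SLA values are all assumptions for the example.

```python
"""Track patch deployment against a severity-based deadline.

Added example, not from the article. Advisory ids, package names, versions,
dates and SLA values are constructed for illustration.
"""
from datetime import date

# Maximum days a fix may stay undeployed, by advisory severity (assumed policy).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisories: package, first fixed version, severity, publish date.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "webserver", "fixed": "2.4.10",
     "severity": "critical", "published": date(2024, 3, 1)},
    {"id": "ADV-EXAMPLE-2", "package": "mailclient", "fixed": "1.8.3",
     "severity": "medium", "published": date(2024, 3, 10)},
]

# Constructed inventory: what each host currently has installed.
INVENTORY = [
    {"host": "web01", "packages": {"webserver": "2.4.9"}},
    {"host": "web02", "packages": {"webserver": "2.4.10"}},
    {"host": "ws17", "packages": {"webserver": "2.4.9", "mailclient": "1.8.2"}},
]


def parse_version(text):
    """Dotted numeric versions compare as integer tuples, so '2.4.10' > '2.4.9'."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed, fixed):
    """A host is exposed while its installed version is below the first fixed one."""
    return parse_version(installed) < parse_version(fixed)


def patch_status(inventory, advisories, today):
    """Return one finding per (host, advisory) still unpatched, overdue items first."""
    findings = []
    for host in inventory:
        for adv in advisories:
            installed = host["packages"].get(adv["package"])
            if installed is None or not is_vulnerable(installed, adv["fixed"]):
                continue
            days_open = (today - adv["published"]).days
            findings.append({
                "host": host["host"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "installed": installed,
                "fixed": adv["fixed"],
                "days_open": days_open,
                "overdue": days_open > SLA_DAYS[adv["severity"]],
            })
    # Overdue first, then by severity, then by host, so the list reads as a worklist.
    findings.sort(key=lambda f: (not f["overdue"], SEVERITY_RANK[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in patch_status(INVENTORY, ADVISORIES, date(2024, 3, 12)):
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{flag:8} {f['host']:6} {f['advisory']:14} {f['severity']:8} "
              f"{f['installed']} -> {f['fixed']} ({f['days_open']} days)")
```

The version comparison here is deliberately simple (purely numeric, dot-separated); real package managers have their own ordering rules, such as `dpkg --compare-versions` on Debian-based systems, and a production tracker should call those rather than reimplement them. The useful output is the ordering: a critical advisory open past its deadline on any host is the first line you see.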

3. Rapid response. In a best-case scenario, your proactive security would be enough to protect against zero-day exploits impacting your network. The potential, however, still exists for a zero-day exploit to infiltrate your network undetected. If you have a well-configured intrusion detection or intrusion prevention system (IDS/IPS) in place, you'll be able to detect and act on any suspicious or anomalous activity. Regardless of how you are notified of a threat to your network, have well-defined policies and procedures for incident response, including clear steps for executing them as well as established roles and responsibilities.

4. Contain the threat. One final part of minimizing the impact of a zero-day exploit on your network is to have some means of containing the threat so it's unable to spread and cause more damage throughout your network. By using virtual LANs (VLANs) or other methods of segregating network traffic, you can establish a means for limiting the damage to a specific LAN segment and contain the threat before it spreads to the rest of the enterprise.
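Steps 3 and 4 fit together: an anomaly detector has to raise an alert on behaviour it has no signature for, and the response procedure has to turn that alert into a containment decision expressed in terms of network segments. The following Python script is an added example (not from the article) covering both. It parses constructed flow-log lines, flags any source that reaches an unusual number of distinct hosts on the same port within a short window (the fan-out pattern a self-propagating exploit produces regardless of which vulnerability it uses), and produces a containment plan that moves the source to a quarantine VLAN and blocks the port it was spreading on toward the segments it touched. The log format, address plan, VLAN names and thresholds are all assumptions for the example.

```python
"""Detect worm-like fan-out in connection logs and produce a containment decision.

Added example, not from the article. Log format, address plan, VLAN names and
thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: which address block belongs to which segment.
SEGMENTS = {
    "vlan10-servers": ip_network("10.0.3.0/24"),
    "vlan20-workstations": ip_network("10.0.20.0/24"),
}
QUARANTINE_VLAN = "vlan99-quarantine"   # isolated segment with no route to the rest

# One source touching this many distinct hosts on one port inside the window
# is treated as propagation, whatever the exploit behind it is (assumed tuning).
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(lines):
    """Turn flow-log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])})
    return events


def segment_of(ip):
    """Map an address to its VLAN name, or 'unknown' if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Alert when one source reaches >= threshold distinct destinations on one port within the window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["proto"], e["dport"])].append(e)
    alerts = []
    for (src, proto, dport), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, start in enumerate(evs):           # sliding window anchored at each event
            targets = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            alerts.append({"src": src, "proto": proto, "dport": dport,
                           "distinct_targets": len(best),
                           "segments_hit": sorted({segment_of(d) for d in best})})
    return alerts


def containment_plan(alerts):
    """Translate alerts into segment-level containment decisions for the responder."""
    return [{
        "host": a["src"],
        "from": segment_of(a["src"]),
        "to": QUARANTINE_VLAN,
        "block": [f"{a['proto']}/{a['dport']} from {a['src']} to {seg}" for seg in a["segments_hit"]],
    } for a in alerts]


# Constructed sample log: one workstation sweeping the server VLAN on SMB, one
# workstation talking HTTPS to a single server, one touching three hosts on
# SMB (below threshold), and one malformed line.
SAMPLE_LOG = [
    f"2024-03-12T10:00:{s:02d} src=10.0.20.15 dst=10.0.3.{20 + i} proto=tcp dport=445"
    for i, s in enumerate((1, 6, 12, 19, 25, 33, 40))
] + [
    "2024-03-12T10:00:05 src=10.0.20.16 dst=10.0.3.20 proto=tcp dport=443",
    "2024-03-12T10:01:05 src=10.0.20.16 dst=10.0.3.20 proto=tcp dport=443",
    "2024-03-12T10:02:00 src=10.0.20.17 dst=10.0.3.20 proto=tcp dport=445",
    "2024-03-12T10:02:04 src=10.0.20.17 dst=10.0.3.21 proto=tcp dport=445",
    "2024-03-12T10:02:10 src=10.0.20.17 dst=10.0.3.22 proto=tcp dport=445",
    "this line is not a flow record",
]


def run(lines=SAMPLE_LOG):
    """Parse, detect and plan; returns (alerts, plan) so the result can be checked."""
    alerts = detect_fanout(parse_log(lines))
    return alerts, containment_plan(alerts)


if __name__ == "__main__":
    alerts, plan = run()
    for a in alerts:
        print(f"ALERT {a['src']} -> {a['distinct_targets']} hosts on {a['proto']}/{a['dport']} in {a['segments_hit']}")
    for p in plan:
        print(f"CONTAIN {p['host']}: move {p['from']} -> {p['to']}; block {p['block']}")
```

The detector keys on (source, protocol, port) so that a workstation legitimately reaching many servers on different services is not conflated with one hammering a single port across a subnet; the threshold and window are the knobs you tune against your own baseline. The containment plan is deliberately expressed as segment-level decisions rather than vendor ACL syntax, so the same output can drive a switch port VLAN change, a firewall rule between VLANs, or a NAC quarantine, whichever the incident response procedure assigns.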

About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is recognized by Microsoft as an MVP in Windows Security, and he is the Guide for Internet / Network Security, providing a broad range of security tips, advice and reviews. Bradley is co-author of Hacker's Challenge 3 and author of Essential Computer Security. He contributes frequently to other industry publications. For a complete list of his freelance contributions, visit
