Firmware security: An overlooked threat
An increase in connected devices as part of organizations’ hardware footprint, combined with increasingly inventive attack methods from cybercriminals, has brought firmware security into the spotlight.
Firmware security priorities and attack occurrences correlation
A new study from ISACA reveals that while organisations are increasingly aware of the growing importance of firmware security, most businesses don’t have comprehensive programs in place to address firmware vulnerabilities within their infrastructure.
The study highlights the importance of establishing robust security management controls and auditing practices for firmware, the hard-coded software frequently stored in Read-Only Memory (ROM). The research demonstrates that adopting a security-first approach to how businesses view hardware lifecycle management, rather than treating it as a purely operational concern, is essential to mitigating security risk.
“We are seeing more and more that firmware security is no longer a theoretical problem,” said Justine Bone, Director and CEO, MedSec. “The evidence is showing us that attackers are targeting firmware—many breaches and vulnerability discoveries these days can be attributed to firmware problems. Solutions are emerging, but most enterprise environments remain unprepared. While it’s clear that knowledge is power in this instance, it’s also evident from this research that company culture and overall attitude to security is a major contribution to vulnerability.”
More than half (52%) of the study’s participants who do place a priority on security within hardware life cycle management report at least one incident of malware-infected firmware being introduced into a company system, with 17% of these incidents having a material impact.
In contrast, those who do not prioritize security in the hardware life cycle process have a high rate of unknown malware occurrences (73%). This indicates that many vulnerabilities may remain undetected and unpatched, creating security risks. This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber-attack.
Security prioritization and preparedness correlation
Co-operation is key
To be able to address these weaknesses, organizations need to foster increasing cooperation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management. Acting upon feedback from the auditing teams is key to mitigating risk.
According to the survey, 63% of the individuals who consider their organisations to be fully compliant with firmware audits, reported higher levels of effectiveness of their patch management processes. On the other side, more than half of those who didn’t receive any feedback (51%) in this audit category had no controls for firmware integrity monitoring and flaw remediation.
“With firmware maintenance being considered an operations function rather than a security concern, the chance for exploited vulnerabilities persists,” said Christos Dimitriadis, group director of Information Security for INTRALOT. “It is time to underline the importance of firmware security in our risk assessments and embed prioritized controls based on the threat model of each organization, whether this includes espionage, transaction integrity loss or business disruption.”
The report notes several tips to prevent attacks on firmware for the enterprise:
- Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, IoT).
- Segregate devices into trust zones that allow the organization to operate trusted devices separate from untrusted or untrustable devices.
- Establish a firmware update policy.
- Because continuous monitoring is paramount, acquire systems and technologies specifically for monitoring the integrity of devices via the network, leveraging trusted technologies like Trusted Platform Module (TPM).