An increase in connected devices as part of organisations’ hardware footprint, combined with increasingly inventive attack methods from cybercriminals, has brought firmware security into the spotlight. A new study from global business technology and cybersecurity association ISACA reveals that while organisations are increasingly aware of the growing importance of firmware security, most businesses don’t have comprehensive programs in place to address firmware vulnerabilities within their infrastructure.
The study, Firmware Security Risks and Mitigation, Enterprise Practices and Challenges, highlights the importance of establishing robust security management controls and auditing practices for firmware, the hard-coded software frequently stored in Read-Only Memory (ROM). The research demonstrates that adopting a security-first approach to how businesses view hardware lifecycle management, rather than treating it as a purely operational concern, is essential to mitigating security risk.
“We are seeing more and more that firmware security is no longer a theoretical problem,” said Justine Bone, Director and CEO, MedSec, who will discuss the topic and present the findings of the report at all three of ISACA’s Cybersecurity Nexus (CSX)conferences, beginning this week at CSX North America in Las Vegas. “The evidence is showing us that attackers are targeting firmware—many breaches and vulnerability discoveries these days can be attributed to firmware problems. Solutions are emerging, but most enterprise environments remain unprepared. While it’s clear that knowledge is power in this instance, it’s also evident from this research that company culture and overall attitude to security is a major contribution to vulnerability.”
More than half (52%) of the study’s participants who do place a priority on security within hardware life cycle management report at least one incident of malware-infected firmware being introduced into a company system, with 17% of these incidents having a material impact. In contrast, those who do not prioritise security in the hardware life cycle process have a high rate of unknown malware occurrences (73%). This indicates that many vulnerabilities may remain undetected and unpatched, creating security risks. This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber-attack.
Co-operation is key
To be able to address these weaknesses, organisations need to foster increasing cooperation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management. The report findings reveal that acting upon feedback from the auditing teams is key to mitigating risk.
According to the survey, 63% of the individuals who consider their organisations to be fully compliant with firmware audits, reported higher levels of effectiveness of their patch management processes. On the other side, more than half of those who didn’t receive any feedback (51%) in this audit category had no controls for firmware integrity monitoring and flaw remediation.
“With firmware maintenance being considered an operations function rather than a security concern, the chance for exploited vulnerabilities persists,” said Christos Dimitriadis, Ph.D. CISA, CISM, CRISC, chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT. “It is time to underline the importance of firmware security in our risk assessments and embed prioritised controls based on the threat model of each organisation, whether this includes espionage, transaction integrity loss or business disruption.”
The report notes several tips to prevent attacks on firmware for the enterprise:
- Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, IoT).
- Segregate devices into trust zones that allow the organisation to operate trusted devices separate from untrusted or untrustable devices.
- Establish a firmware update policy.
- Because continuous monitoring is paramount, acquire systems and technologies specifically for monitoring the integrity of devices via the network, leveraging trusted technologies like Trusted Platform Module (TPM).