This is despite the fact that organisations are increasingly aware of the growing importance of firmware security as connected devices for a growing part of organisations’ hardware footprint, which includes devices that make up the internet of things (IoT).
Isaca’s Firmware security risks and mitigation, enterprise practices and challenges report highlights the importance of establishing robust security management controls and auditing practices for firmware, the hard-coded software frequently stored in read-only memory (ROM).
The research, which was based on a survey of 750 professionals with cyber security responsibilities in North America, Europe and Asia, demonstrates that adopting a security-first approach to how businesses view hardware lifecycle management, rather than treating it as a purely operational concern, is essential to mitigating security risk.
“We are seeing more that firmware security is no longer a theoretical problem,” said Justine Bone, director and CEO of healthcare security firm MedSec, who will discuss the topic and present the findings of the report at all three of Isaca’s Cybersecurity Nexus (CSX) conferences.
“The evidence is showing us attackers targeting firmware,” she said. “Many breaches and vulnerability discoveries these days can be attributed to firmware problems.”
Although solutions are emerging, most enterprise environments remain unprepared. “While it is clear that knowledge is power in this instance, it is also evident from this research that company culture and overall attitude to security is a major contribution to vulnerability,” said Bone.
Read more about firmware security
- Rogue Cisco IOS firmware could enable hackers to bypass all perimeter-level security controls, warns FireEye.
- Carmaker Jaguar Land Rover has developed an open source framework to enable remote firmware updates in-car entertainment systems.
More than half (52%) of the study’s participants who place a priority on security within hardware lifecycle management report at least one incident of malware-infected firmware being introduced into a company system, with 17% of these incidents having a material impact.
In contrast, those that do not prioritise security in the hardware lifecycle process have a high rate of unknown malware occurrences (73%). This indicates many vulnerabilities remain undetected and unpatched, creating security risks.
This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber attack.
To be able to address these weaknesses, the report said organisations need to foster increasing co-operation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management. The study shows that acting on feedback from the auditing teams is key to mitigating risk.
Patch management processes
According to the survey, 63% of the individuals who consider their organisations to be fully compliant with firmware audits reported higher levels of effectiveness of their patch management processes. On the other hand, more than half of those that did not receive any feedback (51%) in this audit category had no controls for firmware integrity monitoring and flaw remediation.
“With firmware maintenance being considered an operations function rather than a security concern, the chance for exploited vulnerabilities persists,” said Christos Dimitriadis, chair of Isaca’s board of directors and group director of information security for Intralot.
“It is time to underline the importance of firmware security in our risk assessments, and embed prioritised controls based on the threat model of each organisation, whether this includes espionage, transaction integrity loss or business disruption.”
The report notes several tips to prevent attacks on firmware for the enterprise:
- Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, IoT).
- Segregate devices into trust zones that allow the organisation to operate trusted devices separate from untrusted or untrustable devices.
- Establish a firmware update policy.
- As continuous monitoring is paramount, acquire systems and technologies specifically for monitoring the integrity of devices via the network, leveraging trusted technologies such as trusted platform module (TPM).