Firmware is everywhere, from the largest data center to the smallest networked LED light bulb. It is the most powerful code on any system because it controls how the hardware itself operates. Compromised firmware can be used to corrupt or steal data, spy on your environment or even destroy the system it controls.
Firmware persists from one restart to the next, and it runs below the operating system and driver layers, where it can fool everything above it – including existing security tools – into believing that all is well. The problem is that very few people are paying attention to protecting it.
Last year ISACA surveyed its IT security members to see what enterprises are doing about firmware security. The survey’s findings are alarming.
Here are just a few:
- More than a third of the enterprises surveyed either are doing nothing about firmware or do not know whether they are;
- More than a third received no feedback about firmware controls during audits;
- Of the enterprises that prioritized security as part of their hardware lifecycle management, 52% reported at least one incident of malware-infected firmware.
Because firmware controls the hardware, exploits against it can have very serious real-world impact. Examples include the Ukrainian power grid attack of December 2015, in which the attackers overwrote the firmware of serial-to-Ethernet converters at the substations, and recent reports that Apple "severed ties" with one of its server vendors after discovering compromised firmware on servers it was testing in its Siri development lab.
Firmware risk takes two forms: bad actors installing malware that poses as legitimate firmware, and legitimate firmware in which the original equipment manufacturer (OEM) discovers vulnerabilities and publishes updates. We do not currently know how often the first occurs, but we do know that OEMs announce firmware vulnerabilities almost daily. That is why all of the major cybersecurity and compliance frameworks include controls that dictate best practices for firmware patch management, and many of those same frameworks now also include controls for continuous monitoring of firmware integrity.
In fact, firmware falls under many regulatory requirements to protect against "reasonably anticipated" threats.
So why do many organizations leave firmware out of their cybersecurity program?
Some are unaware that these controls exist and apply directly to them. Others mistakenly believe their existing security tools (e.g. AV or file integrity monitoring) already address firmware integrity; those tools run at the operating-system level and check files on disk, so they never see the code stored in the device's flash beneath the OS. Still others understand the risk but have lacked commercially available tools to monitor firmware effectively.
The reality is that, regardless of your industry sector, if your aim is to follow cybersecurity and compliance best practices, you need to implement some form of continuous firmware integrity monitoring, and you should understand that traditional security tools do not cover this space. Trapezoid's Firmware Integrity Verification Engine (FIVE) is specifically designed to continuously monitor and alert on changes to the integrity of firmware in your infrastructure in order to meet those cybersecurity compliance controls.
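To make concrete what the "continuous monitoring of firmware integrity" control above asks for, and why file-level integrity monitoring cannot satisfy it, here is an added example of a firmware baseline-and-compare check. It is not Trapezoid's or FIVE's code, nor code from the original post. It assumes that a raw firmware image and a vendor version string can be read from each device (how that read happens is out of scope); the device names, version strings and image bytes are all constructed for illustration.

```python
"""Firmware integrity baseline-and-compare check (added example, not FIVE's code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FirmwareObservation:
    device: str    # hypothetical identifier, e.g. "host01/uefi" or "host01/bmc"
    version: str   # version string as reported by the device itself
    image: bytes   # raw firmware image bytes as read from the part


def measure(image: bytes) -> str:
    """SHA-256 of the raw image: the measurement a baseline records."""
    return hashlib.sha256(image).hexdigest()


def parse_version(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3) so that rollback can be compared numerically."""
    return tuple(int(p) for p in v.split("."))


def build_baseline(observations):
    """Record known-good version and hash per device, captured at a trusted time."""
    return {o.device: {"version": o.version, "sha256": measure(o.image)}
            for o in observations}


def check_firmware(baseline, observations):
    """Compare fresh readings against the baseline; return a list of (device, finding)."""
    findings = []
    seen = set()
    for o in observations:
        seen.add(o.device)
        expected = baseline.get(o.device)
        if expected is None:
            findings.append((o.device, "UNKNOWN_DEVICE"))
            continue
        if measure(o.image) == expected["sha256"]:
            findings.append((o.device, "OK"))
        elif parse_version(o.version) < parse_version(expected["version"]):
            # Older build than the baseline: a downgrade to a vulnerable version.
            findings.append((o.device, "VERSION_ROLLBACK"))
        elif o.version == expected["version"]:
            # Same version string but different bytes: the device claims to be
            # unchanged while its code is not, which is what a malicious image
            # posing as legitimate firmware looks like. AV never sees this.
            findings.append((o.device, "HASH_MISMATCH_SAME_VERSION"))
        else:
            # Newer version: expected after a patch, but still worth an alert so
            # the change can be reconciled against the patch schedule.
            findings.append((o.device, "CHANGED_NEW_VERSION"))
    for device in baseline:
        if device not in seen:
            findings.append((device, "MISSING_DEVICE"))
    return findings


# Constructed sample images (not real firmware) captured for the baseline.
GOOD_BIOS = b"UEFI-IMAGE-v2.10.3" + bytes(64)
GOOD_BMC = b"BMC-IMAGE-v1.4.0" + bytes(64)
BASELINE = build_baseline([
    FirmwareObservation("host01/uefi", "2.10.3", GOOD_BIOS),
    FirmwareObservation("host01/bmc", "1.4.0", GOOD_BMC),
])


def demo_findings():
    """A later scan: one flipped bit in the BIOS image with an unchanged version
    string, a BMC rolled back to an older build, and a NIC never baselined."""
    tampered_bios = bytearray(GOOD_BIOS)
    tampered_bios[40] ^= 0x01
    observed = [
        FirmwareObservation("host01/uefi", "2.10.3", bytes(tampered_bios)),
        FirmwareObservation("host01/bmc", "1.3.2", b"BMC-IMAGE-v1.3.2" + bytes(64)),
        FirmwareObservation("host01/nic0", "7.1", b"NIC-OPROM" + bytes(16)),
    ]
    return check_firmware(BASELINE, observed)


if __name__ == "__main__":
    for device, finding in demo_findings():
        print(f"{device}: {finding}")
```

The point of the version checks is that a version string alone is not an integrity measurement: a tampered image can report whatever version it likes, so the hash of the raw bytes is what the baseline must record, and a downgrade to an older but unmodified vendor image is a separate finding from tampering. In a real deployment the baseline would be re-captured from a trusted source after each approved update, and the "CHANGED_NEW_VERSION" result reconciled against that update record.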
If you are interested in learning more about this space, feel free to drop me a line at info@trapezoid.com. Or contact JohnsTek at https://johnstek.com for more information on Cyber Risk Management for your organization!
Author: José E. González, CEO & Co-Founder of Trapezoid