Survey findings reveal that most businesses don’t have comprehensive programs to tackle firmware security risks
An increase in connected devices as part of organisations’ hardware footprint, combined with increasingly inventive attack methods from cybercriminals, has brought firmware security into the spotlight. A new study from global business technology and cybersecurity association ISACA reveals that while organisations are increasingly aware of the growing importance of firmware security, most businesses don’t have comprehensive programs in place to address firmware vulnerabilities within their infrastructure.
Click to see the Firmware Security an Overlooked Threat infographic.
The study, Firmware Security Risks and Mitigation, Enterprise Practices and Challenges, highlights the importance of establishing robust security management controls and auditing practices for firmware, the hard-coded software frequently stored in Read-Only Memory (ROM). The research demonstrates that adopting a security-first approach to how businesses view hardware lifecycle management, rather than treating it as a purely operational concern, is essential to mitigating security risk.
“We are seeing more and more that firmware security is no longer a theoretical problem,” said Justine Bone, Director and CEO, MedSec. “The evidence is showing us that attackers are targeting firmware—many breaches and vulnerability discoveries these days can be attributed to firmware problems. Solutions are emerging, but most enterprise environments remain unprepared. While it’s clear that knowledge is power in this instance, it’s also evident from this research that company culture and overall attitude to security is a major contribution to vulnerability.”
More than half (52%) of the study’s participants who do place a priority on security within hardware life cycle management report at least one incident of malware-infected firmware being introduced into a company system, with 17% of these incidents having a material impact. In contrast, those who do not prioritise security in the hardware life cycle process have a high rate of unknown malware occurrences (73%). This indicates that many vulnerabilities may remain undetected and unpatched, creating security risks. This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber-attack.
Co-operation is key
To be able to address these weaknesses, organisations need to foster increasing cooperation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management. The report findings reveal that acting upon feedback from the auditing teams is key to mitigating risk.
According to the survey, 63% of the individuals who consider their organisations to be fully compliant with firmware audits, reported higher levels of effectiveness of their patch management processes. On the other side, more than half of those who didn’t receive any feedback (51%) in this audit category had no controls for firmware integrity monitoring and flaw remediation.
“With firmware maintenance being considered an operations function rather than a security concern, the chance for exploited vulnerabilities persists,” said Christos Dimitriadis, Ph.D. CISA, CISM, CRISC, chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT. “It is time to underline the importance of firmware security in our risk assessments and embed prioritised controls based on the threat model of each organisation, whether this includes espionage, transaction integrity loss or business disruption.”
The report notes several tips to prevent attacks on firmware for the enterprise:
- Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, IoT).
- Segregate devices into trust zones that allow the organisation to operate trusted devices separate from untrusted or untrustable devices.
- Establish a firmware update policy.
- Because continuous monitoring is paramount, acquire systems and technologies specifically for monitoring the integrity of devices via the network, leveraging trusted technologies like Trusted Platform Module (TPM).
More information on the firmware report and a firmware security assessment for enterprises can be found at www.isaca.org/firmware.
Survey Methodology
The ISACA Firmware Security Risk and Mitigation Report is based on surveying of 750 professionals with cyber security responsibilities, representing organisations with operations in North America, Europe and Asia.
About ISACA
ISACA (www.isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.
Twitter: https://twitter.com/ISACANews
LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Facebook: www.facebook.com/ISACAHQ
