Server firmware – the next frontier for cybercriminals

Cybercriminals prey on soft spots. They’re constantly on the lookout for systems’ weakest links, those vulnerable targets they can catch off-guard and exploit without being detected immediately. That’s why they’ve set their sights on server firmware as their next frontier – largely because “most businesses don’t have comprehensive programmes in place to address firmware vulnerabilities within their infrastructure”, says global business technology and cybersecurity association ISACA.

Even though firmware – hard-coded software typically stored in Read-Only Memory – is becoming an increasingly appealing entry point for hackers, “only 13% of security professionals’ enterprises have fully implemented controls for firmware”, says ISACA.

The association’s 2016 study, Firmware Security Risks and Mitigation, Enterprise Practices and Challenges – based on surveying 750 international professionals with cybersecurity responsibilities – reveals that organisations are growing more and more aware of firmware security’s mounting importance. Yet, “only 8% of respondents feel their enterprise is fully prepared for firmware-related vulnerabilities and exploits”.

Firmware is also reported to be the latest threat to server security. Because security professionals have been hardening the data plane – home to the operating system and applications – hackers are changing tack in pursuit of softer targets. After all, low-security areas are their paradise.

One such attack vector is to sneak in via firmware, beneath the data plane. Another is to corrupt firmware updates or upgrades as they’re happening – especially over wireless links. In this way, cyber-crooks can capture traffic and pilfer intelligence.

What makes server firmware particularly tempting for cyber-thugs is that they know very well that only server vendors can come to users’ rescue and add features to maintain a secure environment.

Preventative measures

Some experts say there’s not much one can do, as antivirus programs don’t scan computers’ firmware for malicious code. They believe firmware protection is very much in the hands of the hardware manufacturers, who they say should design firmware and firmware updates to be cryptographically signed, and add authentication capability to devices so that the signatures can be checked and verified. Hardware vendors could also provide users with a way to easily read their machines’ firmware, so they can monitor whether anything has been altered since installation.

ISACA says: “Solutions regarding firmware security – such as using manufacturers that allow enterprises to independently validate the integrity of their devices – are emerging, but many security professionals and their enterprises aren’t aware of the need for preparedness.”

It recommends that organisations nurture close “cooperation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management”. If organisations act timeously on auditing teams’ warning signals, they could alleviate risk.

The ISACA study’s tips to prevent cyberattacks on firmware include:

  • “Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, Internet of things).
  • Segregate devices into trust zones that allow the organisation to operate trusted devices separate from untrusted or untrustable devices.
  • Establish a firmware update policy.”
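To make the idea of reading a machine’s firmware and checking whether anything has been altered since installation concrete, here is an added example (not taken from the ISACA study or from any vendor’s tooling) that records a baseline at installation and later compares a fresh dump against it. The region map, names and sample image are constructed for illustration; a real layout would come from the hardware vendor’s documentation.

```python
import hashlib
import hmac

# Hypothetical region map for one device model: (name, offset, length, mutable).
# Mutable regions (e.g. a settings store) change in normal use and are skipped,
# so the check does not raise a false alarm on every configuration change.
REGIONS = [
    ("boot_block", 0x0000, 0x1000, False),
    ("main_code",  0x1000, 0x2000, False),
    ("settings",   0x3000, 0x0800, True),
]

def make_baseline(image: bytes, regions=REGIONS) -> dict:
    """Record image size and a SHA-256 per immutable region at installation time."""
    digests = {}
    for name, off, length, mutable in regions:
        if off + length > len(image):
            raise ValueError(f"region {name} extends past end of image")
        if not mutable:
            digests[name] = hashlib.sha256(image[off:off + length]).hexdigest()
    return {"size": len(image), "regions": digests}

def verify(image: bytes, baseline: dict, regions=REGIONS) -> list:
    """Return a list of findings; an empty list means the dump matches the baseline."""
    findings = []
    if len(image) != baseline["size"]:
        findings.append(f"size changed: {baseline['size']} -> {len(image)}")
    for name, off, length, mutable in regions:
        if mutable:
            continue
        expected = baseline["regions"].get(name)
        if expected is None:
            findings.append(f"{name}: no baseline digest recorded")
            continue
        chunk = image[off:off + length]
        if len(chunk) != length:
            findings.append(f"{name}: truncated dump")
            continue
        actual = hashlib.sha256(chunk).hexdigest()
        if not hmac.compare_digest(actual, expected):
            findings.append(f"{name}: digest mismatch at 0x{off:04x}")
    return findings

# Constructed sample image (not real firmware): 0x3800 bytes of patterned data.
INSTALLED = bytes((i * 7) & 0xFF for i in range(0x3800))
BASELINE = make_baseline(INSTALLED)
```

The baseline only has value if it is stored away from the device being checked, and bytes outside the region map are not covered, so the map should account for the whole image.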

For more on security solutions to protect your business against cyberattacks, contact us at Evolv Networks.
