Written by Sergej Epp, Chief Security Officer, Central Europe, at Palo Alto Networks
Earlier in my career, when I was a cybersecurity leader at a global financial services firm, our chief operating officer asked me what seemed at the time an unusual question:
“How often do we patch our BIOS?”
The question wasn’t odd on its merits. As most PC users know, BIOS – acronym for Basic Input/Output System – is an integral part of any computer system, and keeping BIOS up to date is essential for both system performance and security. But at that time—more than a decade ago—the fact that our COO was asking took me by surprise. Even though she was not a techie, she understood that there are real business implications to having your firmware compromised.
Today, CEOs and board members realize they have a fiduciary responsibility to at least ask smart questions about cybersecurity risks such as firmware and supply chain security. Firmware is a software specifically designed for a piece of hardware, like hard drive, USB, or UEFI. Any modern computer system or smart device is built out of dozens of such components. Business leaders may not need or want to know about the deep technical issues of firmware security, but they’d better know why it’s important and how to understand the risks. It’s really no different from asking the CFO about impending quarterly financial results and not picking up clues that large inventory write-downs are imminent.
Hardware security vulnerabilities are real, and they are showing up more frequently. Forrester Research notes that 63% of organizations said they experienced at least one data breach in the past year due to hardware or firmware security vulnerabilities. These are openings that hackers, rogue nation-states and other cyber-attackers are just waiting to exploit. When business leaders read or hear about companies around the world having their systems compromised, they can use that occasion to ask the CISO or head of security operations what they are doing to identify and head off vulnerabilities.
If their response aligns with any of the following….watch out.
Excuse #1: Don’t worry, our firmware is secure. Unless your team can document exactly what they’ve done to identify and mitigate against firmware threats, you may be staring at a problem. Firmware vulnerabilities can be located in just about any system or device component. Unfortunately, most organizations do not have in place regular patching practices to clean up firmware, hard drives or other components, even after the wake-up call of Spectre and Meltdown vulnerabilities that afflicted most computers worldwide. This dramatically lowers the bar for hackers and creates an ideal environment for hidden and persistent backdoors.
The number of firmware vulnerabilities has skyrocketed in recent years. Security researchers believe that the total number of Common Vulnerabilities and Exposures (CVEs) is 7.5 times greater than what was documented just three years ago. Firmware vulnerabilities often show up in security features such as privileges and access control, and often are discovered too late. So, yes, you should worry about firmware, because it often isn’t managed at all.
Excuse #2: Firmware attacks are science fiction. It’s been said that denial of a problem is a very powerful and difficult thing for organizations to overcome. Firmware attacks are real, documented and dangerous. Since we have learned about some high-profile attacks from Edward Snowden and the Shadow Brokers, firmware attacks have increased from a wider range of bad actors. There are even commercial hacking organizations that use firmware backdoors as their main calling card. However, due to lack of security monitoring at this level, everything we know is likely only the tip of the iceberg.
Excuse #3: They can’t get in—Hackers need physical access to our hardware and firmware. It’s true that physical tampering is the most widely known type of firmware security attack. Consider the one whimsically named “Evil Maid.” We’ve all left our notebooks in our hotel room, even momentarily, while we go to the fitness center or grab something to eat. Hotel employees have been bribed to install a backdoor on a system left in a hotel room.
Another threat vector are supply chain attacks, where firmware can be manipulated either by the manufacturer or during the system delivery process. Without proper due diligence or patching process, such firmware implants could remain for decades in your data center without anybody noticing. All these firmware attacks can also happen remotely. Hackers could use remotely hacked applications or systems to exploit the firmware for more persistent surveillance or sabotage purposes. But it’s even more scary to see that some firmware components are reachable on the network or Internet in the same way as your applications.
Excuse #4: My supply chain process checks for security. Most organizations have supply chain processes that check for truthfulness, incident response, software vulnerability management and more. But organizations rarely implement checks to verify the integrity of firmware or hardware at various points in the supply chain. Consequently, attackers who are able to sneak into the supply chain processes get an easy play to maintain hidden backdoors under the surface of the cybersecurity team’s visibility. Insider threat is not a big problem for all organizations, but those that have some valuable secrets must take this seriously. The recent case of a hacker trying to recruit a Tesla employee with $1 million to install malware is a good example of this trend.
Excuse #5: I’ll get to firmware security after I take care of the basics. In this era of COVID-19 and budgetary pressures, this one is easy to understand. We all have to prioritize, so it’s tempting to put firmware security on the back burner until seemingly bigger issues such as cloud migration of patching programs are resolved. Until recently, the number of firmware cyberthieves with deep experience was fairly limited, with most exploitations focused on applications or operating systems. But with more research being published (and shared by bad guys), attackers have stepped up their efforts to exploit firmware vulnerabilities.
Not considering this attack surface at all is either ignoring or accepting the constantly growing risks for your organization. Looking at firmware attacks of the past can teach us some lessons in cybersecurity. But it’s best not to repeat the past. Organizations need to make firmware and supply chain security part of their risk and threat management programs.
It’s Like Securing Your Home
In order to help business executives and board members understand the importance of ensuring good firmware security, I like to use a metaphor we all know, understand and appreciate: Home security.
Common sense, and sometimes first-hand experiences, ensure that we don’t expect our homes to be secure if the doors and windows are wide open and our valuables are there in public display for anyone to grab. You might as well wave a banner that screams, “Hey thieves, come on in.”
Firmware security is the same way. You should Zero Trust your firmware. Implement continuous patching and configuration management. Monitor critical servers and scan laptops and smartphones that have been in insecure environments. Make sure to practice essential security hygiene.
It’s like: How many times have we asked ourselves when we left our house, “Did I lock the door?” So make sure to lock your doors, change insecure locks, install a motion detector and get your home a parabolic security camera.
If you don’t lock down your firmware, you can’t blame anyone when the attackers sneak in the back door and grab your organization’s intellectual property and customer data.