Firmware is important to every business. It is software made for specific hardware, such as hard drives, USB, or UEFI. Every computer and smart device is made up of many of these components, and hardware security flaws are real and getting worse.
Forrester Research found that 63% of businesses had one or more data breaches because of flaws in firmware or hardware in the past year. People in the security field may not know everything about firmware security, but it’s their job to know how important it is.
It’s becoming more common for business leaders to ask their security team smart questions about security, including about firmware. But security professionals often make one of five common excuses when they do this.
One: “Bad actors need to be able to get into the network in order to do that.”
It is not true that attackers need network access to do this. Physical tampering is one of the best-known ways to break into a computer’s software, but it isn’t the only way.
Another way to get into a data centre is through supply chain attacks, where manufacturers or people who deliver systems could change the firmware. Unknown implants could stay in a data centre for decades.
Hackers can also attack applications or systems remotely to reach the firmware and use it for sabotage or surveillance. Some parts of the firmware are also reachable over the internet, and malicious actors can attack them in the same way they attack applications.
Two: “The supply chain process is already safe.”
Companies that use supply chain processes often have security checks to make sure data is correct, software vulnerabilities are managed, incidents are handled, and more. However, it’s not very common for security teams to check that the firmware and hardware are safe during the supply chain process. This means that attackers can not only use hidden backdoors but also keep them open while the cybersecurity team is unaware of them.
Insider threats are real. Recently, a black hat hacker offered a Tesla employee $1 million to install malware, but the employee turned him down. Anyone who works for a company, especially one that holds important secrets, should take this very seriously.
Three: “The firmware is already safe.”
No one should assume that their software is already safe: security is a work in progress. Keep track of the steps you’ve taken to find and deal with threats, then assume there are more that you haven’t thought of and keep looking.
Firmware flaws can be found in almost any part of a device or system. They often show up in security features like privileges and access control, and they are often found too late. Organisations need to put regular patching practices in place to make their systems more secure. If they don’t, hackers will be able to get into their systems more easily.
Four: “There are other things to do first.”
During COVID-19, security teams and budgets were under a lot of stress. It might have been tempting to put firmware security on the back burner and focus on things like moving patching programmes to the cloud.
In the last few years, the majority of attacks have been on applications or operating systems, and the number of cyber-criminals with a lot of firmware experience was small. However, a growing body of research shows that hackers are becoming more and more interested in exploiting flaws in firmware.
If businesses keep ignoring the importance of firmware security, they are either ignoring or accepting risks that are always getting bigger. Security leaders need to change their risk and threat management programmes so that firmware and supply chain security are included.
Five: “Firmware attacks are not real.”
People have been hacked by software. There is no doubt about that. It has become much more common for malicious actors to use firmware backdoors to get into computers since the Shadow Brokers started doing this in 2013. This includes both commercial hackers and people who aren’t hackers.
Security monitoring at this level isn’t very good, which means there’s likely a lot more going on behind the scenes than people know about and report.
Security teams should say and do things that will help them
When I talk to business leaders about firmware security, I often use a common analogy that everyone can understand: home security. Thieves might as well say, “Welcome to my house.”
As far as firmware safety goes, there’s no difference between the two. Ask yourself, “Did I fix that vulnerability?” just as often as you ask, “Did I lock the front door?” Security teams should use a “Zero Trust” policy when it comes to firmware. They should also keep an eye on critical servers and scan devices that have been in untrusted environments. Make sure you also follow basic security rules.
If organisations are not careful and don’t lock down the firmware, hackers could get in through the back door and take IP and customer data. There is no good excuse for a lack of firmware security.