Attacks against firmware are snowballing, outstripping many organizations’ cyber-defenses, according to a survey from Microsoft. The report showed that more than 80 percent of enterprises have experienced at least one firmware attack in the past two years – but only 29 percent of security budgets goes to firmware security.
Firmware, a class of software that provides the low-level control for a device’s specific hardware, is last on the list for security-protection investment. The study – which polled 1,000 enterprise security decisionmakers in China, Germany, Japan, the U.K. and the U.S. – showed that most security investments are going to security updates, vulnerability scanning and advanced threat-protection solutions.
“Yet despite this, many organizations are concerned about malware accessing their system as well as the difficulty in detecting threats, suggesting that firmware is more difficult to monitor and control,” according to the report, released this week. “Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation.”
Firmware, a Growing Malware Conduit
Firmware has become an attractive target for cyberattackers because this is the area where sensitive information like credentials and encryption keys are stored in memory, Microsoft explained.
And, visibility is an ongoing issue: A full 21 percent of decisionmakers admitted that their firmware data goes unmonitored today.
“Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime bellow the kernel,” according to the analysis. “And attackers have noticed.”
So, perhaps it’s no wonder that the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has shown a better than five-fold increase in firmware attacks since 2017.
Yet even amongst this cacophony of attacks, the survey shows that most decisionmakers believe that software is three times as likely to pose a security threat versus firmware.
“There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it,” Azim Shafqat, partner at ISG and former managing vice president at Gartner, said in the report.
Dangers of the OS Kernel
The survey found that only 36 percent of businesses have invested in hardware-based memory encryption – and less than half (46 percent) are investing in hardware-based kernel protections.
“Hardware-based security features such as kernel data protection or memory encryption, which blocks malware or malicious threat actors from corrupting the operating system’s kernel memory or from reading it at runtime, is a leading indicator of preparedness against sophisticated kernel-level attacks,” according to Microsoft.
The survey also found that security teams are more focused on detection and incident response rather than prevention of firmware attacks; only 39 percent of security teams’ time is spent on the latter.
“Part of the disconnect may be due to security teams being stuck in reactive cycles and manual processes,” according to the report. “The vast majority (82 percent) of … respondents reported that they don’t have the resources to allocate to more high-impact security work because they are spending too much time on lower-yield manual work like software and patching, hardware upgrades, and mitigating internal and external vulnerabilities.”
This is related to a lack of automation; survey respondents overall said they are spending 41 percent of their time on firmware patches that could be automated. And, a full 71 percent said their staff spends too much time on work that should be automated, which is a number that balloons to 82 percent among the teams who said they don’t have enough time for strategic work like preparing for sophisticated threats like those targeted at firmware.
Firmware Security Investment Improves
The good news is that a growing awareness of firmware risk is driving a willingness to invest in protections.
For instance, 95 percent of Chinese organizations said they were willing to invest in firmware protections; 91 percent of businesses in Japan, the U.K. and the U.S. say the same; as do 81 percent of the German companies surveyed.
The survey also found that 89 percent of regulated industry companies felt willing and able to invest in advanced security solutions, with the financial services sector lagging slightly behind.
“Those that do make the right investments are seeing returns, and surveyed organizations that made a real investment in security saw a big payoff,” according to Microsoft. “Almost two-thirds (65 percent) of decisionmakers reported that investing in security increased efficiency throughout their organizations because it freed up [security operations] teams to work on other projects, promoted business continuity, enabled end-user productivity, decreased downtime and saved on investments needed elsewhere.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)