Firmware – The New Target

I understand the stress of information security management. The stakes are high, our methodologies are continuously questioned and evolving—and rightly so. And yet our customers/stakeholders/employees/executives/families wonder why we haven’t solved that whole cyber security thing yet.

My goal in this post is to highlight an area of vulnerability management that is still around the corner, for some. Think of this as a heads-up. I’ll be speaking about this topic—and releasing brand-new data from ISACA at the upcoming CSX conferences in Las Vegas, London and Singapore, in the hopes of relieving some of that stress and surprise, when what the researchers are doing now starts significantly impacting your security program.

A lot of what arrives on the desk of security and compliance managers starts in the labs of security researchers. You know, “hackers.” For those not familiar with the security research community—these are the reverse engineers, bug hunters, exploit developers and creators of penetration testing tools that raise the security bar for vendors. Finding problems is their day job.

Over the past couple of years, the security research community has been shifting gears and setting their radar on a new target: firmware. Once obscure, firmware and embedded device research is now becoming mainstream. This year at Black Hat Las Vegas, at least 20 percent of the presentations were in some way related to Internet of Things (IoT) and/or firmware security, and trainings relating to device compromise via firmware are getting more popular.

Why Focus on Firmware?
These researchers are responding to the growing numbers of systems and embedded devices powered by insecure firmware. These devices can be lucrative targets and the cost of compromise is relatively low.

Meanwhile, security and technology managers are already overworked just handling the basics: firewalls, endpoint security, intrusion prevention systems, access management, OS security; the list goes on. Solutions around firmware integrity monitoring are emerging, but many are not aware of the need.

Firmware: Easy to Pwn?
The security industry has made strides in making attacks on computers and servers more difficult; driving up the cost of attack by requiring advanced techniques to circumvent modern OS security mechanisms. Strong OS and hypervisor-level protections make systems less attractive targets, but not so much if the underlying firmware is left undefended.

There are a few fundamental reasons why firmware can make a realistic target:

• No upgrade path for firmware:  In contrast to software, firmware can be more difficult to update. Update policies may not exist; indeed, the ability to update may not even exist. Add to this the resiliency of these systems—literally devices that may sit around for decades. Changes in security requirements (e.g., updated encryption algorithms) may not be reflected in updated firmware. Even unsophisticated attack techniques are highly likely to work across outdated security mechanisms.
• Traditional methods don’t apply or can be side-stepped:  No matter how many layers of security are built into the OS, ultimately a system relies on the underlying firmware to boot and interact with hardware. Once firmware integrity is compromised, the other layers of protection may as well not exist. Attackers can bypass sophisticated security measures by directly targeting the firmware, which gets unfettered access to device functionality.
• Breaches are hard to detect:  Traditional protection systems do not monitor firmware integrity.
• The new Advanced Persistent Threat (APT):  Once a breach is detected, it is difficult to remediate. Malware can be cleaned up with antivirus or sandboxed on most systems, but a firmware compromise can persist and hide malicious behavior for months and years. Compromised firmware can also allow OS-level attacks to recur even after normal remediation actions are implemented.

The Internet of Firmware
Traditionally, firmware is associated with the BIOS on a PC, but embedded devices (a.k.a. IoT) rely on firmware in several of their components. We are not used to thinking of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. And they are out there by the billions: Not just in newfangled “smart” kickstarter projects for the home, but in mission- and life-critical devices used in factories, power plants, medical equipment and point-of-sale systems.

What to Do?
The role of firmware—across servers, network devices, mobile devices, storage systems, network devices and the IoT creates an abundance of targets that are coupled with surprisingly low barriers to entry for attackers. If an attacker owns the IoT, they own the future fabric of our existence.

So, this new area of focus for researchers is not a trend that will be changing any time soon. As firmware-based vulnerability moves from theory to reality, how is this scenario affecting what plays out in the enterprise? How is it addressed by compliance frameworks? How do we address these risks?

I hope you will join me as I continue to explore this topic at CSX 2016 North America 17-19 October in Las Vegas, CSX 2016 Europe31 October- 2 November in London, and CSX 2016 Asia Pacific 14-16 November in Singapore.

Editor’s note:  Justine Bone will be a keynote speaker at all three CSX 2016 conferences, presenting Mind the Gap: Analyzing Cyber Security Controls that Few Organizations are Implementing, and Why. An information technology and security executive with technical background in software security, risk management, information security governance and identity management, Bone spent more than 15 years working in the private sector for financial, news and information security companies, plus several years serving the intelligence community.

Justine Bone, Director and CEO, MedSec

[ISACA Now Blog]