Abstract
In 2016, reports of ransomware, Internet of Things (IoT) attacks and increased
cyberespionage have dominated headlines. Yet many vulnerabilities are present in an
area not frequently addressed within the infrastructure of almost all organizations:
firmware. In addition, as IoT devices proliferate, firmware, operating system and app
functionality become wholly entwined; the differentiation starts to blur.
This study attempts to identify how many firmware attacks are occurring and what is
being done to reduce enterprise risk from attacks targeting firmware. The results
reveal many interesting findings that indicate positives and negatives for cyber
security professionals. The survey, which used multiple-choice and Likert scale
formats, was organized in five major sections:
- Demographics
- Frameworks and standards
- Security management and controls
- Impact
- Conclusions
FIRMWARE SECURITY RISKS AND MITIGATION
Description of the Survey Population

The populations invited to respond to the survey were selected ISACA certification holders and members. Due to the nature of the survey, the targeted population consisted of individuals who have cyber security job responsibilities. More than 750 individuals participated, of which 436 indicated that their primary job function is cyber security or information security. The data represented in this report [...] management while 21 percent are cyber security/information security practitioners. 61 percent are employed in an enterprise with at least 1,500 employees.

While the norms of the sample population are interesting to consider, it is important to note some of the characteristics of respondents that are not in the majority. Among those surveyed, respondents are employed in more than 20 industries (see figure 1) and have business operations in at least four other major global regions (Latin America, Middle East, Africa and Oceania) in addition to the majority areas (see figure 2).

Figure 1. Industry Representation (Which of the following best describes your business industry?) Bar chart; industry labels legible in the extracted figure include Utilities, Retail/Wholesale/Distribution, Transportation, Technology Services/Consulting, Education/Student and Insurance; the values are not preserved.

Figure 2. Geographic Representation (Please indicate the regions in which your company currently operates.) Map of regions with percentages: North America 49%, Europe 54%, Asia 38%, Oceania 18%, Africa 24%; Latin America and the Middle East are labelled 25% and 33%, but the extracted layout does not preserve which value belongs to which region.
Frameworks and Standards

Security has no shortage of frameworks and standards. In fact, respondents reported use of more than 20 distinct frameworks or standards to manage risk to hardware and firmware within the information security program.

Figure 3. Prominent Frameworks (Please select the security standard/framework(s) your company has adopted for keeping critical systems and information safe.) Horizontal bar chart with a 0% to 80% axis; among the frameworks labelled in the extracted figure are UK ICO Protecting Data, UK Cyber Essentials, GCHQ 10 Steps and FedRAMP; the values are not preserved.

Management

While frameworks and standards are critical for effective governance and management, policies and executive support set the tone for the enterprise, critically aiding or weakening the effectiveness of the enterprise security program. That is true also in the selection of infrastructure and the management process around it. Survey results show that in organizations where security is a high priority in the hardware life cycle approach, enterprises fare better in a few areas. Audit reports show that these enterprises have fewer audit findings in the area of firmware and are also more aware of their vulnerabilities. For example, data in figure 4 show that 69 percent of enterprises that place a high priority in this area are at least partially compliant, and only 17 percent of that same group received no feedback at all on firmware controls. On the other hand, none of the enterprises that indicated that security is not a priority in the hardware life cycle management process reported being even partially compliant, and a whopping 67 percent received no feedback in their audit report on this critical attack surface. It is evident that, in many enterprises, hardware and firmware are being overlooked from the beginning and through the audit process, leaving many unaware whether systems are vulnerable or, worse, compromised.

Figure 4. Compliance Audit Feedback Regarding Firmware (Which of the following choices best describe feedback your company has received via compliance audits related to firmware integrity monitoring, validation and/or firmware flaw remediation?) Stacked bar chart, 0% to 100%. Series labels legible in the extracted figure: Fully Compliant, No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist; Noncompliant, Material Deficiencies Exist. Categories: High Priority: Security Is a Key or Driving Criteria; Moderate Priority: Security Is Considered Among Other Key or Driving Factors; Low Priority: Security Is Considered but Is Not a Key Factor; Not a Priority: Security Is Not a Consideration; Unknown.

The survey results demonstrate that audit timing is a key variable in how enterprises are performing. As seen in figure 5, 63 percent of the individuals who report being fully compliant on audits relating to firmware integrity monitoring, validation or firmware flaw remediation report higher levels of effectiveness of their overall patch management processes and procedures. Likewise, figure 6 demonstrates that 51 percent of those who did not receive feedback in this audit category report that they have not yet implemented controls for firmware integrity monitoring, validation and/or firmware flaw remediation. Of that 51 percent, 34 percent have no plans to implement such controls, leaving the firmware vulnerability open.

It does appear from the data that, in addition to audit timing, the relationship with the audit team impacts the enterprise's ability to prevent firmware attacks; as an example, only 10 percent of respondents who received no feedback from auditors on firmware controls felt mostly prepared to respond to or mitigate firmware-based attacks, compared to 39 percent of those who were receiving feedback and had minor deficiencies, as seen in figure 7.

In addition to having better audit feedback with which to move forward, the enterprises that place a high level of importance on security in the overall approach to life cycle management do a number of things differently from the [...] hardware life cycle management. For example, 84 percent of enterprises in the high level of security category include firmware in the enterprise's patch management system vs. only 49 percent of enterprises in the low level of security category. Similar results occur relative to using Trusted Platform Module (TPM) management tools (67 percent vs. 40 percent). Finally, only 19 percent of companies that do not place a high level of importance in the overall approach to security in hardware life cycle management do not use tools to detect and log changes in firmware vs. 62 percent of enterprises that place a low priority on security in hardware life cycle management (19 percent vs. 62 percent).

The enterprises that place priority on security in hardware life cycle management also monitor more hardware and firmware than enterprises that do not. To the authors' knowledge, this study is the first to objectively capture self-reported firmware malware incidents from security professionals around the world. More than half (52 percent) of the study's participants who do place a priority on security within hardware life cycle management report at least one incident of malware-infected firmware being introduced into a company system, and 17 percent reveal that the incident had a material impact.

Figure 5. Firmware Audit Compliance and Effectiveness Correlation

Audit feedback                                   | Highly Effective | Effective | Substandard | Unknown | Total
Fully Compliant, No Deficiencies Exist           | 63%              | 29%       | 6%          | 2%      | 11%
Partially Compliant, Minor Deficiencies Exist    | 9%               | 78%       | 10%         | 3%      | 29%
Noncompliant, Material Deficiencies Exist        | 0%               | 42%       | 58%         | 0%      | 8%
No Feedback Received Regarding Firmware Controls | 6%               | 56%       | 35%         | 3%      | 36%
Unknown                                          | 6%               | 62%       | 10%         | 22%     | 16%
Total Respondents                                | 55               | 256       | 97          | 25      | 433
Figure 6. Firmware Audit Compliance and Control Implementation Correlation

Audit feedback                                   | Fully Implemented | Partially Implemented | Planning to Implement Within the Next 12 Months | Planning to Implement Within the Next 24 Months | Not Planning to Implement | Unknown | Total
Fully Compliant, No Deficiencies Exist           | 57%               | 31%                   | 6%                                              | 2%                                              | 0%                        | 4%      | 11%
Partially Compliant, Minor Deficiencies Exist    | 15%               | 67%                   | 6%                                              | 6%                                              | 3%                        | 3%      | 29%
Noncompliant, Material Deficiencies Exist        | 0%                | 30%                   | 18%                                             | 24%                                             | 27%                       | 0%      | 8%
No Feedback Received Regarding Firmware Controls | 4%                | 22%                   | 10%                                             | 17%                                             | 34%                       | 13%     | 36%
Figure 7. Correlation Between Audit Feedback and Attack Preparedness. Bar chart, 0% to 60%. Series: Fully Prepared; Mostly Prepared; Partially Prepared; Unprepared; Unknown. Categories: Fully Compliant, No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist; Noncompliant, Material Deficiencies Exist; No Feedback Received Regarding Firmware Controls; Unknown. The values are not preserved in the extracted figure.
When it comes to the respondents that plan to implement firmware controls over the next 12 to 24 months, 30 percent say they have had firmware malware introduced into corporate systems, with 11 percent saying at least one occurrence resulted in a material impact. Even among those who have no plans to implement firmware controls, 11 percent say they have had firmware malware introduced into corporate systems, with 3 percent indicating at least one occurrence resulted in a material impact (see figure 8).

[...] cycle also feel more confident that they are prepared to respond to an attack at this layer. In fact, 71 percent of respondents in an enterprise that does not place importance on security in hardware life cycle management feel unprepared to deal with an attack at the hardware or firmware layer vs. just 5 percent of the population that does prioritize security in overall hardware life cycle management (see figure 10).
Figure 8. Firmware Security Priorities and Attack Occurrences Correlation. Stacked bar chart, 0% to 100%. Series: Unknown; No Known Occurrences; Single Occurrence, Immaterial Impact; Single Occurrence, Material Impact; Multiple Occurrences, Immaterial Impact; Multiple Occurrences, Material Impact. The category labels and values are not preserved in the extracted figure.

Figure 9. Correlation Between Monitoring and Known Occurrences. Only one row survives in the extracted table: Servers and/or Server-based Platforms: 5%, 19%, 9%, 14%, 45%, 8%, 64% (the column headers are not preserved).
[...] relationships with the audit team to ensure that awareness around firmware is audited and reported to help improve overall asset protection.

Additionally, the importance of security in the enterprise's approach to hardware life cycle management was shown to be a leading variable in determining how well enterprises are managing the vulnerabilities associated with firmware. The enterprises that place at least a moderate priority on security within the life cycle monitor more devices, feel better prepared to deal with an attack at the firmware layer and receive better feedback on their audit, enabling them to continuously improve.

While it is a positive indicator that overall governance is improving enterprises' security posture, there are still significant gaps in this area, including a significant number of enterprises that are not monitoring for changes in enterprise firmware and actually do not know whether they have had any successful exploits that have introduced malware into enterprise firmware.

More than half of companies that place a priority on security in the hardware life cycle reported at least one incident of malware-infected firmware introduced into a company system, with 17 percent indicating the incident resulted in a material impact. This is a wake-up call to all organizations that this is a real risk that needs to be mitigated.

Some tips to prevent attacks on firmware for the enterprise include:
- Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, IoT).
- Segregate devices into trust zones that allow the organization to operate trusted devices separately from untrusted or untrustable devices.
- Establish a firmware update policy.
- Because continuous monitoring is paramount, acquire systems and technologies specifically for monitoring the integrity of devices via the network, leveraging trusted technologies like TPM.

Some tips to prevent attacks on firmware for manufacturers include:
- Publish known good values of the firmware so customers can validate that they are running trusted code. Establish integrity mechanisms so customers can validate that systems are operating as intended.
- Build in a capability for an auditable firmware update process.
- Disable unused hardware interfaces. Disable consoles or password-protect them.
- Protect bootloaders, which start the firmware when the device boots.
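Two of the tips above can be exercised directly in code: a manufacturer publishing known good values of its firmware, and an enterprise validating device integrity and logging changes to it. The following Python script is an added example, not code from the ISACA report: it hashes firmware images with SHA-256, checks each image against a vendor manifest of known good values, and compares a stored per-device hash baseline with a fresh inventory scan so that any drift is reported as an event. The device names (srv-01 and so on), the model name acme-nic-2000, the manifest layout and the image bytes are all constructed for illustration and stand in for a real vendor's published values.

```python
"""Firmware integrity check against vendor known-good values plus drift
detection against a stored baseline. Added example; all names and data
below are constructed, not taken from any real vendor or from the report."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed stand-ins for firmware image blobs (a real image would be
# read from disk or pulled from the device's management interface).
IMAGE_V1 = b"ACME-NIC-FW v1.0.3 " + bytes(range(64))
IMAGE_V2 = b"ACME-NIC-FW v1.1.0 " + bytes(range(64, 128))
TAMPERED = IMAGE_V1[:-1] + b"\x00"  # same image with its last byte altered


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a firmware image."""
    return hashlib.sha256(data).hexdigest()


# Constructed vendor manifest of published known-good digests:
# model -> firmware version -> expected SHA-256 (hypothetical model name).
VENDOR_MANIFEST: Dict[str, Dict[str, str]] = {
    "acme-nic-2000": {
        "1.0.3": sha256_hex(IMAGE_V1),
        "1.1.0": sha256_hex(IMAGE_V2),
    }
}


def verify_image(model: str, version: str, image: bytes,
                 manifest: Dict[str, Dict[str, str]] = VENDOR_MANIFEST) -> str:
    """Classify an image as 'trusted' (digest matches the published value),
    'mismatch' (a published value exists but the digest differs) or
    'unknown-version' (the vendor published nothing for this model/version)."""
    expected = manifest.get(model, {}).get(version)
    if expected is None:
        return "unknown-version"
    actual = sha256_hex(image)
    # Constant-time comparison; cheap insurance when digests come from untrusted input.
    return "trusted" if hmac.compare_digest(actual, expected) else "mismatch"


def audit_inventory(inventory: Dict[str, Tuple[str, str, bytes]],
                    manifest: Dict[str, Dict[str, str]] = VENDOR_MANIFEST) -> Dict[str, str]:
    """inventory maps device name -> (model, version, image bytes).
    Returns device name -> verification status."""
    return {dev: verify_image(model, ver, img, manifest)
            for dev, (model, ver, img) in inventory.items()}


def detect_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[dict]:
    """Compare the stored per-device digest baseline with a fresh scan and
    return one event per difference: 'changed' (digest differs), 'missing'
    (device in baseline but not seen) or 'new' (device seen but not in baseline)."""
    events: List[dict] = []
    for device, old in baseline.items():
        new = observed.get(device)
        if new is None:
            events.append({"device": device, "event": "missing", "old": old, "new": None})
        elif new != old:
            events.append({"device": device, "event": "changed", "old": old, "new": new})
    for device, new in observed.items():
        if device not in baseline:
            events.append({"device": device, "event": "new", "old": None, "new": new})
    return sorted(events, key=lambda e: e["device"])


if __name__ == "__main__":
    # Constructed inventory: one clean device, one tampered image, one version
    # the vendor has not published a value for.
    inventory = {
        "srv-01": ("acme-nic-2000", "1.0.3", IMAGE_V1),
        "srv-02": ("acme-nic-2000", "1.0.3", TAMPERED),
        "srv-03": ("acme-nic-2000", "2.0.0", IMAGE_V2),
    }
    print(json.dumps(audit_inventory(inventory), indent=2))

    # Constructed baseline from a previous scan; srv-04 has since disappeared
    # and srv-03 is newly seen.
    baseline = {"srv-01": sha256_hex(IMAGE_V1),
                "srv-02": sha256_hex(IMAGE_V1),
                "srv-04": sha256_hex(IMAGE_V2)}
    observed = {dev: sha256_hex(img) for dev, (_, _, img) in inventory.items()}
    for event in detect_drift(baseline, observed):
        print(json.dumps(event))  # each line is one log event for the SIEM
```

The two checks answer different questions: verify_image says whether an image is one the vendor vouches for, while detect_drift says whether anything on a device changed since the last scan, which is what flags an unexpected reflash even when the vendor has published no value for the new version. Both depend on the vendor actually publishing digests for every released version, which is why the manufacturer tip above matters.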
Figure 10. Security Prioritization and Preparedness Correlation. Chart referenced in the text above; the labels and values are not preserved in the extracted figure.
ISACA

ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.

Disclaimer

This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.

Reservation of Rights

© 2016 ISACA. All rights reserved.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org

Provide feedback: cybersecurity.isaca.org/firmware
ACKNOWLEDGMENTS

ISACA wishes to recognize:

Leonard Ong
CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck, Singapore, Director

Andre Pitkowski
CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Director

Eddie Schwartz
CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Director

Jo Stewart-Rattray
CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director

Cybersecurity Working Group

Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Chair
Niall Casey, Johnson & Johnson, USA
Stacey Halota, CISA, CISSP, CIPP, Graham Holdings, USA
Tammy Moskites, CISM, Venafi, USA
Rogerio Winter, Brazilian Army, Brazil