Cyber criminals are reaching deeper into the hardware at the heart of companies’ computing systems even as organizations strive to stay secure, says a report released by Dell Dec. 11.
That has left companies having to find ways to defend against hackers who target computer operations below the operating system level.
The report, authored by Dell’s vice-president of security and client solutions David Konetski, says attackers are now reaching into the BIOS, or basic input/output system. When a computer boots up, the central processing unit communicates with that chip on the motherboard. The chip “acts as the gate to all the computer’s hardware and it gives the commands for how each piece of hardware is supposed to behave and interact,” the report said.
“An attack on that hardware, firmware or silicon level can expose organizations to systemic damages,” the report said.
But, the report said, a gap exists between the priority organizations say they place on defending against hardware-level attacks and their actual perception of the risk those threats pose. This gap leaves companies open to attack and reveals “a lack of consistent preparation, education or ability to execute on hardware-level security measures.”
“Firms are not properly defending themselves, and thus, struggle against hardware-level security breaches year after year,” the report said.
And that leaves companies open to loss of sensitive data or financial loss as well as possible reputational damage.
The report, based on a survey of 307 IT, security, risk, and compliance decision makers by Forrester Consulting, said 63% of companies experienced a data breach or compromise in the past 12 months due to an exploited vulnerability in hardware- or silicon-level security. Forty-seven per cent reported at least two hardware-level attacks in the same period.
However, the survey found, while most organizations reported hardware security measures as a top security priority for the coming year, when queried about hardware-level defenses and supply chain protections, they admitted they weren’t prepared to address such vulnerabilities.
“This gap between strategy and execution is exposing firms to potential risk,” the report said.
The survey found 63% of organizations recognize a moderate to extremely high level of exposure to hardware supply chain threats, yet only 59% have implemented a hardware supply chain security strategy. And, three in five companies see BIOS and firmware exploitations as very or extremely concerning, but only half feel the same about silicon-level vulnerabilities.
“The lack of a consistent security approach to hardware-level security breaches leaves organizations open to the risk of damage, including loss of sensitive data, financial loss and diminished competitive advantage,” the report said.
The key to closing the gaps that lead to breaches is working with hardware security vendors, the report said. However, it added, only 28% of surveyed organizations are satisfied with their vendors’ hardware security management.
The report makes three key recommendations:
• Know what you buy and whom you’re buying it from. Know the supply chain that resulted in your hardware. “The origins and handling of these components and the finished products — notably who produced it and where — can make the difference between a trusted device free of tampering and one that contains a latent threat which may only surface once the endpoint is in use”;
• Have responses ready that detect anomalous BIOS- and boot-level activity and trigger defenses against it; and
• Be aware that a contaminated BIOS can wreak havoc despite detection and defensive measures. Ensure use of validated and secure hardware and firmware from trusted vendors.