A recent security post warned that firmware attacks are on the rise. It cited a survey of 1,000 cybersecurity decision makers at enterprises across multiple industries in the UK, US, Germany, Japan, and China, which found that 80% of firms have experienced at least one firmware attack in the past two years. However, only 29% of security budgets have been allocated to protect firmware. The solution for this, according to Microsoft, is secured-core PCs that provide “powerhouse protection out of the box, with capabilities such as virtualization-based security, Credential Guard, and kernel DMA protection.”
I’d argue that not only are these types of protections not needed for all workstations, but that’s also not where we should be focusing our resources. It might not even be why firmware updates are important. In addition, IT administrators, when asked what firmware attacks they’ve dealt with in the past year, say they think in terms of firewalls or VPN software that needed to be patched and not necessarily the firmware of the computers in their network.
While some malware has used firmware vulnerabilities to gain network access, it’s usually combined with other attacks. For example, the Robbinhood ransomware brute-forced Remote Desktop Protocol (RDP) to gain access to the network. Once the attackers had a foothold, they used a vulnerable kernel driver from Gigabyte.
Put your security budget where you will get the most bang for the buck. If you spend resources purchasing computers that have secure firmware, you will miss out on many more affordable solutions that can provide security fixes sooner rather than later. Focus on risk-based security solutions, not those that protect against unusual attacks. Here are a few to consider: