Businesses are not paying close enough attention to firmware attacks, Microsoft has warned, following research showing the scale of the problem.
The March 2021 Security Signals report commissioned by Microsoft and produced by research agency Hypothesis found 83% of businesses polled had experienced at least one firmware attack in the past two years. The report showed however 29% of security budgets are allocated to the problem and Microsoft says this shows “attacks against firmware are outpacing investments targeted at stopping them”.
Firmware refers to permanent code that controls hardware components of PCs which sits in a layer below the operating system and does not have the protection of the cloud. Malware can be designed to tamper the code in motherboards or hardware drivers.
The attacks are much more complex to pull off than other types of cyber-attacks and tend to be made against larger companies. The National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce, has recorded a five-fold increase in attacks against firmware in the last four years.
In a blogpost, Microsoft said: “Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks targeting areas of computing that don’t have the protection of the cloud.
“New data shows that firmware attacks are on the rise, and businesses aren’t paying close enough attention to securing this critical layer.”
The Security Signals report however reveals that firms are investing in several firmware security projects, with advanced threat protection, security updates, vulnerability scans and security assessment and authentication the main areas invested in.
The top concerns about firmware cited by respondents are malware gaining full access to systems, the difficulty of detecting firmware threats, the loss of sensitive keys or data, and vulnerabilities introduced in the supply chain.
Organizations that reported experiencing a firmware attack are more likely to consider hardware and firmware security to be critically important.
The National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce, continually updates a National Vulnerability Database (NVD) with new security flaws.
The database has recorded a five-fold increase in attacks against firmware in the last four years.
Microsoft said however that there is a “new willingness to invest in protections, and an emerging class of secured-core hardware is showing the potential to empower organizations with chip-level security and new automation and analytics capabilities.”
Register to receive the latest cyber security news and analysis straight to your inbox