Microsoft warns businesses are not taking firmware attack threat seriously enough

By Carl Brown2021-04-08T07:35:00+01:00

No comments

Businesses are not paying close enough attention to firmware attacks, Microsoft has warned, following research showing the scale of the problem.

The March 2021 Security Signals report commissioned by Microsoft and produced by research agency Hypothesis found 83% of businesses polled had experienced at least one firmware attack in the past two years. The report showed however 29% of security budgets are allocated to the problem and Microsoft says this shows “attacks against firmware are outpacing investments targeted at stopping them”.

Firmware refers to permanent code that controls hardware components of PCs which sits in a layer below the operating system and does not have the protection of the cloud. Malware can be designed to tamper the code in motherboards or hardware drivers.

The attacks are much more complex to pull off than other types of cyber-attacks and tend to be made against larger companies. The National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce, has recorded a five-fold increase in attacks against firmware in the last four years.

In a blogpost, Microsoft said: “Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks targeting areas of computing that don’t have the protection of the cloud.

“New data shows that firmware attacks are on the rise, and businesses aren’t paying close enough attention to securing this critical layer.”

The Security Signals report however reveals that firms are investing in several firmware security projects, with advanced threat protection, security updates, vulnerability scans and security assessment and authentication the main areas invested in.

The top concerns about firmware cited by respondents are malware gaining full access to systems, the difficulty of detecting firmware threats, the loss of sensitive keys or data, and vulnerabilities introduced in the supply chain.

Organizations that reported experiencing a firmware attack are more likely to consider hardware and firmware security to be critically important.

The National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce, continually updates a National Vulnerability Database (NVD) with new security flaws.

The database has recorded a five-fold increase in attacks against firmware in the last four years.

Microsoft said however that there is a “new willingness to invest in protections, and an emerging class of secured-core hardware is showing the potential to empower organizations with chip-level security and new automation and analytics capabilities.”

Register to receive the latest cyber security news and analysis straight to your inbox

Topics

No comments

Article
US utilities struggling to meet demand of energy-thirsty AI

2024-04-19T11:53:00Z

In the US, demands for power are outstripping availability as energy-thirsty technologies such as generative AI pile pressure on national electrical systems.
Article
Banks poised for increased risk due to AI

2024-04-19T09:06:00Z

A leading banking regulator has issued a stern warning over the risks that financial institutions face as they move to integrate artificial intelligence (AI) and machine learning (ML) into governance operations.
News
Chicago Gears Up for GRC Connect: Sharpen Skills, Network, and Navigate the Future of GRC

2024-04-15T11:39:00Z By Jonathan Sumner, Chief Digital & Marketing Officer, GRC World Forums.

Get ready, Chicago! GRC Connect kicks off tomorrow, bringing together the brightest minds in governance, risk management, and compliance (GRC) for two days of insightful learning, valuable networking opportunities, and expert guidance on navigating the ever-evolving GRC landscape.