Change is the only constant. The statement, which dates back to the ancient Greeks and is used in almost every situation where changes are being made today, is also true for the war on cyber crime.
Change is inevitable: new attack vectors are being discovered daily, and almost always after the incident has taken place.
Looking to protect and secure their organisations, security decision-makers are tasked with crafting and implementing strategies that will ensure their companies operate and grow safely. But the question is: are they being given the correct information to develop and implement a comprehensive strategy?
A recent study commissioned by Microsoft showed that as part of their strategy, security teams are spending almost as much time on detecting and responding to threats as they are on preventing attacks.
The report also shows that attacks against firmware are outpacing investments targeted at stopping them. The Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.
Microsoft says: “Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure attackers haven’t compromised a device prior to the boot process or at runtime below the kernel.”
The National Institute of Standards and Technology’s National Vulnerability Database has shown more than a fivefold increase in attacks against firmware in the last four years.
This is not surprising, considering how rapidly cyber criminals can adapt and change their approaches. With cyber crime their sole business purpose, they will continue to look for the perfect gaps. In the past, they got in through patches and software, but with few organisations addressing the risks in firmware, it was almost inevitable that cyber criminals would target that area.
The Microsoft report notes that in addition to firmware attacks, there is growing concern about attack vectors exposed by hardware, such as the recent ThunderSpy attack which targeted Thunderbolt ports, leveraging direct memory access functionality to compromise devices via hardware access to the Thunderbolt controller.
Unfortunately, for many organisations in South Africa and globally, IT security teams are so busy handling day-to-day security management that there are few resources to dedicate to a proper risk strategy, in which the potential for attacks via firmware could have been foreseen and mitigated.
In the Microsoft Security Signals report, more than half of the decision-makers surveyed said their staff are too busy to spend enough time on strategic work. Instead, they are focusing on “table stakes” security issues such as software patches, hardware upgrades, and internal and external security vulnerabilities.
Challenged by a lack of resources and the global IT security skills shortage, most organisations are stuck in reactive cycles and are hard-pressed to keep up with ever-changing cyber attack modes. However, for the sake of business resilience, they must.
Organisations have to embark on strategic security planning, preferably with a dedicated team to track evolving risk and ensure all potential risks are covered. They must be constantly assessing the environment, carrying out vulnerability assessments and penetration testing – and they need to do so more frequently than once a year, as both the organisation and the risk environment are constantly changing.
Organisations can counter the challenge of security skills shortages by upskilling their in-house teams, or they should outsource these specialised services to experts. And in this environment of increased risk, they should become more demanding of the outsourced security service providers, looking for shared responsibility and risk models to give them the assurance that the service provider is genuinely looking after their interests.
Investments in security can also lead to improved efficiency. The majority of security decision-makers reported that security increases efficiency, freeing up security and IT teams to work on other projects and promote business continuity, and it safely enables end-user productivity.
Security also offers improved capabilities, such as enhanced data availability, confidentiality and integrity. Other benefits include proactive security, and regulation and compliance.