Every 39 seconds there is a cyber attack affecting one out of three Americans. All organizations need to take proactive measures and think like the attackers that are infiltrating their networks.
Despite the fact that businesses around the world are deploying new cybersecurity tools to fend off these persistent attackers, cybercriminals are working around the clock to find new and improved ways to get around them and infect software and hardware.
Physical access requirements are a thing of the past. A somewhat recent example includes UEFI/BIOS implants, which were weaponized by nation-states and installed remotely by exploiting vulnerabilities in the underlying UEFI system. It’s a form of cyber-espionage where attackers thrive off of access, stealth, and persistence to manipulate low-level software embedded in the hardware to gain control over the system. Once hackers gain control, they sit and wait for the most opportune moment to create the most destruction possible.
Specifically, hackers wait until they have the opportunity to infiltrate every facet of the system, without detection, in order to access as much valuable data as possible. Once they are in, they make it extremely difficult for the security team to track them, let alone remove them altogether.
The shift from physical to remote access hacking
Attackers have and always will go for the low-hanging fruit, the easiest point of access, whether it be on a weapons system, laptop, or automobile. In the past, they have primarily targeted the software running at the application layer such as email, web browsers, and development tools. One layer deeper, attacks take place on the operating systems, such as Windows, Linux, macOS, and iOS. Hackers are well aware that operating systems are often vulnerable to bugs, which makes infiltrating these systems even easier.
Developers have gotten more security savvy in the last five to 10 years and as a result, so have their cybersecurity tools. As additional layers of protection have been added to the operating system, these once-considered “easy” attacks are now more difficult for cybercriminals. Once one method becomes harder, attackers then look for otherー easier ー ways to disrupt operations.
They bypass software and target hardware through the supply chain, insider threats, system updates, firmware updates and hardware errors. For example, Spectre and Meltdown are a trio of flaws that arose from features that are part of nearly every modern computer CPU and some CPUs as far back as 20 years. The consequences are very real.
Hackers can get access to memory, including passwords, encryption keys, or other sensitive information, by leveraging hardware design flaws to leak data between applications. Even mechanisms that are designed to prevent these vulnerabilities, such as allowing firmware updates for the CPU, can be used as “back doors” that allow attacks against hardware. Organizations need to take proactive measures, like adopting a zero trust framework, to reduce the risk of a successful attack.
The strategy behind a zero trust cybersecurity approach is to trust no one and verify everybody.
Hardware has always been inherently trusted, meaning that the hardware design doesn’t always include security features itself, but instead relies on higher level software to provide protections. Unfortunately, if an organization falls victim to a hardware attack, there isn’t much that can be done. Hardware hacks are often very difficult to detect as the payloads often sit quietly and wait for the best opportunity to activate the attack. Organizations often don’t know they have been hit until the hacker pivots from hardware to the OS and Application software and the damage is already done.
A zero trust strategy gives organizations the ability to take action against this risk.
Hardware hacks: Plan A, when there isn’t a Plan B
Because hardware hacks are so difficult to detect and mitigate it is important for organizations to do everything possible to thwart them.
The first priority is ensuring hardware verification is a top priority. Because hackers are able to mimic an admin once they have access, having a zero trust framework in place is a necessity. A zero trust approach leverages hardware root-of-trust solutions that enforce advanced security technologies in commercial systems in a way that prevents them from being disabled or bypassed, even by insiders or attackers that have administrator privilege on the system.
Software updates are an important part of a strong security posture, and this goes for hardware/firmware updates as well. Critical security patches should be applied as soon as possible to address evolving threats. Even in this process, back doors are created for firmware to act which increases the attack surface. Every update should be verified as authentic from a trusted provider, preferably by some cryptographic methods like signed packages. Organizations must also have a secondary process to independently verify the updates before they’re applied.
No area of the security perimeter goes unnoticed by hackers, so organizations must ensure all equipment is protected. This means verifying that peripheral and support hardware – not just the obvious major targets – are protected from these attacks as well. Hackers get more sophisticated by the day.
The best crisis plan is one you never have to use, but it is critical that every organization has one in place. This is especially true with hardware hacking when a reactive approach is not an option. Knowing this will be our reality, we need plans, processes and tools in place to detect, protect and mitigate attacks.