Microsoft says that businesses aren’t paying enough attention to securing systems against firmware attacks. The company shared the results of a commissioned study that shows that “attacks against firmware are outpacing investments targeted at stopping them.”
The March 2021 Security Signals report states that while 80% of enterprises have experienced at least one firmware attack in the past two years, only 29% of security budgets are allocated to protect firmware.
Security Signals is a report based on interviews with 1,000 enterprise security decision makers (SDMs) from several industries in the U.S., UK, Germany, China, and Japan.
According to the study, organizations invest in security updates, vulnerability scanning, and advanced threat protection. Protecting against firmware attacks is complicated. Firmware sits below a PC’s operating system and isn’t scannable by antivirus software on many devices. Microsoft discusses this in its blog post:
Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime [below] the kernel. And attackers have noticed.
Part of the problem, according to the study, is that security teams use an outdated reactive model to threats:
Security Signals also found that security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic work — only 39% of security teams’ time is spent on prevention and they don’t see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.
Microsoft created a new class of devices called Secured-core PCs, including Microsoft’s own Surface Pro X. These devices have multiple levels of protection at a hardware, firmware, and software level. Quite a few PC manufacturers make Secured-core PCs, including Acer, ASUS, Dell, Dynabook, HP, Lenovo, and Microsoft.