Abstract
In 2016, reports of ransomware, Internet of Things (IoT) attacks and increased cyberespionage have dominated headlines. Yet many vulnerabilities reside in an area that is rarely addressed within the infrastructure of almost all organizations: firmware. In addition, as IoT devices proliferate, firmware, operating system and application functionality become wholly entwined, and the differentiation between them blurs.
This study attempts to identify how many firmware attacks are occurring and what is being done to reduce enterprise risk from attacks targeting firmware. The results reveal findings that are both encouraging and concerning for cyber security professionals. The survey, which used multiple-choice and Likert-scale formats, was organized in five major sections, including:
Demographics
Impact
Conclusions
Table of Contents
Firmware Background
Description of the Survey Population
Frameworks and Standards
Conclusion
Acknowledgments
List of Figures
Figure 1: Industry Representation
Figure 2: Geographic Representation
Figure 3: Prominent Frameworks
Figures 4 to 10 (titles not preserved in this copy)
Firmware Background
Firmware is not often talked about. Some might say it is forgotten, overlooked, an afterthought. Yet that hard-coded software, usually stored in ROM, flash or similar non-volatile memory, is a critical, vulnerable and increasingly attractive entry point for attackers. Firmware compromise can come from a bad actor introducing corrupt firmware, or from an original equipment manufacturer (OEM) identifying vulnerabilities in previously trusted firmware. OEM examples are not limited to small vendors or those new to the market. Fortinet disclosed a serious vulnerability this year when a Secure Shell (SSH) back door was identified that allowed users to log in with administrative privileges to vulnerable devices.1 That vulnerability was the result of a design feature, unlike the case at Juniper, which discovered unauthorized code in the ScreenOS that runs on many of its firewalls. The code allowed unauthorized administrative access and also decryption of virtual private network (VPN) connections, which could let a bad actor passively listen to traffic that was thought to be encrypted.2
While firmware is not one of the most commonly reported attack vectors, recent incidents such as those at Fortinet and Juniper, the Equation Group's attack on hard drive firmware, and attacks such as Flame, which received extensive media attention, have brought firmware to light as a vulnerability, resulting in discussion focused on platform components such as the basic input-output system (BIOS) and secure boot.
1 Gross, Garrett; "Juniper ScreenOS Backdoor Eavesdropping," AlienVault, 11 January 2016, https://www.alienvault.com/blogs/security-essentials/juniper-screenos-backdoor-eavesdropping
2 Scholl, Derrick; "Important Announcement about ScreenOS," Juniper, 17 December 2015, https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
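The background above names two ways firmware becomes untrustworthy: an attacker introducing modified firmware, and a vendor discovering unauthorized code in firmware that was previously trusted. The control both cases call for, and the one the survey later asks about under "firmware integrity monitoring, validation", is validating an image against something the device and its vendor did not both sign off on at the same time. The following Python is an added example, not code from this ISACA report. It assumes a hypothetical image format (a 4-byte magic, a version, a payload length and an embedded SHA-256 of the payload; no real vendor uses exactly this layout) and an out-of-band allowlist standing in for vendor-published digests. The point it makes is that an embedded digest only proves an image is internally consistent; an image whose payload and digest were both rewritten passes that check and is caught only by the allowlist comparison. The fleet data at the bottom is constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical image layout (an assumption for this example, not a real vendor format):
#   4 bytes  magic "FWIM"
#   4 bytes  version (little-endian uint32)
#   4 bytes  payload length (little-endian uint32)
#   32 bytes SHA-256 of the payload, as written by whoever built the image
#   N bytes  payload
MAGIC = b"FWIM"
HEADER = struct.Struct("<4sII")
DIGEST_LEN = hashlib.sha256().digest_size
HEADER_LEN = HEADER.size + DIGEST_LEN


def build_image(version: int, payload: bytes) -> bytes:
    """Assemble an image in the hypothetical format, embedding the payload digest."""
    return HEADER.pack(MAGIC, version, len(payload)) + hashlib.sha256(payload).digest() + payload


@dataclass
class Verdict:
    status: str                    # malformed | corrupt | unrecognized | known_good
    version: Optional[int] = None
    digest: Optional[str] = None   # hex SHA-256 of the payload actually present


def verify_image(image: bytes, allowlist: Dict[int, str]) -> Verdict:
    """Check structure and embedded digest, then compare against out-of-band known-good digests.

    A digest mismatch means the bytes were damaged or tampered after the image was built.
    A digest that matches but is absent from the allowlist means the image was rebuilt by
    someone other than the vendor: well-formed, self-consistent, and still not to be trusted.
    """
    if len(image) < HEADER_LEN:
        return Verdict("malformed")
    magic, version, payload_len = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return Verdict("malformed")
    embedded = image[HEADER.size:HEADER_LEN]
    payload = image[HEADER_LEN:]
    if len(payload) != payload_len:
        return Verdict("malformed", version)
    actual = hashlib.sha256(payload).digest()
    if not hmac.compare_digest(actual, embedded):
        return Verdict("corrupt", version, actual.hex())
    if not hmac.compare_digest(actual.hex(), allowlist.get(version, "")):
        return Verdict("unrecognized", version, actual.hex())
    return Verdict("known_good", version, actual.hex())


def audit_fleet(images: Dict[str, bytes], allowlist: Dict[int, str]) -> Dict[str, str]:
    """Run verify_image over images pulled from devices and return device -> status."""
    return {device: verify_image(img, allowlist).status for device, img in images.items()}


# Constructed sample data (not real firmware): one vendor-issued image and three bad ones.
GOOD_PAYLOAD = b"example bootloader v1 (constructed sample payload)"
GOOD_IMAGE = build_image(1, GOOD_PAYLOAD)
ALLOWLIST = {1: hashlib.sha256(GOOD_PAYLOAD).hexdigest()}   # stands in for a vendor manifest

# Internally consistent but not vendor-issued: the builder was rerun over a modified payload.
MODIFIED_IMAGE = build_image(1, GOOD_PAYLOAD + b" plus an unauthorized modification")

# One flipped bit in storage or transit: payload no longer matches the embedded digest.
_corrupt = bytearray(GOOD_IMAGE)
_corrupt[-1] ^= 0x01
CORRUPT_IMAGE = bytes(_corrupt)

FLEET = {
    "fw-01": GOOD_IMAGE,
    "fw-02": MODIFIED_IMAGE,
    "fw-03": CORRUPT_IMAGE,
    "fw-04": GOOD_IMAGE[:20],   # truncated read from the device
}

if __name__ == "__main__":
    for device, status in audit_fleet(FLEET, ALLOWLIST).items():
        print(f"{device}: {status}")
```

In practice the allowlist is whatever the vendor publishes out of band (a signed manifest or a digest on the support site), and the same check runs both before flashing and periodically against images read back from devices, which is how the monitoring half of "integrity monitoring, validation" detects a change nobody authorized.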
Description of the Survey Population
The populations invited to respond to the survey were selected ISACA certification holders and members. Due to the nature of the survey, the targeted population consisted of individuals who have cyber security job responsibilities. More than 750 individuals participated, of whom 436 indicated that their primary job function is cyber security or information security. The data represented in this report reflect the information provided by those 436 individuals.
A typical respondent can be described as follows:
ISACA member: 81 percent
Holder of the Certified Information Security Manager (CISM) (60 percent) and/or Certified Information Systems Security Professional (CISSP) (40 percent) credential
Geographically diverse: operations in North America (49 percent), Europe (54 percent) and Asia (38 percent); respondents could indicate more than one region
Business sectors/industries: 22 percent in financial services, 26 percent in technology services/consulting
Role: 78 percent in cyber security/information security management, 21 percent cyber security/information security practitioners
Enterprise size: 61 percent employed in an enterprise with at least 1,500 employees
While the norms of the sample population are interesting to consider, it is important to note some characteristics of respondents that are not in the majority. Those surveyed are employed in more than 20 industries (see figure 1) and have business operations in at least four other major global regions (Latin America, Middle East, Africa and Oceania) in addition to the majority areas (see figure 2).
Figure 1: Industry Representation. Survey question: "Which of the following best describes your business industry?" Categories charted (bar values not preserved in this copy): Retail/Wholesale/Distribution; Utilities; Technology Services/Consulting; Transportation; Education/Student; Insurance; Other; Manufacturing/Engineering; Health Care/Medical; Financial/Banking; Telecommunications/Communications; Government/Military-National/State/Local.
Figure 2: Geographic Representation. Survey question: "Please indicate the regions in which your company currently operates." Europe 54%; North America 49%; Asia 38%. The remaining values (33%, 25%, 24% and 18%) belong to Latin America, the Middle East, Africa and Oceania, but this copy does not preserve which value goes with which region.
Frameworks and Standards
Figure 3: Prominent Frameworks (Security Management and Controls). Frameworks charted, axis 0 to 80 percent, bar values not preserved in this copy: ISO/IEC 27001; COBIT 5; PCI DSS 3.0; NIST SP 800-53 Rev 4; HIPAA; NIST CSF; PCI; Other; CIS Controls for Effective Cyber Defense Version 6.0; Unknown; HITRUST CSF; Australian Top 35; FFIEC Assessment Tool; FFIEC Examiners Handbook; NSA Top 10; UK ICO Protecting Data; UK Cyber Essentials; NERC CIP; GCHQ 10 Steps; FedRAMP.
Figure: Survey question: "Which of the following choices best describe feedback your company has received via compliance audits related to firmware integrity monitoring, validation and/or firmware flaw remediation?" Responses (Fully Compliant, No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist; Noncompliant, Material Deficiencies Exist; No Feedback Received Regarding Firmware Controls; Unknown) are charted on a 0 to 100 percent axis, broken down by the priority given to security in hardware life cycle management: High Priority: Security Is a Key or Driving Criteria; Moderate Priority: Security Is Considered Among Other Key or Driving Factors; Low Priority: Security Is Considered but Is Not a Key Factor; Not a Priority: Security Is Not a Consideration; Unknown. Bar values are not preserved in this copy.
Figure: Effectiveness rating (question text not preserved in this copy) by compliance-audit feedback on firmware controls. Row percentages; the label of the first rating column was not preserved. The Total column gives each row's share of all respondents.
Audit feedback | (label not preserved) | Effective | Substandard | Unknown | Total
Fully Compliant, No Deficiencies Exist | 63% | 29% | 6% | 2% | 11%
Partially Compliant, Minor Deficiencies Exist | 9% | 78% | 10% | 3% | 29%
Noncompliant, Material Deficiencies Exist | 0% | 42% | 58% | 0% | 8%
No Feedback Received Regarding Firmware Controls | 6% | 56% | 35% | 3% | 36%
Unknown | 6% | 62% | 10% | 22% | 16%
Total Respondents | 55 | 256 | 97 | 25 | 433
Figure: Implementation status of firmware controls (the Conclusion refers to this as implementation of controls for firmware; the question text is not preserved in this copy) by compliance-audit feedback. Row percentages; the Total column gives each row's share of all respondents.
Audit feedback | Fully Implemented | Partially Implemented | Planning to Implement Within the Next 12 Months | Planning to Implement Within the Next 24 Months | Not Planning to Implement | Unknown | Total
Fully Compliant, No Deficiencies Exist | 57% | 31% | 6% | 2% | 0% | 4% | 11%
Partially Compliant, Minor Deficiencies Exist | 15% | 67% | 6% | 6% | 3% | 3% | 29%
Noncompliant, Material Deficiencies Exist | 0% | 30% | 18% | 24% | 27% | 0% | 8%
No Feedback Received Regarding Firmware Controls | 4% | 22% | 10% | 17% | 34% | 13% | 36%
Unknown | 4% | 16% | 4% | 4% | 7% | 63% | 16%
Total Respondents | 56 | 155 | 35 | 46 | 72 | 69 | 433
Figure: Preparedness for an attack at the firmware layer (Fully Prepared; Mostly Prepared; Partially Prepared; Unprepared; Unknown), charted on a 0 to 60 percent axis by compliance-audit feedback: Fully Compliant, No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist; Noncompliant, Material Deficiencies Exist; No Feedback Received Regarding Firmware Controls; Unknown. Bar values are not preserved in this copy.
Conclusion
The vulnerabilities associated with firmware are understood by the security professionals represented in the survey. Roughly half the respondents are at least partially using the Trusted Platform Module (TPM), and 69 percent report that security is at least a moderate priority in the enterprise's overall approach to hardware life cycle management.
The study revealed that the relationship between audit and the enterprise regarding firmware management is key. The organizations that received valuable feedback during regular compliance audits for firmware fared better than those that did not with regard to preparedness for an attack at this layer, implementation of controls for firmware and overall patch management processes. Organizations should work to build
Figure: Occurrences of firmware-related incidents (question text not preserved in this copy), charted on a 0 to 100 percent axis. Legend: Unknown; No Known Occurrences; Single Occurrence, Immaterial Impact; Single Occurrence, Material Impact; Multiple Occurrences, Immaterial Impact; Multiple Occurrences, Material Impact. Categories: High Priority: Security Is a Key or Driving Criteria; Moderate Priority: Security Is Considered Among Other Key or Driving Factors; Low Priority: Security Is Considered but Is Not a Key Factor; Not a Priority: Security Is Not a Consideration; Unknown. Bar values are not preserved in this copy.
Figure: Occurrences of firmware-related incidents by platform type. Row percentages; most row labels and the label of the first column were not preserved in this copy. Row totals add to well over 100 percent, so respondents evidently could select more than one platform; the Total column gives each row's share of all respondents.
Platform | (label not preserved) | Multiple Occurrences, Immaterial Impact | Single Occurrence, Material Impact | Single Occurrence, Immaterial Impact | No Known Occurrences | Unknown | Total
(label not preserved) | 6% | 17% | 10% | 16% | 40% | 11% | 51%
Servers and/or Server-based Platforms | 5% | 19% | 9% | 14% | 45% | 8% | 64%
(label not preserved) | 5% | 18% | 9% | 12% | 46% | 9% | 63%
(label not preserved) | 5% | 19% | 9% | 15% | 44% | 10% | 50%
(label not preserved) | 7% | 34% | 12% | 17% | 17% | 12% | 10%
(label not preserved) | 2% | 5% | 9% | 2% | 73% | 9% | 21%
Unknown | 5% | 7% | 5% | 4% | 33% | 45% | 13%
Total Respondents | 19 | 60 | 33 | 43 | 218 | 56 | 429
Figure: Preparedness for an attack at the firmware layer by priority given to security in hardware life cycle management. Row percentages; the Total column gives each row's share of all respondents. The row labels and the first column label were not preserved in this copy; the rows follow the priority categories used in the preceding figure (the High and Moderate rows together give the 69 percent cited in the Conclusion), and the first column is the Fully Prepared response.
Priority | Fully Prepared | Mostly Prepared | Partially Prepared | Unprepared | Unknown | Total
High Priority: Security Is a Key or Driving Criteria | 32% | 36% | 24% | 5% | 4% | 24%
Moderate Priority: Security Is Considered Among Other Key or Driving Factors | 8% | 26% | 42% | 12% | 11% | 45%
Low Priority: Security Is Considered but Is Not a Key Factor | 1% | 6% | 42% | 49% | 3% | 24%
Not a Priority: Security Is Not a Consideration | 0% | 6% | 18% | 71% | 6% | 4%
Unknown | 6% | 12% | 6% | 0% | 76% | 4%
Total Respondents | 50 | 96 | 151 | 90 | 42 | 429
ISACA
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.
Disclaimer
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.
Reservation of Rights
© 2016 ISACA. All rights reserved.
Provide feedback: cybersecurity.isaca.org/firmware
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ACKNOWLEDGMENTS
ISACA wishes to recognize:
Lead Developer
Justine Bone, MedSec, USA
Theresa Grafenstine
Robert Clyde
Leonard Ong
Andre Pitkowski
Eddie Schwartz
Jo Stewart-Rattray
Jeff Spivey
Robert E Stroud
Tony Hayes
Greg Grocholski
Matt Loeb
Niall Casey
Stacey Halota
Tammy Moskites
Tichaona Zororo
Lisa O'Connor
Zubin Chagpar
Ron Ritchey
Marcus Sachs
Greg Witte
Rogerio Winter