Microsoft says businesses aren't doing enough to fight firmware attacks

News
By
published

Firmware attacks are common among enterprises, but security teams aren't doing enough to prevent them.

Surface Pro X Sq2 Hero
Surface Pro X Sq2 Hero (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • A new study states that businesses aren't doing enough to protect against firmware attacks.
  • Microsoft commissioned the study, which involved interviews with 1,000 enterprise security decision makers.
  • The study states that many security teams use an outdated "protect and detect" model.

Microsoft says that businesses aren't paying enough attention to securing systems against firmware attacks. The company shared the results of a commissioned study that shows that "attacks against firmware are outpacing investments targeted at stopping them."

The March 2021 Security Signals report states that while 80% of enterprises have experienced at least one firmware attack in the past two years, only 29% of security budgets are allocated to protect firmware.

Security Signals is a report based on interviews with 1,000 enterprise security decision makers (SDMs) from several industries in the U.S., UK, Germany, China, and Japan.

According to the study, organizations invest in security updates, vulnerability scanning, and advanced threat protection. Protecting against firmware attacks is complicated. Firmware sits below a PC's operating system and isn't scannable by antivirus software on many devices. Microsoft discusses this in its blog post:

Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don't offer visibility into that layer to ensure that attackers haven't compromised a device prior to the boot process or at runtime [below] the kernel. And attackers have noticed.

Part of the problem, according to the study, is that security teams use an outdated reactive model to threats:

Security Signals also found that security teams are too focused on outdated "protect and detect" models of security and are not spending enough time on strategic work — only 39% of security teams' time is spent on prevention and they don't see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.

Microsoft created a new class of devices called Secured-core PCs, including Microsoft's own Surface Pro X. These devices have multiple levels of protection at a hardware, firmware, and software level. Quite a few PC manufacturers make Secured-core PCs, including Acer, ASUS, Dell, Dynabook, HP, Lenovo, and Microsoft.

CATEGORIES
Sean Endicott
Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.