Hardware Security is Starving, and Bad Actors are Hungry
Author: Sepio Systems
All organizations have (or at least should have) a cybersecurity department that is responsible for securing the entire enterprise from cyber-related threats.
This can be an overwhelming duty, and a limited budget only amplifies the challenge, since the department must decide where to allocate the funds.
The work can be divided into three domains: Application Security, Network Security and Hardware Security.
Naturally, the budget will be divided according to perceived importance; but do organizations have their priorities in check?
The Three Domains
1 – Application Security
The cybersecurity team enforces measures that improve the security of an application: finding and patching vulnerabilities to protect the organization from threats such as unauthorized access, advanced persistent threats (APTs) and malware injection. To secure an application, the cybersecurity department has a range of techniques at its disposal, applicable at different stages of the application's lifecycle, from design and development through to deployment and maintenance.
2 – Network Security
To protect the usability and integrity of an organization's network and data, the cybersecurity department applies a number of policies and practices. An organization's network and data are prime targets for bad actors, and an attack on the network can spread throughout the organization, causing severe damage. Securing the network therefore protects the enterprise from a range of cyberattacks that can have extreme consequences, and the measures must cover both public-facing and internal networks. With network security measures in place, such as NAC solutions, only compliant, authenticated and trusted endpoint devices and nodes are able to access network resources and infrastructure, and the activity of those devices is monitored to provide an additional layer of protection. A comprehensive network security solution covers every node on the network, including computers, servers, firewalls and routers.
3 – Hardware Security
In this third domain, physical systems and devices are the subject of protection. Malicious actors are increasingly turning to hardware attacks to gain unauthorized access to confidential data, steal trade secrets, conduct espionage and more. The tools of these attacks are "Rogue Devices": hardware that is malicious by design or has been tampered with, which a poorly regulated hardware production and supply chain makes easy to introduce.
Hardware attacks commonly take the form of Spoofed Peripherals or Network Implants, and conventional controls offer little protection against either. A spoofed peripheral, once plugged into an endpoint, enumerates as a genuine HID (a keyboard, for example), so the operating system accepts whatever it types and raises no alarm. A network implant sits on the Physical Layer, below the visibility of endpoint agents and of security software that inspects traffic at Layer 2 and above.
Detecting hardware attacks is therefore extremely challenging, and locating the device and establishing its origin is harder still. Protecting hardware is also an arduous task, since verifying each device has traditionally required manual inspection. Because organizations do not treat hardware security as a top priority, and consequently do not apply sufficient hardware enforcement capabilities, bad actors are carrying out hardware-based attacks with growing success, and security in this domain is now crucial.
Hardware Security needs to be fed
Organizations' frequent disregard for hardware security means that this domain is starved of the funds needed to give the enterprise the necessary protection and full visibility. Hardware attacks are therefore occurring more regularly, and every enterprise is at risk of falling victim to one. Whatever the industry, all organizations are targets for bad actors, especially those motivated by financial gain.
Nonetheless, there are many motivations behind hardware attacks, and government agencies and critical infrastructure find themselves subject to them. In 2019, it was announced that a US federal agency facility had been hacked and 500 megabytes of data from 23 files belonging to one of its major assets had been stolen. The discovery of the breach led several external entities to disconnect from the agency's network.
When government entities or critical infrastructure are targeted, the perpetrators are often state-sponsored actors, or organized crime groups operating with state assistance. With that backing, such groups have advanced capabilities that allow them to infiltrate deep into the target's network and cause substantial damage. Notably, the 2013 leak of the NSA's "toolbox" (the ANT catalog) showed the plethora of hardware implants the US government possesses for covert hardware attacks, and raises the question of which tools other governments have at their disposal. Moreover, since the leak, comparable attack tools have become more easily accessible, increasing the number of actors using them.
Hardware Access Control
Sepio Systems, the leader in Rogue Device Mitigation (RDM), has developed the concept of Hardware Access Control (HAC) which can be split into three pillars:
Visibility – the organization receives full visibility of all of its IT assets; no device goes unnoticed and every anomaly is detected, which strengthens the enterprise's cybersecurity posture. The organization can be confident that all devices are accounted for.
Policy Enforcement – predefined policies, set in line with the organization's security goals, are enforced. Once a policy and baseline have been established, ARM mode is activated and USB enforcement takes effect: any peripheral that breaches the predefined policy is blocked immediately, either as a whole or only the offending functional part (for example, a single interface of a composite device).
Rogue Device Mitigation – with every device covered, any that behaves suspiciously is detected, alerted on and blocked. By covering both the network and the USB interface, the organization receives protection against both Network Implants and Spoofed Peripherals. Rogue Devices are identified through hardware fingerprinting and behavior analytics; the solution raises alerts for security threats, enforces policies and delivers risk insights and best-practice recommendations.
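To make the policy-enforcement and rogue-device pillars concrete, here is a small USB peripheral policy engine written for this article; it is example code, not Sepio's product or API. It evaluates each enumerated device against a baseline of approved (vendor ID, product ID) pairs and the interface classes each is allowed to expose, blocking an unknown device outright, blocking only the unexpected interface ("functional part") of a known device, and blocking the whole device when the unexpected interface is one that can inject input or traffic, which is the spoofed-peripheral pattern of a "USB stick" that also enumerates as a keyboard. All vendor/product IDs, the baseline and the sample devices are constructed.

```python
"""Toy USB peripheral policy engine.

Added example for this article, not Sepio's code. Vendor/product IDs,
the baseline policy and the sample devices are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# USB interface class codes (from the USB-IF class code table)
CLASS_AUDIO = 0x01
CLASS_CDC = 0x02           # communications: USB Ethernet (CDC-ECM/NCM) lives here
CLASS_HID = 0x03           # keyboards, mice
CLASS_MASS_STORAGE = 0x08
CLASS_VIDEO = 0x0E

# Classes that let a device inject keystrokes or network traffic into the host.
# A device that sprouts one of these without approval is treated as a spoofed
# peripheral and blocked as a whole, not merely on that interface.
INJECTION_CLASSES = frozenset({CLASS_HID, CLASS_CDC})


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    serial: str
    interfaces: Tuple[int, ...]   # interface classes the device enumerated with


@dataclass(frozen=True)
class Verdict:
    action: str                   # "allow", "block_interfaces" or "block_device"
    blocked: Tuple[int, ...]      # interface classes denied
    reason: str


# Policy: each approved (vid, pid) maps to the interface classes it may expose.
Policy = Dict[Tuple[int, int], FrozenSet[int]]


def evaluate(dev: UsbDevice, policy: Policy) -> Verdict:
    """Compare one enumerated device against the baseline policy."""
    permitted = policy.get((dev.vid, dev.pid))
    if permitted is None:
        # Unknown hardware: nothing in the baseline vouches for it.
        return Verdict("block_device", dev.interfaces,
                       f"{dev.vid:04x}:{dev.pid:04x} not in allowlist")
    unexpected = tuple(c for c in dev.interfaces if c not in permitted)
    if not unexpected:
        return Verdict("allow", (), "all interfaces match baseline")
    injected = [c for c in unexpected if c in INJECTION_CLASSES]
    if injected:
        # Known ID, but it now offers an input or network interface it never
        # had: classic spoofed peripheral, so block the whole device.
        return Verdict("block_device", dev.interfaces,
                       f"unexpected injection-capable class(es) {[hex(c) for c in injected]}")
    # Benign drift (e.g. a microphone on a camera-only webcam): block that part only.
    return Verdict("block_interfaces", unexpected,
                   f"class(es) {[hex(c) for c in unexpected]} outside baseline")


def evaluate_all(devices: Tuple[UsbDevice, ...], policy: Policy) -> List[Tuple[UsbDevice, Verdict]]:
    return [(d, evaluate(d, policy)) for d in devices]


# Constructed baseline: approved devices and the interface classes they may expose.
BASELINE: Policy = {
    (0x1234, 0x0001): frozenset({CLASS_HID}),            # corporate keyboard
    (0x1234, 0x0002): frozenset({CLASS_MASS_STORAGE}),   # corporate USB stick
    (0x1234, 0x0003): frozenset({CLASS_VIDEO}),          # webcam; microphone not permitted
}

# Constructed enumeration results, as a USB monitor might report them.
SAMPLE_DEVICES = (
    UsbDevice(0x1234, 0x0001, "Keyboard", "KB-00017", (CLASS_HID,)),
    UsbDevice(0x1234, 0x0002, "USB stick", "ST-4410", (CLASS_MASS_STORAGE, CLASS_HID)),
    UsbDevice(0x1234, 0x0003, "Webcam", "WC-2201", (CLASS_VIDEO, CLASS_AUDIO)),
    UsbDevice(0x9999, 0x0001, "Ethernet adapter", "", (CLASS_CDC,)),
)

if __name__ == "__main__":
    for dev, verdict in evaluate_all(SAMPLE_DEVICES, BASELINE):
        print(f"{dev.product:16s} {verdict.action:16s} {verdict.reason}")
```

Run as-is, the keyboard is allowed, the USB stick that also presents a HID interface is blocked entirely, the webcam keeps its camera but loses its unexpected microphone interface, and the unlisted Ethernet adapter is blocked. A real deployment would feed the engine live enumeration events (udev on Linux, for instance) and add fingerprint attributes beyond VID/PID, such as serial number and descriptor details, but the decision structure is the same.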
Cybersecurity teams are given a limited budget, and it is at their discretion how it is allocated across the three main domains of cybersecurity: Application, Network and Hardware Security. Understandably, the largest share goes to the domain viewed as the top priority; the problem is determining which domain that should be. Typically, hardware security receives the least attention, and today this can no longer be the case, since hardware-based attacks are becoming more frequent and the damage they cause is severe.
Awareness of the risks posed by hardware attacks is crucial if an organization's cybersecurity department is to make informed decisions about how it divides its budget. Disregarding Hardware Security only raises the stakes as attackers exploit the gap. A major problem is that securing hardware assets has, until now, been a laborious, daunting process. Sepio Systems' HAC solution alleviates this challenge and finally gives Hardware Security the meal it has been craving.