The importance of hardening firmware security

It’s no secret that attackers traditionally go after low-hanging fruit when hacking a system. Historically, this has meant targeting user applications, and, for deeper persistence, the operating system (OS) kernel to gain control. But, as OS security has advanced, it’s become more difficult to compromise an OS with any kind of persistent kernel rootkit.

As a result, hackers (and researchers) have moved below the OS level and are now targeting firmware – most notably the Unified Extensible Firmware Interface or UEFI (often still referred to as the Basic Input Output System or “BIOS”).

You may recall the days when “BIOS” flashed across a laptop or desktop startup screen. Legacy BIOS was (and in some rare cases still is) one of the first pieces of firmware code to run on a platform, enumerating all of the device’s available components, memory, etc., before passing control to the OS. Today, most standard platforms use UEFI, which was designed to overcome many of the performance shortcomings of BIOS. It was developed by Intel, AMD, Microsoft and a variety of other PC manufacturers, and is maintained today by the Unified Extensible Firmware Interface (UEFI) Forum.

To date, firmware attacks have been few and far between. The first known BIOS attack, called the Chernobyl Virus, happened in 1998 and was used to erase flash ROM BIOS contents on chipsets. It wasn’t until Black Hat in 2006 that another BIOS vulnerability was demonstrated by researcher John Heasman (elevating privileges and reading physical memory), and then again in 2009 when Alfredo Ortega demonstrated a persistent BIOS infection (inserting malicious code into the decompression routines).

Despite this initial leisurely pace, over the last decade the number of firmware vulnerabilities has increased significantly. While still mostly academic in nature, these threats won’t stay that way forever.

Case in point, LoJax was the first in-the-wild UEFI rootkit identified in 2018 in a campaign from Russian cyber espionage group Fancy Bear. This rootkit allowed the attacker to write a malicious UEFI module into a system’s SPI flash memory that dropped and executed malware on-disk during the boot process. And, let’s not forget the leak of the NSA’s Equation Group APT by the Shadow Brokers, which showed a catalog of attack tools including a BIOS module. The race to identify new vulnerabilities, before criminals do, is vital to protecting businesses and consumers. Once security researchers begin unearthing new threat mediums, hackers quickly follow.

But where are we today when it comes to UEFI/BIOS vulnerabilities?

Over the last several years, System Management Mode (SMM) attacks have been the most common UEFI vulnerability, mainly because SMM interfaces directly with the OS. For example, a common exploit involves installing a kernel-level rootkit in SMM that can reach into the OS. Since SMM operates in a compartmentalized execution mode, the OS is not able to “see” it. This is appealing for attackers because if the OS can’t see inside SMM, then neither can functions like antivirus (AV). If an attacker has an offensive capability that keeps getting flagged by AV, moving it into the firmware’s SMM can cover their tracks. This is a core reason SMM is attractive for attacks.

Furthermore, SMM is also one of the protections used to prohibit users from rewriting some of the UEFI firmware itself. That means if an attacker wanted to write and install a persistent rootkit into the firmware that could survive OS reinstalls and configuration – or the removal and replacement of a hard drive from a computer – an SMM attack could be the first step in accomplishing that task.

Misconfigurations are another big area of concern when it comes to UEFI vulnerabilities. Traditionally, reference code is passed from a chip manufacturer to other vendors and OEMs, but it’s not intended to be final production code. OEMs then layer on additional code. During that process it’s possible to create vulnerabilities by not following UEFI security guidelines, creating poor add-on code, or just by accidentally misconfiguring bits. In general, it’s pretty simple for a hacker to scan through system registers and find what’s been misconfigured.

There are hundreds of different bits that need to be properly configured before a system is ready for release. One example of a common misconfiguration vulnerability involves the flash protection bits, which prevent unauthorized modification of firmware. Here’s how it works.

To protect itself from malicious changes, firmware must clear the “BIOS Write Enable” bit to disable firmware modifications. Unfortunately, an attacker could simply set that bit themselves. So to protect it, firmware must set the “BIOS Lock Enable” bit. However, attackers have found ways to circumvent this bit by disabling internal processor events. To secure the system further, firmware must ensure that the necessary events are enabled by setting the “Global SMI Enable” bit, and that an attacker can’t modify this bit by setting the “SMI Lock” bit. It’s easy to see why security misconfiguration vulnerabilities are some of the most common problems encountered.
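The four-bit chain described above, as an added checker in the spirit of a Chipsec-style configuration test (this is example code, not the article’s or CHIPSEC’s own). The register snapshot format and the bit values are constructed; the chipset register offsets that actually hold these bits differ between platform generations and are deliberately not modelled.

```python
"""Evaluate the UEFI flash-protection bit chain the article walks through.

Added example, not code from the article or from CHIPSEC. The snapshot is a
constructed text dump keyed by the bit names the article uses.
"""
from dataclasses import dataclass
from typing import Dict, List

# Value each bit must hold for the chain to be intact (1 = set, 0 = cleared).
REQUIRED = {
    "BIOS Write Enable": 0,   # cleared: flash is not writable from software
    "BIOS Lock Enable": 1,    # set: writing BIOS Write Enable raises an SMI that clears it again
    "Global SMI Enable": 1,   # set: that SMI is actually delivered
    "SMI Lock": 1,            # set: Global SMI Enable can no longer be cleared
}

# Order matters: each bit only protects the bit listed before it.
CHAIN = ["BIOS Write Enable", "BIOS Lock Enable", "Global SMI Enable", "SMI Lock"]

IMPACT = {
    "BIOS Write Enable": "flash is writable right now",
    "BIOS Lock Enable": "BIOS Write Enable can be set from the OS without consequence",
    "Global SMI Enable": "BIOS Lock Enable is ineffective because its SMI never fires",
    "SMI Lock": "Global SMI Enable can be cleared from the OS, defeating BIOS Lock Enable",
}


@dataclass
class Finding:
    bit: str
    actual: int
    required: int
    impact: str


def parse_snapshot(text: str) -> Dict[str, int]:
    """Parse lines of the form 'Bit Name = 0|1' (constructed dump format)."""
    bits: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        if value.strip() not in ("0", "1"):
            raise ValueError(f"bad value on line: {line!r}")
        bits[name.strip()] = int(value.strip())
    missing = set(CHAIN) - bits.keys()
    if missing:
        raise ValueError(f"snapshot lacks bits: {sorted(missing)}")
    return bits


def evaluate(bits: Dict[str, int]) -> List[Finding]:
    """Return every bit that breaks the chain, in chain order, with what it exposes."""
    return [
        Finding(bit, bits[bit], REQUIRED[bit], IMPACT[bit])
        for bit in CHAIN
        if bits[bit] != REQUIRED[bit]
    ]


def verdict(bits: Dict[str, int]) -> str:
    """One-line result: PROTECTED, or the weakest link that undoes the chain."""
    findings = evaluate(bits)
    if not findings:
        return "PROTECTED"
    # The first failing bit in chain order is the one that matters most;
    # later failures only become relevant once the earlier ones are fixed.
    return f"EXPOSED via {findings[0].bit}: {findings[0].impact}"


# Constructed snapshots: a correctly locked platform, and a common slip where
# the flash was locked but the SMI enable bit was left unlocked.
LOCKED_PLATFORM = """
BIOS Write Enable = 0
BIOS Lock Enable = 1
Global SMI Enable = 1
SMI Lock = 1
"""

SMI_UNLOCKED_PLATFORM = """
BIOS Write Enable = 0
BIOS Lock Enable = 1
Global SMI Enable = 1
SMI Lock = 0
"""

if __name__ == "__main__":
    for label, dump in (("locked", LOCKED_PLATFORM), ("smi unlocked", SMI_UNLOCKED_PLATFORM)):
        bits = parse_snapshot(dump)
        print(f"{label:13s} -> {verdict(bits)}")
        for f in evaluate(bits):
            print(f"  {f.bit}: is {f.actual}, must be {f.required}; {f.impact}")
```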

While SMM and misconfigurations are the two most common UEFI vulnerabilities, there are others including those that require exact configurations for sleep mode and secure boot.

What’s being done to harden the firmware layer?

Now more than ever, the industry is investing in offensive security research and development. By finding problems before hackers do, vendors can work to mitigate these threats before they impact businesses and users. In fact, advancements have already been made to substantially reduce some of the most common firmware attacks. For example, Intel’s Excite project combines symbolic execution, fuzzing, and concrete testing in a single tool that helps automate the excavation of UEFI security vulnerabilities in SMM. System Management Interrupt call-out vulnerabilities, which trick trusted SMM code into executing code from an attacker, were once one of the most common firmware vulnerabilities. Now they are virtually non-existent.

Intel researchers are also working in the area of firmware taint analysis, using automated tools to identify where attackers might provide malicious firmware input, and then tracing the data flow forward, to identify code that could be “tainted” by an attacker. And then there’s Host-Based Firmware Analyzer (HBFA), an open source, automated tool designed to enable developers to conduct advanced testing on UEFI drivers and UEFI Platform Initialization (PI) drivers in an OS environment.

Despite these efforts, there will always be firmware bugs. Recognizing this, researchers are developing firmware hardening technologies for UEFI that will severely restrict what an attacker can do, even if they get code execution inside firmware. For example, new technologies are mitigating the impacts of SMM attacks by preventing arbitrary code execution inside of SMM and allowing the operating system to verify the state of SMM through secure attestation techniques.

When it comes to tackling misconfigurations there are several tools, like the Intel-led open-source Chipsec project, that scan systems for misconfiguration. Chipsec allows OEMs to validate that all system bits within the firmware are configured correctly. Prior to Chipsec, Intel offered a BIOS Writers Guide (and still offers UEFI Writers Guides) that helped vendors and developers properly write, add or configure BIOS/UEFI code. Using sophisticated automated analysis tools has been a huge leap forward for firmware security.

UEFI plays a vital role in booting systems securely, but it also offers an enticing attack surface for hackers. Processor firmware vulnerabilities were once believed to be exploitable only by nation states, but new research and attacks have shifted that perception. The ultimate goal with UEFI security is to eliminate the “whack-a-mole” approach and get in front of these threats. Only by continuing to invest in offensive security practices and research, developing new automated technologies, and better communicating with partner ecosystems, will the industry ensure those barriers of entry for hackers remain strong.

Contributing author: Burzin Daruwala, Security Research Manager, Intel.

from Help Net Security – News

Enterprises catching up with the explosion of cloud use and shadow IT in the workplace

Businesses worldwide are gaining control of previously unmonitored and unsupported cloud applications and devices, known as shadow IT, that lurk in their IT environments, according to the 2019 Duo Trusted Access Report.


The average number of organizations protecting cloud apps with Duo surged 189 percent year-over-year, indicating that enterprises are catching up with the explosion of cloud use and shadow IT in the workplace. In addition, the frequency of out-of-date devices has dropped precipitously, hardening organizations against malware as a result.

Published by Cisco’s Duo Security, the fourth annual Duo Trusted Access Report analyzes the security state of thousands of the world’s largest and fastest-growing organizations.

The report examines 24 million devices used for work and half-a-billion user access requests per month to more than 1 million corporate applications and resources that Duo protects, based on de-identified and aggregated data from Duo’s 15,000 customers.

Soaring cloud and mobile use has resulted in 45 percent of requests to access protected apps coming from outside business walls, according to Duo data.

To reduce the risk of breach amid this shift, organizations of all sizes are enforcing security controls that establish user and device trust before granting access to applications, known as zero-trust security for the workforce.

These include strengthening user authentication, requiring screen locks and disk encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, among other steps. Organizations are even using zero-trust tactics to quickly mitigate threats posed by zero-day vulnerabilities.

“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, Head of Advisory CISOs at Duo.

“The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”

Report highlights

Your workforce is now mobile – A third of all work is now done on a mobile device, a 10 percent increase year-over-year. Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities.

Passwords… the end is nigh! – Organizations are increasingly adopting the use of biometric sensors to verify user identity, paving the way for a passwordless future. 77 percent of mobile devices used in business have biometrics configured, a 10 percent increase over the past four years.

Not today, zero-day – In March 2019, Google discovered a zero-day vulnerability in its Chrome web browser that could allow an attacker to compromise major operating systems. Google quickly released a patch, which required users to update Chrome to the latest version.

Subsequently, Duo saw a 79 percent increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until users updated Chrome.

Apple eats away at Windows; Chrome reigns – Together, macOS and iOS now comprise 40 percent of the devices used for work, while Windows’ share of devices dropped 8 percent from the year prior. On the browser side, Chrome makes up 48 percent of business browser share, an 8 percent increase year-over-year, resulting in stronger security hygiene overall for organizations.

An update a day keeps the hacker at bay – While Android devices continue to be the most frequently out-of-date, overall, out-of-date devices across all operating systems have dropped precipitously in the past year, making them less susceptible to malware and improving organizational security health.

Healthcare slow to adopt Windows 10 – The Windows-dominated sector has 56 percent of Windows devices still running an outdated operating system. Healthcare organizations use internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry.

SMS authentication extinct? – Enterprises are well-aware of the security risks posed by SMS-based MFA. SMS passcode comprises only 2.8 percent of total Duo user authentications, compared to 68 percent for Duo Push. Heavily regulated industries, such as Federal Government, overwhelmingly prefer traditional hardware tokens because of regulatory requirements.


Companies still don’t understand the importance of DMARC adoption

By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. Still, 79.7% of all domains analyzed have no DMARC policy in place, according to 250ok.


A domain that implements no form of DMARC policy exposes its recipients to possible phishing attacks, and, unsurprisingly, 91% of all cyber attacks begin with a phishing email.

Phishing and spoofing attacks against consumers are likely to occur when companies do not have published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) policies in place.

DMARC is considered the industry standard for email authentication to prevent attacks in which malicious third parties send harmful email using a counterfeit address.

“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok.

“Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”

250ok’s Global DMARC Adoption 2019 report analyzed domains across multiple sectors including education, e-commerce, Fortune 500, US government (Executive, Legislative and Judicial), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, financial services, and travel.

The report looks into whether the organization or parent domain, excluding any subdomains, implements any level of DMARC policy, from none (good) to quarantine (better) to reject (best), or whether it has no policy whatsoever.
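Classifying a domain’s published DMARC record into the four buckets the report uses, as an added example (not 250ok’s tooling). The TXT records are constructed strings as they would appear at `_dmarc.<domain>`; no DNS lookups are performed, and the edge cases follow the receiver behaviour in RFC 7489 rather than anything the report states.

```python
"""Classify DMARC TXT records into the buckets used by the adoption report above.

Added example, not 250ok's code. Only the organizational domain's own p= tag
is considered, as the report does; subdomain policy (sp=) is ignored.
"""
from collections import Counter
from typing import Dict, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record.

    RFC 7489 requires the first tag to be exactly v=DMARC1; anything else is
    treated as absent, which is how a receiving MTA behaves.
    """
    if record is None:
        return None
    tags: Dict[str, str] = {}
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        if not sep:
            return None  # malformed tag, record is unusable
        tags[name.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        return None
    return tags


def effective_policy(record: Optional[str]) -> str:
    """Return 'none', 'quarantine', 'reject', or 'no policy'.

    Edge case per RFC 7489 section 6.6.3: a record whose p= tag is missing or
    invalid is treated as p=none if it carries a rua= reporting address,
    otherwise as if no record were published at all.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "no policy"
    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        return policy
    return "none" if tags.get("rua") else "no policy"


def adoption_summary(records: Dict[str, Optional[str]]) -> Dict[str, float]:
    """Percentage of domains in each bucket, rounded to one decimal like the report."""
    counts = Counter(effective_policy(r) for r in records.values())
    total = len(records) or 1
    return {bucket: round(100.0 * counts[bucket] / total, 1)
            for bucket in ("no policy", *VALID_POLICIES)}


# Constructed sample: five organizational domains and what _dmarc.<domain> returned.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=100",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
    "example.edu": None,                                        # no TXT record at all
    "example.info": "v=DMARC1; rua=mailto:dmarc@example.info",  # p= missing, rua= present
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:13s} {effective_policy(record)}")
    print(adoption_summary(SAMPLE_RECORDS))
```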

Key takeaways from select sectors include:

  • For the second year in a row, Chinese companies are the least likely to adopt any DMARC policy, with 93.5% of domains having no policy in place.
  • Non-profit organizations are largely failing to adopt DMARC (91.4% have no policy in place) while they continue to hold a significant amount of personal data about their donors and volunteers.
  • Only 23% of companies in the Fortune 500 have some form of DMARC policy despite being the largest US companies by revenue.
  • The SaaS 1000 is the best non-public vertical surveyed. Out of 1,000 domains reviewed, only 54% do not have a policy in place.
  • The travel industry is well behind overall averages with 86% of all domains having no policy in place and only 1% having a reject policy.
  • The Executive branch of the government leads all verticals with 81.5% of all their domains enacting a reject policy.
  • Law firms saw the greatest increase in overall adoption from 2018 to 2019 with a 19% increase. European and U.S. retailers had the second and third greatest increases with 14.8% and 12.5% overall adoption respectively.
  • The sectors that saw the smallest increase in overall DMARC adoption from 2018 to 2019 include the China Hot 100 with only a 1.9% increase, and U.S. nonprofits with a 2.8% increase.


A 2018 study from the Anti-Phishing Working Group reported a decline in reported phishing attacks during Q4 2018. However, this is not due to fewer attacks, but instead the growing complexity of phishing attacks.

Thanks to new tactics like multiple redirects and valid security certificates, phishing is harder to detect than ever before. In fact, there was a 29.8% increase in phishing scams targeting SaaS companies in an attempt to get data and credentials.


As cyber attacks increase, the cloud-based database security market grows

The cloud-based database security market is expected to register a CAGR of 19.5% over the forecast period 2019-2024, according to ResearchAndMarkets.


With the increasing adoption of Big Data platforms and relational databases becoming the prime target for data thieves, the demand for cloud-based database security is expected to gain traction.

Key highlights

  • There have been increasing volumes of data generated by data-intensive applications, such as the storage and mining of huge volumes of commercial data. These applications are flexible and multipurpose in nature. For maintaining the authenticity and integrity of the data and for prevention of cloud-related cyber-attacks, cloud database security is essential.
  • The location of the data stored in cloud is not known to organizations which significantly minimizes their control over their data. Consumers do not know the details pertaining to where actual physical machines, networking and storage devices are residing. In case of security breaches, it becomes difficult for them to identify the resource which has been compromised.

Major market trends

Healthcare industry to dominate the market:

  • With increasing patient records and multi-cloud, there is a need for greater attention to security, compliance, and privacy.
  • In 2018, the healthcare industry continued to be plagued by data breaches involving sensitive patient information, according to 2019 Breach Barometer Annual Report by Protenus.
  • As per HIPAA’s Data Breach Report, healthcare data breaches continued to be reported at a rate of one a day in March 2019.
  • Google has a strong history in big data, analytics, and machine learning, culminating in the launch of their Google Health API.
  • As multi-cloud access increases, we can expect healthcare organisations to use Google Cloud’s expertise while also consuming services such as Amazon Simple Storage Service and Amazon Elastic Compute Cloud for computing and data storage to meet the unique needs of their business.

Asia-Pacific to witness the highest growth:

  • In Asia-Pacific, great strides are being made in the digital economy, but this is also creating more threat-related opportunities. According to Cisco, companies in APAC receive 6 threats every minute, and 51% of all cyber attacks resulted in a loss of more than USD 1 million.
  • The growing penetration of the internet and shift toward digitization of the internal processes have been instrumental in driving the adoption of cloud-based services. Alongside the digital transformation in the region, owing to ineffective cyber laws and lack of cybersecurity awareness, companies in Asia-Pacific have been found to be 80% more likely to be targeted by hackers as compared to other regions.
  • In addition to financial losses, cybersecurity incidents are also undermining Asia Pacific organizations’ ability to gain confidence with their consumers and other stakeholders.
  • Major companies are setting their footprint in APAC; for instance, Google expanded the number of Google Cloud Platform regions in APAC from three to six in 2018.

Competitive landscape

The market for cloud-based database security is fragmented due to the rise in cyber attacks over the years. Enterprises are more aware and careful regarding their data stored in cloud and thus are availing offerings from companies like IBM, McAfee and Intel Security for cloud protection.

Recent developments:

  • May 2019 – In a move expected to augment its cloud-based architecture and people-centric security platform, Proofpoint announced that it has entered into an agreement to acquire zero trust network access innovator Meta Networks.
  • January 2018 – Amazon’s cloud business acquired Sqrrl, a security start-up with NSA roots. The founders of Sqrrl had previously worked for the US National Security Agency. This acquisition by the company is aimed at attaining business from US intelligence agencies.
  • January 2018 – IBM and Salesforce expanded their partnership, by bringing together artificial intelligence and cloud computing platforms. This partnership is expected to expand IBM’s customer base in the cloud solutions segment.


New satellite constellations aim to improve IoT connectivity options

By 2024, there will be 24 million IoT connections made via satellite, ABI Research reveals.


A new report unveils the long-term opportunity within the satellite space for the growth of IoT deployments, particularly in application verticals, such as agriculture and asset tracking, that are dealing with the unreliability of terrestrial infrastructures.

“Terrestrial cellular networks only cover 20% of the Earth’s surface, while satellite networks can cover the entire surface of the globe, from pole to pole,” says Harriet Sumnall, Research Analyst at ABI Research.

“The expansion of the satellite constellations that are currently in orbit, and those due to take place will allow for connectivity to be more global. While the market using satellite connection is still immature, it shows great opportunities for growth.”

The application segments that are expected to see significant growth include agriculture, asset tracking, maritime tracking, and aviation tracking. Maritime and aviation tracking are two important markets for the satellite space due to the lack of terrestrial infrastructures available within their location.

Vendors such as Aerial & Maritime (A&M) provide cost-effective aircraft ADS-B surveillance and ship AIS tracking from constellations of nano-satellites. This technology is a game-changer in this industry space, and recent initiatives demonstrate the high-end tracking capabilities from large satellites in multi-constellations.

Though this is not yet considered a cost-efficient process, it is expected to become more so with upcoming Software Defined Radio technology, which makes it possible to use nano-satellites for these tasks.

The larger and more traditional satellite providers, such as Inmarsat and GlobalStar, are facing new competition from many new start-up constellations from vendors like Amazon and SpaceX, which are launching Low Earth Orbit (LEO) satellites.

LEO satellites, though, are costly in the set-up of the constellations as many satellites are required to give the coverage that vendors are offering. However, in the long run, LEO satellites are more cost-effective than the larger traditional satellites for these applications.

The conventional satellite providers will not only have to consider driving their prices down to become more competitive than the newcomers but also be sure they stay relevant within the market.

“Once the market becomes more successful and has matured, the pricing strategies will drop overall, allowing the satellite IoT connectivity options to compete against terrestrial connectivity options,” Sumnall concludes.


42Crunch new solution allows orgs to automate API security across Kubernetes environments

API security leader and creator of the industry’s first API Firewall – 42Crunch – announced the latest release of its API security platform with full support for Kubernetes environments.

This new solution allows organizations to easily automate API security across Kubernetes environments – enabling the zero-trust architecture needed to protect each microservice, and scale without risk.

The rapid adoption of microservices architectures and Kubernetes leads to a proliferation of APIs exposed by these microservices. Developers employ agile practices to quickly iterate on these microservices. Combined, these trends lead to hundreds if not thousands of rapidly changing APIs that modern enterprises often host and need to secure.

Traditional solutions such as Web Application Firewalls (WAF) and API Management tools rely on static rules and policies, and edge protection. While these solutions provide some security functionality within your environment, they still leave the individual microservices vulnerable to API attacks.

Through a fully automated platform, 42Crunch extends security beyond the edge of the enterprise to each individual microservice, protecting them with an ultra-low latency micro API firewall that can be deployed at scale.

The 42Crunch API firewall is merely 20 MB in size and, when deployed in sidecar proxy mode in Kubernetes pods, enforces API security with sub-millisecond overhead. This eliminates the manual process of writing and maintaining individual API security policies, and enforces a zero-trust security architecture.

“Since the initial launch of the 42Crunch API Security platform our customers have informed us that edge protection is no longer enough,” says Jacques Declas, CEO and founder of 42Crunch.

“We are excited to make our Kubernetes-native API protection commercially available. Now the teams working on large numbers of microservices can be sure that each and every one of them automatically stays secure throughout its lifecycle.”

In addition, 42Crunch’s unique approach integrates with companies’ DevSecOps pipeline and delivers automated API security across the whole API lifecycle:

  • AUDIT: Run 200+ security audit tests of the OpenAPI specification definition with detailed security scoring to help developers define and strengthen the API contract.
  • SCAN: Scan live API endpoints to discover potential vulnerabilities and discrepancies of the API implementation against the API contract.
  • PROTECT: Launch service to protect APIs and apply policies that can be deployed in our lightweight, low-latency micro API firewall.


Vade Secure’s Auto-Remediate adds automated protection for Office 365 environments

Vade Secure, the global leader in predictive email defense, announced the availability of Auto-Remediate for Vade Secure for Office 365. The new feature extends Vade Secure’s AI-based threat detection and mitigation capabilities, providing MSPs and small businesses with comprehensive, continuous, and automated protection before, during, and after the attack.

Leveraging Vade’s real-time view of emerging global threats from 600 million mailboxes, Auto-Remediate automatically removes any malicious messages from users’ inboxes, mitigating attacks before they disrupt the business.

“As an MSP, we don’t have time to manually find, investigate, and respond to new email threats,” said William Bluford, Vice President at Huntington Technology, a Managed Services Provider in Detroit, MI.

“We need technology that just works and provides a high degree of automation. That’s why we selected Vade Secure for Office 365 in the first place, and it’s why we are looking forward to using Auto-Remediate to further strengthen protection of our customers.”

Earlier this year, Vade Secure released a manual Remediate feature that enables MSPs and admins to remove one or more threats from users’ inboxes with just a click.

Auto-Remediate vastly improves this capability by introducing automation functionality powered by threat intelligence and user feedback from Vade’s 600 million protected mailboxes. Responding to emerging attacks as they occur, Vade Secure’s AI learns from its mistakes and takes immediate action to remove any threats that have reached users’ inboxes.

“Email attacks are becoming more dynamic, more persistent and more successful as hackers pinpoint new ways to penetrate Office 365 environments,” said Adrien Gendre, Chief Solution Architect at Vade Secure.

“Vade Secure’s AI engine uses threat intelligence from 600 million mailboxes to continuously learn how to detect more threats. Now, with Auto-Remediate, our engine is learning from its own mistakes and automatically fixing them for users, allowing MSPs and their customers to focus on other priorities.”
