sbradley
Contributing Writer

3 ways to prevent firmware attacks without replacing systems

Feature | Apr 28, 2021 | 5 mins
Tags: Cyberattacks, Network Security, Windows Security

[Image: A firmware message appears on a circuit board. Credit: Atakan / Getty Images]

A recent Microsoft security post warned that firmware attacks are on the rise. It cited a survey of 1,000 cybersecurity decision makers at enterprises across multiple industries in the UK, US, Germany, Japan, and China, which found that 80% of firms had experienced at least one firmware attack in the past two years, while only 29% of security budgets had been allocated to protecting firmware. The solution for this, according to Microsoft, is secured-core PCs that provide “powerhouse protection out of the box, with capabilities such as virtualization-based security, Credential Guard, and kernel DMA protection.”

I’d argue not only that these types of protections are not needed on every workstation, but that they are not where we should be focusing our resources. Firmware protection may not even be the main reason firmware updates matter. In addition, when IT administrators are asked what firmware attacks they have dealt with in the past year, they tend to think of firewalls or VPN appliances that needed patching, not the firmware of the computers on their network.

While some malware has used firmware vulnerabilities to gain network access, it is usually combined with other attacks. For example, the RobbinHood ransomware operators brute-forced Remote Desktop Protocol (RDP) logins to gain access to the network. Once they had a foothold, they used a vulnerable kernel driver from Gigabyte.

Put your security budget where you will get the most bang for the buck. If you spend resources purchasing computers that have secure firmware, you will miss out on many more affordable solutions that can provide security fixes sooner rather than later. Focus on risk-based security solutions rather than on those that protect against unusual attacks. Here are a few to consider:

Block files with Office macros

Blocking macros in Office files that came from the internet is easy and fast to implement and addresses a common risk. The option is built into modern versions of Office.

Enforce this setting in Group Policy with these steps:

  1. In a domain setting, download the Office Group Policy administrative templates from Microsoft.
  2. Open the Group Policy Management Console.
  3. Right-click the Group Policy object you want to configure and select “Edit”.
  4. In the Group Policy Management Editor, go to “User Configuration”.
  5. Click on “Administrative Templates”.
  6. Go to “Microsoft Word 2016”.
  7. Go to “Word Options”.
  8. Go to “Security”.
  9. Go to “Trust Center”.
  10. Open the “Block macros from running in Office files from the Internet” setting and set it to “Enabled”.

If a division of your office needs macros, you can scope these Group Policy settings to a specific organizational unit so they do not impact the entire firm. Understanding how the “mark of the web” feature works is key to tailoring your security posture efficiently: the macro block only applies to files that carry that mark. Ensure that your network is designed to respect these settings, and make sure your developers fully understand the implications of disabling or adjusting the mark of the web status of files.
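The steps above configure the setting through Group Policy. As an added example (not code from the article), the following PowerShell audits or enforces the per-application registry value that this user policy writes, and then reads the mark of the web that the policy depends on. It assumes Office 2016/365 (policy path “16.0”), an NTFS volume, and that it runs as the affected user; the demo file and its contents are constructed.

```powershell
# Added example, not from the article: audit (default) or enforce (-Enforce) the per-application
# registry value that the "Block macros from running in Office files from the Internet" user policy
# writes, then show how to read the mark of the web the policy depends on.
# Assumes Office 2016/365 (policy path "16.0"); run as the affected user.
[CmdletBinding()]
param([switch]$Enforce)

$apps      = 'Word', 'Excel', 'PowerPoint'
$valueName = 'blockcontentexecutionfrominternet'   # DWORD 1 = block macros in Internet-zone files

foreach ($app in $apps) {
    # HKCU because the setting lives under User Configuration in the Office ADMX templates.
    $key     = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 1) {
        Write-Output "${app}: policy enforced"
    } elseif ($Enforce) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output "${app}: policy set"
    } else {
        Write-Output "${app}: NOT enforced (current value: $current)"
    }
}

# The policy only applies to files carrying the mark of the web: the Zone.Identifier alternate
# data stream that browsers and mail clients add on download. ZoneId=3 is the Internet zone;
# a file with no stream is treated as local and its macros fall under the normal Trust Center settings.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        foreach ($line in Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop) {
            if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
        }
    } catch { }            # no Zone.Identifier stream on this file
    return $null
}

# Constructed demo file: untagged first, then tagged as if it had been downloaded.
$demo = Join-Path $env:TEMP 'motw-demo.docm'
Set-Content -Path $demo -Value 'constructed placeholder content'
"Before tagging: zone = $(Get-MotwZone $demo)"   # empty: the policy would not block this file
Set-Content -Path $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
"After tagging:  zone = $(Get-MotwZone $demo)"   # 3: Internet zone, the policy blocks macros
Remove-Item -Path $demo
```

Run it without -Enforce on a few workstations to confirm the GPO actually landed; a file that shows no zone is exactly the case where a developer or network share has stripped the mark and the block will not apply.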

Set up attack surface reduction rules

Use attack surface reduction (ASR) rules in Windows 10 to protect workstations. Admins often do not take advantage of ASR rules, which provide additional protection from attackers. Several ASR rules will probably not affect the daily work of your users; for example, the ASR rule “Block all Office applications from creating child processes” will not cause problems for most users.
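As an added example (not code from the article), this PowerShell stages that one ASR rule the cautious way: enable it in audit mode, review what it would have blocked from the Defender event log, and only then switch it to block. It assumes Windows 10 with Microsoft Defender Antivirus as the active engine, an elevated session, and that the rule GUID and event IDs are the documented ones for this rule.

```powershell
# Added example, not from the article: stage one ASR rule on a workstation the cautious way:
# audit first, review what the rule would have blocked, then enforce. Assumes Windows 10 with
# Microsoft Defender Antivirus active and an elevated session.
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # "Block all Office applications from creating child processes"

# Get-MpPreference exposes ASR state as two parallel arrays (Ids / Actions); map one rule to a name.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

# Event 1122 = ASR audit hit (would have blocked), 1121 = ASR block, both in the Defender
# operational log; the message text carries the rule GUID, the process and the target.
function Get-AsrRuleEvents {
    param([Parameter(Mandatory)][string]$Id, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Id } |
        Select-Object TimeCreated, Id, Message
}

# Step 1: audit mode logs hits without blocking anything, so users are not affected yet.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode
"Rule state: $(Get-AsrRuleState -Id $ruleId)"

# Step 2 (after the rule has run for a while): review the hits and chase down any legitimate ones.
Get-AsrRuleEvents -Id $ruleId | Format-List

# Step 3: once the audit log shows nothing you need to keep, switch the same rule to block.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
```

The same three steps apply to any other ASR rule; substitute its GUID and pilot it on one organizational unit before rolling it out firm-wide.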

Keep firmware and drivers updated

You still need a way to deploy firmware and drivers, but not for the reason you might think. As Windows 10 feature releases are deployed, they often demand newer drivers, especially for video or audio. Without the appropriate video or audio drivers, the feature release upgrade process is often blocked.

Then there is the issue of vulnerable drivers. Attackers will use any means available to move laterally or elevate privileges once they gain access to systems. Even for existing systems, the ability to manage and maintain drivers is a key need. Microsoft has recently moved driver offerings from outside the operating system into the Windows Update process.

If you’ve been a network administrator for years, you might be a bit jaded and unwilling to approve drivers, especially through the Windows Server Update Services (WSUS) process. Many an administrator has tales of woe where a Windows-supplied driver did not work properly and had to be rolled back from the system.

Some computer vendors provide applications to monitor for and install firmware and driver updates. I have become comfortable letting these vendor applications offer and install drivers. I’m still in the process of moving to that same level of comfort with drivers offered to me inside the Windows update process.

At Ignite, Microsoft announced it will be testing a new process to deploy drivers to your systems. It will open as a private preview and provide a new deployment service through Intune and the Microsoft Graph in the second half of 2021. Configuration Manager admins will benefit from what Microsoft is announcing without changing the way they service Windows updates with WSUS.

Microsoft is urging those interested in finding out more to sign up for its preview program. Sign up at the engineering neighborhood in the Windows Customer Connection Program to stay informed, then log in and select the “Driver and Firmware Updates Private Preview” option in question 5 to find out more. Even if you don’t participate in the preview or beta, this is a great way to stay informed.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.
