IT pros say hackers could compromise device supply chain, firmware security

An opportunity is emerging for hackers to compromise firmware within the supply chain, according to HP Wolf Security, which said that its clients are fearing compromise at levels as low as device firmware.

The survey, based on a poll of 803 IT professionals, asked respondents to rank the key security challenges and threats by priority. By and large, the poll found that attacks on the supply chain and at the low level of device hardware and firmware were front and center.

“Buying PCs, laptops or printers is a security decision with long-term impact on an organization’s endpoint infrastructure,” said Boris Balacheff, chief technologist for security research and innovation at HP Inc.

“The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices — from increased risk exposure, to driving up costs or negative user experience — if security and manageability requirements are set too low compared to the available state of the art.”

In practice, this would allow attackers to get upstream and compromise an equipment or service provider to then gain easy access to clients who never bothered to check their hardware upon installation.

Amongst those polled, 52% said they do not collaborate with their colleagues to verify the security and integrity of the hardware they purchase. This lack of collaboration leaves an opportunity for attackers to slip through the cracks of organizational security policy and get a backdoor into multiple companies simply by hacking a service provider.

What is worse, organizations seem to be well aware of the risks they face within their supply and services chain. HP Wolf said 48% of those polled agreed that they accept providers' terms to the extent that their security risk is akin to “lambs to the slaughter.”

As an alternative to this sort of blind exposure, HP Wolf said that IT decision makers should add a grain or two of salt to the sales pitches and instead ask their service providers to serve up some technical documentation that can outline where their hardware is coming from and what sort of audits can verify that their goods have not been tampered with.

“Organizations need hard evidence — technical briefings, detailed documentation, regular audits and a rigorous validation process to ensure security demands are being met, and devices can be securely and efficiently onboarded,” said Michael Heywood, HP Inc business information security officer for supply chain security.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
