Hardware security is often the elephant in the room in the security world. Most of the technology and hardware we use passes through supply chains we cannot trace, and what cannot be traced cannot be fully trusted.
The first question to ask, at a global level, before crafting a security strategy is why hardware matters at all. Hardware breaches are difficult to carry out: they have a physical component and usually require both planning and a bit of luck. But once a device's hardware has been compromised, everything above it, including the operating system and the security tools running on it, inherits that compromise.
The most common consequences of hardware breaches include loss of sensitive data, by far the most common problem and present in over half of the cases according to this report; economic losses due to system downtime; and outages and other problems that affect customer-facing systems. Beyond exposure of sensitive data, there is the risk of lasting harm to your organization's brand or, worse, liabilities and lawsuits. The recent Verkada breach, which exposed hundreds of live feeds from video surveillance cameras inside schools, psychiatric hospitals and offices, was perhaps the biggest such breach to make national news. The attackers reached those cameras through an exposed super-administrator credential rather than a physical implant, a reminder that a fleet of networked devices is only as safe as the accounts that manage it.
The bottom line is that hardware breaches cost businesses time, money, and that priceless currency—customer relationships.
But can hardware breaches really happen to a business? In the same report, 63% of the 300 organizations surveyed had experienced at least one data breach in the past year due to a hardware security vulnerability. And this is far from a Hollywood movie scenario, as anyone who remembers the NSA documents that surfaced in 2014, showing Cisco routers being "upgraded" with beacon implants before continuing on their shipping route, will recall.
Currently we live in a naïvely hopeful place, where we trust businesses like Apple, Intel, and other hardware manufacturers to oversee the process and keep us secure. But in a world where supply chains are global and much of the manufacturing happens in China, one of the few ways to truly secure hardware at scale would be a set of laws and regulations, an accompanying governing body, and enforcement across the world. That is a very costly proposition.
Hardware manufacturers also carry a large share of the responsibility. Their principal engineers, and the front-line staff who physically handle devices during assembly and shipping, should get at least a crash course in security, because we have seen hardware breaches that target exactly this less security-aware group with hands-on access to the hardware.
A company's security policy matters as much as any individual's stance. Without closing that loop, organizations also risk firmware breaches, such as the newly discovered bug in the firmware of SonicWall's SMA 100 series remote-access appliances, which a single threat actor exploited to gain administrator-level privileges and then remote code execution on the targeted networks. Firmware is the software half of the hardware problem: a device does not need to be physically tampered with if the code it ships with can be exploited over the network.
The real solution to both of these issues lies in an increasingly popular security standpoint: zero trust. In my opinion, deploying zero-trust principles across an organization is our only hope as Chief Security Officers (CSOs) and security teams against the potential threats of hardware breaches. Not to mention, it’s just good practice in these increasingly digital times.
Part of a zero-trust strategy consists of fortifying your digital estate with several layers of security that constantly communicate with and scan each other, the network, and its users. Layered strategically, tools like deception can catch hardware breaches that would otherwise be nearly impossible to spot, because a compromised device that probes a decoy has no legitimate reason to touch it.
A client my team worked with comes to mind. This client bought a bunch of spotlights to be connected to a network and programmed. Once the installation was complete, the deception assets we had deployed on their network began to issue alerts. Our deception platform detected that the lights were trying to compromise all the machines in the network. If it weren’t for the high-fidelity nature of the alerts from our deception tools, these warnings would have likely been lost in a sea of pings and notifications. We went to the vendor, based out of China, who said the spotlights had been infected by malware accidentally, which of course could very easily be true, but could just as easily not be.
When hardware is breached, we lose control over what the device does, but we retain control over what the rest of the system lets it do. With a zero-trust plan you can define rules that allow each piece of hardware to communicate only with a small, named set of other points in the network. Any traffic that breaks these rules then triggers a high-fidelity alert, since there is no legitimate reason for it, and lets you see what is going on and locate the offending device.
To mitigate the risk of a hardware breach, security teams should focus on the following:
- Analyze the organization's attack surface, infrastructure and data, producing a directory of these assets that shows how information flows between them.
- Create micro-perimeters that separate machines and networks, which limits what any piece of bad hardware can reach and therefore how much damage it can do.
- Always work on a least-privilege basis as part of a wider zero-trust strategy.
- Test hardware against a known-good reference machine, comparing CPU outputs and other observable behavior for signs that could betray a trojan.
- Employ in-network deception technology, which is unparalleled for detecting lateral movement or unauthorized actions by hardware.
- Continuously monitor the network, investigating any suspicious activity or triggered alert.
- Stay current on the latest techniques used by nation-state threat actors, and protect network systems against them.
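As an added example (not code from the original article or from any vendor's product), here is a minimal version of the rule-and-alert logic described above and in the micro-perimeter, deception and monitoring items of the list, in Python: a per-device allow-list of permitted destinations, a set of decoy addresses belonging to a deception layer, and a pass over constructed flow records in which one networked spotlight behaves like the one in the story. All addresses, ports, the policy and the flow-record format are assumptions made up for this example.

```python
"""Per-device allow-list and decoy-contact checks over flow records.

Added example. The policy, decoy addresses and flow format are assumptions
made up for illustration, not values from any real deployment.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Hypothetical zero-trust policy: each known device may only talk to the
# listed (destination address, destination port) pairs. Here two networked
# spotlights are allowed to reach one MQTT broker and nothing else.
POLICY = {
    "10.20.0.50": {("10.20.0.10", 1883)},
    "10.20.0.51": {("10.20.0.10", 1883)},
}

# Decoy hosts from the deception layer. Nothing legitimate ever contacts
# them, so any flow toward them is a high-fidelity alert by construction.
DECOYS = {"10.20.0.200", "10.20.0.201"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse one constructed flow record: "<src> <dst> <dport>"."""
    src, dst, dport = line.split()
    ipaddress.ip_address(src)   # raises ValueError on a malformed address
    ipaddress.ip_address(dst)
    return Flow(src, dst, int(dport))


def classify(flow):
    """Return 'decoy', 'unknown-device', 'allowed' or 'violation'."""
    if flow.dst in DECOYS:
        return "decoy"
    allowed = POLICY.get(flow.src)
    if allowed is None:
        return "unknown-device"        # device not in the asset directory
    if (flow.dst, flow.dport) in allowed:
        return "allowed"
    return "violation"                 # outside the device's micro-perimeter


def analyze(lines, scan_threshold=5):
    """Classify every flow; return (alerts, sources that fan out widely).

    alerts: list of (kind, src, dst) for every non-allowed flow.
    scanners: sources whose non-allowed flows touched >= scan_threshold
    distinct destinations, i.e. devices sweeping the network.
    """
    alerts = []
    fanout = defaultdict(set)
    for flow in map(parse_flow, lines):
        verdict = classify(flow)
        if verdict == "allowed":
            continue
        fanout[flow.src].add(flow.dst)
        kind = {"decoy": "decoy-contact",
                "violation": "policy-violation",
                "unknown-device": "unknown-device"}[verdict]
        alerts.append((kind, flow.src, flow.dst))
    scanners = sorted(s for s, dsts in fanout.items()
                      if len(dsts) >= scan_threshold)
    return alerts, scanners


# Constructed sample: spotlight .50 talks to its broker once, then starts
# probing SMB and SSH on neighbouring hosts, including one decoy.
SAMPLE_FLOWS = [
    "10.20.0.50 10.20.0.10 1883",   # allowed
    "10.20.0.51 10.20.0.10 1883",   # allowed
    "10.20.0.50 10.20.0.11 445",    # violation
    "10.20.0.50 10.20.0.12 445",    # violation
    "10.20.0.50 10.20.0.13 445",    # violation
    "10.20.0.50 10.20.0.200 445",   # decoy contact
    "10.20.0.50 10.20.0.14 22",     # violation
    "10.20.0.99 10.20.0.10 1883",   # device nobody inventoried
]

if __name__ == "__main__":
    found_alerts, found_scanners = analyze(SAMPLE_FLOWS)
    for kind, src, dst in found_alerts:
        print(f"ALERT {kind:17} {src} -> {dst}")
    print("sweeping the network:", found_scanners)
```

The ordering in `classify` is deliberate: a decoy contact is reported as such even when the source is an unknown device, because that is the strongest signal available, and allowed flows never count toward the fan-out tally, so a chatty but well-behaved device is not mistaken for a scanner.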
Though the traditional focus has been on protecting internal systems and networks, a complete cybersecurity posture requires more, from our hardware to our cloud systems. Threat actors are targeting businesses globally, and a zero-trust strategy may be one of the only workable answers to the growing risk of hardware security breaches.