HP Wolf reveals that 79% of IT security decision makers are lacking in crucial hardware and firmware expertise
Analysis Summary
# Main Topic
Widespread lack of hardware and firmware security expertise among IT Security Decision Makers (ITSDMs), with 79% admitting to major knowledge gaps, leading to organizational risks across the entire device lifecycle (procurement, onboarding, monitoring, and disposal).
## Key Points
- 79% of ITSDMs surveyed admit to lacking crucial knowledge in hardware and firmware security.
- 52% of ITSDMs report that procurement teams rarely collaborate with IT/security to verify hardware and firmware security claims from suppliers.
- 33% of organizations experienced hardware failing a cybersecurity audit in the last five years, leading to contract terminations for 18% of those.
- BIOS/UEFI security is weak: 53% of ITSDMs stated BIOS passwords are shared, overused, or insufficiently strong, with the same percentage rarely changing these credentials throughout a device's life.
- Maintenance and patching delays are critical: Over 60% of ITSDMs delay firmware updates, increasing exposure, especially as AI accelerates vulnerability exploitation.
- Detection difficulty: 63% of ITSDMs report "multiple blind spots" when investigating hardware/firmware vulnerabilities, and 60% find detection and remediation of hardware/firmware threats impossible.
- Device disposal/sustainability is impacted: 59% find sanitizing older devices too difficult due to security concerns, leading to unnecessary destruction of salvageable hardware.
- **Affected Devices:** PCs, laptops, and printers.
- **Scope of Employees Affected:** Survey included 6000 office workers and 800 ITSDMs across the US, Canada, UK, Japan, Germany, and France.
## Threat Actors
- No specific threat actors or state-sponsored groups were named; the risk described stems from the *lack* of internal expertise.
- The report implies that motivated threat actors (including those leveraging faster AI tools) could capitalize on the documented visibility gaps and outdated firmware.
## TTPs
- **Procurement Weakness:** Reliance on unverified supplier security claims.
- **Configuration Management Failure:** Poor management of BIOS/UEFI credentials.
- **Patch Management Failure:** Failure to apply firmware updates promptly (delayed by over 60% of organizations).
- **Endpoint Monitoring Gaps:** Existence of significant "blind spots" rendering comprehensive vulnerability investigation difficult.
- **Supply Chain Risk:** Failure to adequately vet hardware/firmware security during procurement.
## Affected Systems
- Endpoint hardware platforms: PCs, laptops, and printers.
- Underlying system software: Firmware and BIOS configurations.
## Mitigations
- **Procurement:** Prioritize hardware and firmware security requirements during vendor selection and procurement processes.
- **Configuration Hardening:** Ensure BIOS passwords are strong, unique, and regularly rotated across the device lifespan.
- **Vulnerability Management:** Increase maturity in managing hardware and firmware across the entire device lifecycle, including promptly applying firmware updates.
- **Visibility and Detection:** Organizations must improve capabilities for detecting and remediating threats specific to the hardware and firmware layers, addressing current "blind spots."
- **Lifecycle Management:** Establish secure and manageable processes for device sanitization before redeployment or donation to avoid data exposure from orphaned devices.
## Conclusion
The pervasive lack of specialized hardware and firmware knowledge among IT security leadership leaves the entire device ecosystem as a critical yet poorly managed attack surface. The immediate priority must be integrating hardware security requirements into procurement and developing mature, continuous processes for managing firmware integrity and patching across all assets, as current operational blind spots actively invite exploitation.
***
# Morning News Roll-up (12 Dec 2024)
## Overview
This summary highlights key findings from recent cyber security publications, focusing on infrastructure security gaps and reported cyber incidents.
## Top Stories
- Summary: 79% of IT and security decision makers admit to major gaps in hardware and firmware knowledge, leading to configuration weaknesses (e.g., weak BIOS passwords) and high failure rates in hardware security audits.
- Source: Infosecurity Magazine (Analysis based on HP Wolf Report)
- Summary: Nation-state actors have been reported as actively targeting hardware supply chains, indicating external threats are exploiting the internal security knowledge gaps identified in organizational hardware defenses.
- Source: Infosecurity Magazine (Dated 5 Aug 2024)
- Summary: T-Mobile confirmed an incident involving the "Salt Typhoon" group but asserted that the attack did not result in access to customer data, suggesting that a potentially high-impact threat actor was contained.
- Source: Infosecurity Magazine (Dated 28 Nov 2024)