Do you think vulnerabilities below the operating system (in firmware, BIOS, drivers, etc.) should be a concern in your industry?

1.3k views · 4 Upvotes · 10 Comments

CISO in Finance (non-banking), 51 - 200 employees
I used to do threat intelligence at Intel. So that was obviously an area of focus for us. At the CEA it's definitely a different beast. Really we provide earthquake insurance to anyone who owns property in California. We do have sensitive data and we do have things that we definitely have to protect, like data that can't go between private insurers that we work with. But from what I've been keeping an eye on, I think a lot of it is nation state, and honestly we're just not that big of a target. I mean if they want our actuarial tables, I don't think they need to go through the work to steal that from us.

But it is definitely something I'm keeping an eye on and I'm kind of just waiting, just looking at it from a risk-based approach of like, "Okay, when does it hit that tipping point to where we really need to start doing things and taking it seriously?" And honestly, I'm doing that by gut. I mean, I have some experience there, but it's not something I could define as like what the tipping point is and when we'd need to start jumping in pretty heavily on it. So that's where we are at the CEA.
3 Upvotes · 2 Replies
Board Member, Advisor, Executive Coach in Software, Self-employed
So maybe I'll paraphrase this: an asteroid might strike the earth where you're sitting and create an extinction event. But there's nothing you can do relative to poking that asteroid out of the way. So other than just being aware of it, there aren't actions to take.

CISO in Finance (non-banking), 51 - 200 employees
No, that's kind of it. And I've engaged with other execs about how things are progressing and what they're seeing. But again, when I look at it from a risk-based approach for the CEA specifically, we're not that valuable a target for people who are willing to put in that kind of work or resources. I would be actively looking at it and paying a lot more attention if I were somewhere that had real trade-secret type information. I would actively be looking at solutions and what becomes available over time. It has changed, and there has been more activity today than there was 10 years ago. Definitely. And more solutions are becoming available.

CISO in Software, 51 - 200 employees
I agree, Kimberley. I think you're right that you don't need to worry about it in relation to other, larger risks. We have controls in place or backups in place for a lot of the things that you are dealing with.
CISO in Software, 51 - 200 employees
I think it's very industry dependent, and that's okay. I think that's not necessarily a bad thing. And it depends on where you're talking about it, too. Are you talking about IoT networks, which can potentially impact other people, where you are now becoming part of the problem? If you have an IoT network and you're working on connected cars, you need to be thinking about this. You need to be worried about this. And I think that there are some solutions there. Maybe not bulletproof, but if you look at Azure Sphere or what Amazon is doing, you rely on somebody who has the expertise and the knowledge and the kind of weight to do it. If you are Joe Schmoe Manufacturing, you should not be hiring IT people to build your own firmware. You're going to have a bad day. You should be relying on the experts, and it might cost you a little bit more.
Board Member, Advisor, Executive Coach in Software, Self-employed
I think broadly it's an issue that doesn't get enough discussion because of all the other things above the operating system that we're all drowning in. In the context of a security company like CrowdStrike, or even Symantec, McAfee, Zscaler, I'd be worrying about this a lot. I really do think it has substantial implications, not only for an individual company or organization but also for society, when that gets weaponized in that way at some point. I just don't know when, but I imagine it in the near future. Imagine ransomware at the firmware level: good luck ever recovering the system. And imagine that in a manufacturing environment, imagine a point-of-sale system, imagine it in the hospital.
CISO in Education, 1,001 - 5,000 employees
Our computing environments are very commodity driven. We set up contracts with the manufacturer and they deliver our servers and our desktops and laptops, because we buy in such volume. And it turns over every three or four years. And so when Spectre and Meltdown came out a couple of years ago, our security team looked at each other and we were like, "Do you know what we're supposed to do? What are we doing here?" It turned out mostly to be a nonevent for us. And so I think, as a security practitioner in the higher ed space, we have probably a thousand other things and not enough budget to do all of those things. We're just mostly struggling to keep our heads above the water and just doing the basics.
3 Upvotes · 1 Reply
General Partner in Software, 2 - 10 employees
Take a look at Eclypsium. Their patch management at scale would help with a larger footprint of devices (desktops / laptops / servers).

ISSO and Director of the IRU in Healthcare and Biotech, 10,001+ employees
💯 should absolutely be a concern.
Director of IT in Manufacturing, Self-employed
Significant concern for electric utilities, as exploits aren't just feasible, they've been seen in industrial controls.
