Do you think vulnerabilities below the operating system (in firmware, BIOS, drivers, etc.) should be a concern in your industry?

I used to do threat intelligence at Intel. So that was obviously an area of focus for us. At the CEA it's definitely a different beast. Really we provide earthquake insurance to anyone who owns property in California. We do have sensitive data and we do have things that we definitely have to protect, like data that can't go between private insurers that we work with. But from what I've been keeping an eye on, I think a lot of it is nation state, and honestly we're just not that big of a target. I mean if they want our actuarial tables, I don't think they need to go through the work to steal that from us. But it is definitely something I'm keeping an eye on and I'm kind of just waiting, just looking at it from a risk-based approach of like, "Okay, when does it hit that tipping point to where we really need to start doing things and taking it seriously?" And honestly, I'm doing that by gut. I mean, I have some experience there, but it's not something I could define as like what the tipping point is and when we'd need to start jumping in pretty heavily on it. So that's where we are at the CEA.

Anonymous Author
I agree, Kimberley. I think you're right that you don't need to worry about it in relation to other larger risks. We have controls in place or backups in place for a lot of the things that you are dealing with.
0 upvotes
Anonymous Author
I think it's very industry dependent, and that's okay. I think that's not necessarily a bad thing. And it depends on where you're talking about it too. Are you talking about IoT networks, which can potentially impact other people, where you are now becoming part of the problem? If you're running an IoT network and you're working on connected cars, you need to be thinking about this. You need to be worried about this. And I think that there are some solutions there. Maybe not bulletproof, but if you look at Azure Sphere or what Amazon is doing, you rely on somebody who has the expertise and the knowledge and kind of the weight to do it. If you are Joe Schmoe Manufacturing, you should not be hiring IT people to build your own firmware. You're going to have a bad day. You should be relying on the experts, and it might cost you a little bit more.
0 upvotes
Anonymous Author
I think broadly it's an issue that doesn't get enough discussion because of all the other things above the operating system that we're all drowning in. In the context of a security company like CrowdStrike, or even Symantec, McAfee or Zscaler, I'd be worrying about this a lot. I really do think it has substantial implications, not only for an individual company or organization but also for society, when that gets weaponized in that way at some point. I just don't know when, but I imagine it in the near future. Imagine ransomware at the firmware level: good luck ever recovering the system. And imagine that in a manufacturing environment, imagine a point-of-sale system, imagine it in a hospital.
0 upvotes
Anonymous Author
Our computing environments are very commodity driven. We set up contracts with the manufacturer and they deliver our servers and our desktops and laptops, because we buy in such volume. And it turns over every three or four years. And so when Spectre and Meltdown came out a couple of years ago, our security team looked at each other and we were like, "Do you know what we're supposed to do? What are we doing here?" It turned out mostly to be a non-event for us. And so I think, as a security practitioner in the higher ed space, we have probably a thousand other things and not enough budget to do all of those things. We're just mostly struggling to keep our heads above water and doing the basics.
2 upvotes
Anonymous Author
💯 should absolutely be a concern.
3 upvotes