BIOS Attacks and Four Other Security Trends from VMworld 2019

Cyberattacks on state and local governments in the U.S. have been making the news lately, but what's coming down the road? Here are five security trends from the annual conference in San Francisco this week.

By Ben Miller / August 30, 2019
VMworld 2019 attendees walk down Howard Street in San Francisco. Ben Miller/Government Technology

SAN FRANCISCO — Cybersecurity has been issue No. 1 for government IT leaders for years now, but it’s become an especially urgent need this year as attacks have crippled Baltimore, prompted cities in Florida to pay ransoms and demonstrated how groups of cities can be targeted en masse.

But the tools and practices designed to protect against hackers, as well as the damage they can cause, continue getting better, giving technology leaders better visibility, prevention and response capabilities.

Security was heavily discussed at the VMworld 2019 conference this week. Here are five trends discussed at the gathering.

BIOS Attacks

Tom Ricoy, director of cybersecurity product management for Dell, told conference-goers that a new attack vector has begun to rear its head: BIOS.

“This was all theory years ago. We had proofs of concept, but ... could we actually do this? And [now] we have three known [BIOS] attacks,” Ricoy said.

BIOS, which is computer firmware that most users simply ignore, usually goes unprotected by passwords, Ricoy said. Even when IT sets a BIOS password, it’s often the same simple password on every machine.

The problem is that BIOS attacks are even more likely to go unnoticed than other types of breaches. These attacks, which can let an attacker disable secure booting, downgrade the BIOS to a vulnerable version, wipe data or hold a device for ransom, were unheard of until about a year ago.

“There are 300 settings in BIOS that you can configure … having your BIOS configured properly is really important,” Ricoy said.

Dell has developed BIOS protection tools that auto-generate a complex BIOS password for each machine on a network, expiring it after every use, and that watch the BIOS for any unexpected changes.

“You can check it either at the boot time or any time you want, and we integrated that with VMware,” Ricoy said.
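The integrity check Ricoy describes boils down to comparing a machine's current BIOS settings with the configuration IT approved and flagging drift, with a downgrade or a Secure Boot change treated as the worst case. The following is an added illustration, not Dell's or VMware's code; the setting names, the version-string format and the severity rules are assumptions, and both setting dumps are constructed.

```python
"""Flag unexpected BIOS/UEFI setting drift against a known-good baseline.
Added illustration, not Dell's or VMware's code; the setting names,
version format and severity rules are assumptions."""

CRITICAL_KEYS = {"secure_boot", "admin_password_set"}  # assumed policy

# Constructed sample: settings approved when the machine was provisioned.
BASELINE = {
    "bios_version": "1.12.0",
    "secure_boot": "enabled",
    "admin_password_set": "true",
    "boot_order": "internal_ssd,usb",
    "sata_mode": "ahci",
}

# Constructed sample: what the same endpoint reports at its next check-in.
CURRENT = {
    "bios_version": "1.9.2",           # older image than the baseline
    "secure_boot": "disabled",
    "admin_password_set": "true",
    "boot_order": "usb,internal_ssd",  # external media now boots first
    "sata_mode": "ahci",
}


def parse_version(text):
    """'1.12.0' -> (1, 12, 0); compared as strings, '1.9.2' > '1.12.0' would hide a downgrade."""
    return tuple(int(part) for part in text.split("."))


def check_drift(baseline, current):
    """Map each drifted key to (kind, expected, actual); an empty dict means no drift."""
    findings = {}
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None:
            findings[key] = ("missing", expected, None)
        elif key == "bios_version" and parse_version(actual) < parse_version(expected):
            findings[key] = ("downgrade", expected, actual)
        elif actual != expected:
            findings[key] = ("changed", expected, actual)
    return findings


def severity(findings):
    """Downgrade or a critical-key change: critical; any other drift: high; none: ok."""
    if not findings:
        return "ok"
    downgraded = findings.get("bios_version", ("",))[0] == "downgrade"
    return "critical" if downgraded or CRITICAL_KEYS.intersection(findings) else "high"
```

Run at boot or on a schedule, `check_drift(BASELINE, CURRENT)` on the constructed data reports the downgrade, the disabled Secure Boot and the reordered boot devices, and `severity` rates the machine critical.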

Darryl Polk, CIO for the city of Rancho Cucamonga, Calif., agreed that IT hasn’t paid much attention over the years to BIOS as a threat vector.

“I think it’s an area that nobody looked at because nobody had considered that to be where my threat’s gonna land,” he said. “And I think that’s part of the problem, is that because you’re reactionary, you tend to look at where threats have landed, instead of proactively looking at where they could land.”

Endpoint Protection

One of VMware’s biggest announcements at the conference was its acquisition of Carbon Black, an endpoint security firm it already had a close relationship with. Now, the company is working Carbon Black into its products, which are widely used in government for virtualization, cloud migration and more.

Shikha Mittal, VMware’s director of product management, gave a demonstration of how the technology fits in with the digital workspace platform Workspace ONE. As employees go about their business, Carbon Black can flag suspicious traffic and raise a user’s risk score so IT knows where they need to respond.

Mittal said this can help organizations truly welcome employees’ devices without sacrificing security.

“[Delta Airlines has] been using Workspace ONE for enterprise-owned devices to manage apps … but now they’re using Workspace ONE to manage a homegrown app to book travel for all Delta employees, using any device that they can bring,” she said. “So really, this is about app access on any device, anywhere.”

Vulnerability Prioritization

Another announcement VMware made was new vulnerability management capabilities in its application security product AppDefense.

The changes mean that rather than doing regular vulnerability scans that result in lists of thousands of potential fixes, AppDefense will continuously look for vulnerabilities. It will also prioritize those vulnerabilities based on multiple factors.

“There’s no more scans … it’s actually built right into the platform, it’s continuously monitoring for change and for vulnerabilities inside the workload, and it’s not just providing you with a list of things based on the CVE scores,” said Tom Corn, senior vice president and general manager of security products for VMware. “It’s not just providing you with a long list. What we’re doing is we’ve built into our app verification cloud the intelligence to see which vulnerabilities have exploits, how easy these exploits are to execute on, so we can say … these are the ones that really matter to you.”

Improving Disaster Recovery

Should a cyberattack force an organization to fail over, it might face unexpected problems with the plans it set up for such an event. That’s because, in a siloed organization, it’s difficult to test how the various technologies will behave together.

“[With disaster recovery] that’s the main challenge, you have so many products and you’re depending on some luck to make it work for you, and it’s hard for everybody,” said Simon Long, a senior solutions architect with Datrium.

This year, Datrium introduced a product called ControlShift, a DR orchestration application that aims to address the problem by continually checking runbooks for compliance with IT policies in the event of a failover. That way, IT can address problems long before a failover takes place.

“This is something that’s very powerful to have, because it gives you that reassurance that you know it’s going to function,” Long said.

Security Automation

The International Information System Security Certification Consortium projects that the world will have a cybersecurity workforce shortage of almost 2 million by 2022.

But filling that gap is not all about training more people, said Matt Van Syckle, chief technology officer for the state of Montana.

“Everyone’s heard of the cybersecurity staff shortage that exists in the nation, and I think if you look at it, we can’t solve that by just more and more training, adding more and more staff. We also have to … decrease the workload that staff needs to do and automate as much as we can,” Van Syckle said. “That’s automation in infrastructure [and] automation in security response.”

That automation might come from artificial intelligence or it might come from manual scripting. That is, he said, IT can start working more efficiently by using data to identify its most common security events and address those — when the response is almost always going to be the same — with automatic runbooks.

“It can be very product and vendor agnostic. You just look at all of your products and, say, if you can automate the top three security events that happen, you can decrease your staff workload by 80 percent,” he said. “You don’t automate the things that happen once every year. You automate the stuff that on average happens once or twice a day. Automate that, and then you can have the staff focus on the things that happen with manual response once a year.”
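The selection step Van Syckle describes, tallying a day's alerts by type and handing the few most frequent, same-response ones to runbooks while the rest stay with staff, can be expressed as a short script. This is an added illustration of that approach, not the state of Montana's tooling; the log format, event names and runbook table are assumptions, and the alert lines are constructed.

```python
"""Choose which security events to automate: the frequent, same-response ones.
Added illustration of the approach described above, not Montana's tooling; the
log format, event names and runbook table are assumptions."""
from collections import Counter

# Constructed sample of one day's alerts: "<timestamp> <event_type> <details>".
ALERT_LOG = """\
2019-08-26T08:01:10 phishing_report user=ajones msg_id=1
2019-08-26T08:04:55 password_reset user=bsmith
2019-08-26T08:10:02 malware_quarantined host=ws-0412 sig=Trojan.Generic
2019-08-26T08:12:40 phishing_report user=cwang msg_id=2
2019-08-26T09:00:13 password_reset user=dlee
2019-08-26T09:15:27 phishing_report user=efox msg_id=3
2019-08-26T10:30:44 vpn_geo_anomaly user=gray src_country=ZZ
2019-08-26T11:02:09 malware_quarantined host=ws-0077 sig=Adware.X
2019-08-26T13:45:51 password_reset user=hpatel
2019-08-26T16:20:00 dc_admin_group_change user=svc_backup
"""

# Assumed runbook table: event types whose response is the same every time.
# Rare, judgment-heavy events (the last two above) deliberately have none.
RUNBOOKS = {
    "phishing_report": "pull_message_and_block_sender",
    "password_reset": "verify_identity_then_reset",
    "malware_quarantined": "isolate_host_and_open_reimage_ticket",
}


def count_events(log_text):
    """Tally alerts by event type (second whitespace-separated field)."""
    return Counter(line.split()[1] for line in log_text.splitlines() if line.strip())


def plan(log_text, top_n=3):
    """Automate the top_n most frequent event types that have a runbook;
    everything else stays with a human. Returns the split and the share automated."""
    counts = count_events(log_text)
    total = sum(counts.values())
    automated, manual = {}, []
    for event_type, _ in counts.most_common():
        if len(automated) < top_n and event_type in RUNBOOKS:
            automated[event_type] = RUNBOOKS[event_type]
        else:
            manual.append(event_type)
    handled = sum(counts[e] for e in automated)
    return {"automated": automated, "manual": manual,
            "automated_share": handled / total if total else 0.0}
```

On the constructed log the three most common types account for 8 of 10 alerts, so `plan(ALERT_LOG)["automated_share"]` is 0.8, while the once-a-day admin-group change and the VPN anomaly stay in the manual queue.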

Ben Miller, Associate Editor of GT Data and Business

Ben Miller is the associate editor of data and business for Government Technology. His reporting experience includes breaking news, business, community features and technical subjects. He holds a Bachelor’s degree in journalism from the Reynolds School of Journalism at the University of Nevada, Reno, and lives in Sacramento, Calif.
