Trapezoid has a webinar this Thursday on NIST and firmware security:
https://twitter.com/TrapezoidSec/status/841849041214443520
http://nistwebinar.digitaleragroup.com/
Trapezoid CTO Jose Gonzalez has written a new article on LinkedIn about the lack of firmware security in government standards.
[…]What’s the problem? Firmware is powerful code that persists from device restart to restart, sitting below operating systems and driver layers where it can fool anything else on the system – including existing security tools – into thinking everything is working fine. The problem is that very few people are paying attention to protecting the firmware.[…]
Developing a NY DFS Cybersecurity Program? Pay attention to firmware!
https://www.linkedin.com/pulse/developing-ny-dfs-cybersecurity-program-pay-attention-gonzalez
I did a brief post on Trapezoid a few months ago, and it included a significant error.
Their product is NOT an OEM-centric product; it is a product for enterprises. Earlier I thought that they needed to be integrated at the OEM level, which is not the case.
If you buy their product, tell them you heard about them via the FirmwareSecurity.com blog. 🙂
Jose Gonzalez from Trapezoid.com brought this to my attention:
I thought you would be interested to see this ISACA report released today. The main findings were covered by Computer Weekly:
“More than half (52%) of the study’s participants who place a priority on security within hardware lifecycle management report at least one incident of malware-infected firmware being introduced into a company system, with 17% of these incidents having a material impact. In contrast, those that do not prioritise security in the hardware lifecycle process have a high rate of unknown malware occurrences (73%). This indicates many vulnerabilities remain undetected and unpatched, creating security risks. This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber attack. To be able to address these weaknesses, the report said organisations need to foster increasing co-operation and communication between IT departments and audit professionals, and establish robust controls for hardware lifecycle management. The study shows that acting on feedback from the auditing teams is key to mitigating risk.”
http://www.computerweekly.com/news/450401249/Most-businesses-vulnerable-to-cyber-attacks-through-firmware-study-shows
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Firmware-Security-Risks-and-Mitigation.aspx
Jose Gonzalez, Trapezoid’s CEO, has a new article on firmware security and HIPAA requirements:
https://www.linkedin.com/pulse/firmware-integrity-hipaa-security-rule-jose-e-gonzalez
I recently learned about Trapezoid, a Florida-area company that apparently sells a commercial firmware product. It is unclear which platform(s) it supports and at what cost; you have to contact them for any useful information.
Trapezoid® Firmware Integrity Verification Engine is the first integrity monitoring solution designed to detect and alert on attacks and malware affecting BIOS and firmware.
Detect: Trapezoid’s patented Marker tagging technology combines hardware specific data and user defined policy attributes to remotely attest to the identity and integrity of the monitored hardware, detect unauthorized changes to firmware, forensically map virtual machines to physical hardware, and define workload and data boundaries.
Analyze: Trapezoid’s Firmware Integrity Verification Engine proactively identifies and analyzes the integrity of physical devices in the IT infrastructure and creates a full audit trail of virtual assets that are associated with those devices.
Remediate: Trapezoid integrates with leading security policy management and reporting tools allowing you to incorporate firmware integrity monitoring into your existing security and compliance framework to address unauthorized changes in firmware.
Our patented Trapezoid® Marker and flexible architecture supporting ANY type of firmware also make Trapezoid the ideal first line of firmware defense for OEMs.
The Trapezoid leadership team is comprised of seasoned security and legal professionals from Terremark (now a Verizon company) with extensive experience in incident response, data center security, security operations, cloud security, risk management and compliance.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.