The strength of an architecture depends on the strength of its foundations. As threats evolve, many orgs are adopting combinations of hardware and software to protect against them. What is the balance in your IT environment between hardware and software security? Are you utilizing below-the-OS protection parameters such as BIOS and firmware security?

Drop your best practices in the comments!

#IAmIntel

5 Spice ups

There is no versus. Security is an integral part of both.

Software:

  • Program concepts should have security as a forethought instead of an afterthought.
  • Code should be written as tightly as possible: no backdoors or spaghetti.
  • Code should be documented. I have been auditing firewall rulesets and have given my assessments based on how the rule is written. Then admins say, “It actually does this.” I reply, “Instead of leaving the description blank, put that in there.”
  • Software inputs should be coded to reject incorrect data and sanitize good data.
  • Data testing should include bad, correct, and fuzzed (as a start) to test acceptance.
  • Test in the lab and not in production.
  • Must use system resources properly and not run amuck.

Hardware:

  • Hardware should be from reliable and respected purveyors.
  • Understand and secure the supply chain. Hamas learned this lesson when their cell phones blew up.
  • As much as I dislike the TPM chip, it has a place in security.
  • Test in the lab and not in production.
  • Full Disk Encryption (FDE)
  • Build an image and test it thoroughly. Once it passes muster, that is the base image for subsequent machines.
  • Have a list of certified applications. Designations could be: Preferred, Accepted, Discouraged, and Unacceptable.

These are off the top of my head and are in no way exhaustive.

2 Spice ups
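The input-handling and testing points in the list above (reject incorrect data, sanitize accepted data, test with bad, correct and fuzzed inputs) can be shown in a small piece of code. The example below is added here and is not code from the thread or from any poster; the field it validates (a `host:port` target such as a firewall rule might carry), the length limits and the character policy are assumptions chosen for illustration.

```python
import random
import re
import string
from dataclasses import dataclass

# Added example, not code from the thread. The "host:port" field and every
# limit below are assumptions made for illustration.

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Printable ASCII minus the whitespace control characters.
ALLOWED_CHARS = set(string.printable) - set("\t\n\r\x0b\x0c")
MAX_INPUT_LEN = 260


class ValidationError(ValueError):
    """Raised for every input the validator refuses; any other exception is a bug."""


@dataclass(frozen=True)
class Target:
    host: str
    port: int


def parse_target(raw: str) -> Target:
    """Reject anything outside the expected shape, then normalise what is accepted."""
    if not isinstance(raw, str):
        raise ValidationError("input must be a string")
    if len(raw) > MAX_INPUT_LEN:
        raise ValidationError("input too long")
    if not set(raw) <= ALLOWED_CHARS:
        raise ValidationError("disallowed characters in input")
    host, sep, port_text = raw.strip().rpartition(":")
    if not sep:
        raise ValidationError("expected host:port")
    # str.isdigit() also accepts Unicode digits that int() rejects, so be explicit.
    if not re.fullmatch(r"[0-9]{1,5}", port_text):
        raise ValidationError("port must be 1-5 ASCII digits")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValidationError("port out of range")
    host = host.lower().rstrip(".")  # sanitise the accepted data
    if not host or len(host) > 253:
        raise ValidationError("bad hostname length")
    for label in host.split("."):
        if not HOSTNAME_LABEL.match(label):
            raise ValidationError(f"bad hostname label: {label!r}")
    return Target(host=host, port=port)


def run_acceptance_tests(seed: int = 1, fuzz_cases: int = 500) -> dict:
    """Feed correct, bad and fuzzed inputs (all constructed here).

    Contract: correct inputs parse, bad inputs raise ValidationError, and no
    input at all raises anything other than ValidationError."""
    correct = ["web01.example.com:443", "DB.Internal:5432", "a:1"]
    bad = ["", "web01.example.com", "web01:0", "web01:70000", "-bad-.example:22",
           "web01:443\n", "web 01:443", "web01:4 43", "x" * 300 + ":80", "host:"]
    rng = random.Random(seed)  # fixed seed so any failure is reproducible
    alphabet = string.printable + "\x00\x7f\u00e9\u2603"
    fuzzed = ["".join(rng.choice(alphabet) for _ in range(rng.randint(0, 80)))
              for _ in range(fuzz_cases)]

    cases = ([(s, "accept") for s in correct] + [(s, "reject") for s in bad]
             + [(s, None) for s in fuzzed])
    results = {"accepted": 0, "rejected": 0, "crashed": 0, "wrong_verdict": 0}
    for sample, expected in cases:
        try:
            parse_target(sample)
            verdict = "accept"
        except ValidationError:
            verdict = "reject"
        except Exception:  # anything else means the validator itself is broken
            results["crashed"] += 1
            continue
        results["accepted" if verdict == "accept" else "rejected"] += 1
        if expected is not None and verdict != expected:
            results["wrong_verdict"] += 1
    return results


if __name__ == "__main__":
    print(parse_target("Web01.Example.com.:443"))
    print(run_acceptance_tests())
```

The fuzz cases have no expected verdict; what they check is the third part of the contract, that the validator never fails with anything other than its own `ValidationError`. A crash on random input is exactly the kind of defect that lab testing should surface before the code reaches production.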

Security starts with the user.

But as for hardware vs. software, I’m of the opinion that when software detects something malicious, it’s already in your network and has already achieved a level of compromise.

So it’s imperative to have security at the border, which implies a hardware appliance with security capabilities such as web content filtering and application protocol filtering.

But stuff will get past (often because users don’t abide by best practices), so software solutions on the endpoint are also necessary.

These software solutions need to go beyond mere anti-malware protection; you need active monitoring of event logs to detect anomalies (SIEM - Security Information and Event Management) and you need monitoring of processes to detect anomalous behavior with active response (EDR - Endpoint Detection and Response) to limit the damage caused by malicious activity.

As for endpoint hardware security, that still seems a little bit “wild west”. It feels like it’s too easy to manipulate TPM or bypass it entirely. Solutions for centrally managing and monitoring TPM and firmware — if they exist — don’t seem to be well-advertised. There’s Intel vPro, which I think might be some kind of a solution, but all the advertising is executive-level blather that doesn’t really explain what it actually does.

1 Spice up
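The post above argues that endpoint software has to go beyond anti-malware to active monitoring of event logs for anomalies. As an added illustration (not code from the thread or from any poster), the block below runs one such detection over a handful of constructed sshd-style log lines: a burst of failed logons from one source within a short window raises a medium alert, and a successful logon from that same source shortly afterwards raises a high one. The log format, the year (syslog timestamps carry none), the thresholds and the IP addresses are all assumptions; the addresses come from the documentation ranges and the lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan 10 08:00:01 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jan 10 08:00:03 host1 sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 08:00:05 host1 sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Jan 10 08:00:08 host1 sshd[1004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 08:00:11 host1 sshd[1005]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Jan 10 08:00:14 host1 sshd[1006]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jan 10 08:02:00 host1 sshd[1010]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 10 08:03:00 host1 sshd[1011]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Jan 10 08:03:00 host1 sshd[1011]: pam_unix(sshd:session): session opened for user alice
Jan 10 08:05:00 host1 sshd[1020]: Accepted password for svc_backup from 203.0.113.7 port 51020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return a dict for logon-outcome lines; other lines are ignored.
    The year is an assumption because syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=2),
           follow=timedelta(minutes=10)):
    """Sliding-window rule: >= threshold failures from one source inside
    `window` -> medium alert; an accepted logon from that source within
    `follow` of the alert -> high alert. Thresholds are illustrative."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # src -> timestamps of recent failures
    flagged = {}                  # src -> time the brute-force alert fired
    alerts = []
    for e in events:
        src = e["src"]
        if e["outcome"] == "Failed":
            bucket = failures[src]
            bucket.append(e["ts"])
            while bucket and e["ts"] - bucket[0] > window:  # expire old failures
                bucket.pop(0)
            if len(bucket) >= threshold and src not in flagged:
                flagged[src] = e["ts"]
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "src": src, "count": len(bucket), "ts": e["ts"]})
        elif src in flagged and e["ts"] - flagged[src] <= follow:
            alerts.append({"severity": "high", "rule": "ssh_bruteforce_then_success",
                           "src": src, "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alice's single failure followed by a success produces nothing, which is the point of the window and threshold: the rule is meant to fire on the pattern, not on every failed password. The second alert is the one that matters for response, because it says the activity did not stop at noise.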

Good point. Security-always!

#IAmIntel

I hear you. If malware or an attack has reached the endpoint, then it might be time for damage control. Intel vPro is a platform that gives you remote management, built-in security that resides in the hardware, and optimizations for business performance.

#IAmIntel

1 Spice up

The simple answer: depends on your budget & what business the Org is in.

1 Spice up

Security should start at layer 1. Physical: this means cabling, hardware, etc. Typically this is a network device, but often you cannot control that security, say if you are on a public network. My company has opted for Intel vPro-based chips/laptops because of the additional security features you get, which include malware/ransomware protection, Trusted Platform Module for Windows and 2.0, threat detection and more. I found this on Intel’s site. Our company leads every conversation with security and this is an important part of that discussion.

https://www.intel.la/content/www/xl/es/business/enterprise-computers/resources/hardware-security.html

I have been using BIOS passwords and utilizing tools such as Intel vPro. vPro helps me push out TESTED BIOS patches and it helps me manage inventory by looking at the version of the BIOS on them. And my favorite part: I can remotely access the BIOS and push ISOs to the computers without leaving my seat.

I think Intel does need to have a talk with my doctor though. It’s good for my mental health but not my physical (since I don’t leave my chair anymore…).

Lol, I heard it put, everyone has a test environment, some people also have the luxury of a separate production environment!

IMHO, security starts with planning and policy. No matter what you are doing, if you are not doing it according to a policy, you are likely not doing something you should.

2 Spice ups