In light of the growing threat of BIOS attacks, we would like to institute a BIOS management lifecycle. Can we use the same basic framework for BIOS patches and BIOS updates that we use to manage software patches and updates, or are some changes required?
A computer's Basic Input/Output System (BIOS) initializes the hardware and hands control to the operating system when the computer starts. As the first code executed during boot, the system BIOS is implicitly trusted by every hardware and software component that follows it, which makes it both a critical part of a secure system and an attractive target: code that runs before the operating system sits underneath the operating system's own protections. The growing adoption of BIOS implementations built on the Unified Extensible Firmware Interface (UEFI) specification makes it easier for attackers to automate attacks, because more computers now share a common specification.
The BIOS is developed by original equipment manufacturers (OEMs) and independent BIOS vendors and installed on the motherboard, and it can be updated in the field to fix bugs, patch vulnerabilities and support new hardware. That same update path is why unauthorized modification of the BIOS is such a significant threat, given its unique and privileged position in the computer's architecture: an infected BIOS gives malware a persistent presence that survives reinstalling the operating system, and a corrupted BIOS can leave the machine unable to boot at all, a permanent denial of service.
An organization can use its existing software patch management framework for the BIOS patch and update lifecycle, provided that framework is robust. It is essential to establish and document a common BIOS configuration baseline for each platform, identifying the approved BIOS version and the approved configuration settings. Where the platform supports them, enable the BIOS integrity-protection features and the protections against bypassing the authenticated update mechanism, and enforce setup-password and device boot-order policies. Organizations should also keep a master image of each approved system BIOS in secure offline storage. This gives a consistent, known starting posture and makes rollback or reinstallation possible if it is ever necessary.
Updates should go through the change-management process, with each newly approved version recorded in the configuration plan. How an organization verifies the authenticity and integrity of a BIOS update depends on the level of assurance it requires. Most organizations will rely on the manufacturer as the source of authenticated updates, with the platform's update mechanism checking the vendor's digital signature before an image is written. If the platform has a configurable Root of Trust for Update (RTU), an organization can go further and digitally countersign the updates it has approved, so that only images carrying the organization's own signature are accepted, keeping that private signing key under multi-party control.
Organizations should periodically verify that BIOS policies, processes and procedures are being followed, for example by comparing each system's installed BIOS version, image hash and configuration settings against the documented baseline. Any unexpected or unauthorized modification that is detected should be investigated, documented and remediated through the incident response procedures. Physical access to systems should also be controlled, since an attacker with physical access can reflash the BIOS chip directly and sidestep the software update mechanism.
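The baseline described two paragraphs above and the periodic check described here can be combined into one routine. The following is an added example, not code from the original article: it compares a host's dumped BIOS image and exported setup values against an approved manifest. The platform name, manifest layout, setting names and the sample image and inventory are all constructed for illustration; in practice the image comes from a vendor or third-party flash dump tool and the digest in the manifest is recorded when the master image is approved.

```python
"""Check a host's BIOS image and settings against the approved baseline.

Added example, not part of the original article. Assumptions: the operator
has already dumped the SPI flash image with a vendor or third-party tool and
exported the firmware setup values as key/value pairs; the manifest layout,
platform name and setting names are invented for illustration.
"""
import hashlib

# Constructed stand-in for the master image kept in offline storage.
MASTER_IMAGE = b"ACME BIOS 1.12 " + bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image; the value recorded in the manifest."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline manifest, one entry per approved platform. The digest
# is computed here only so the example is self-contained; in real use it is
# recorded in the manifest at approval time, not derived from the host.
BASELINE = {
    "ACME-WS-3000": {
        "approved_version": "1.12",
        "image_sha256": sha256_hex(MASTER_IMAGE),
        "settings": {
            "secure_boot": "enabled",
            "setup_password_set": "yes",
            "flash_write_protect": "enabled",
            "boot_order": ["INTERNAL_SSD", "PXE"],
        },
    }
}


def check_platform(platform, version, image, settings, baseline=BASELINE):
    """Return a list of findings; an empty list means the host matches baseline."""
    ref = baseline.get(platform)
    if ref is None:
        return [f"no approved baseline for platform {platform!r}"]
    findings = []
    if version != ref["approved_version"]:
        findings.append(f"version {version!r} != approved {ref['approved_version']!r}")
    actual = sha256_hex(image)
    if actual != ref["image_sha256"]:
        findings.append(f"image SHA-256 {actual[:12]}... != approved {ref['image_sha256'][:12]}...")
    # Every approved setting must be present and equal; a missing key counts as drift.
    for key, expected in ref["settings"].items():
        got = settings.get(key)
        if got != expected:
            findings.append(f"setting {key}: {got!r} != approved {expected!r}")
    return findings


def audit(hosts, baseline=BASELINE):
    """Run check_platform over an inventory; returns {hostname: findings}."""
    return {
        h["hostname"]: check_platform(h["platform"], h["version"], h["image"], h["settings"], baseline)
        for h in hosts
    }


# Constructed inventory: one compliant host, one whose image and boot order drifted.
_tampered = bytearray(MASTER_IMAGE)
_tampered[100] ^= 0x01  # single-bit change somewhere in the image
SAMPLE_HOSTS = [
    {
        "hostname": "ws-101",
        "platform": "ACME-WS-3000",
        "version": "1.12",
        "image": MASTER_IMAGE,
        "settings": dict(BASELINE["ACME-WS-3000"]["settings"]),
    },
    {
        "hostname": "ws-102",
        "platform": "ACME-WS-3000",
        "version": "1.12",
        "image": bytes(_tampered),
        "settings": {
            "secure_boot": "enabled",
            "setup_password_set": "yes",
            "flash_write_protect": "enabled",
            "boot_order": ["PXE", "INTERNAL_SSD"],  # network boot moved first
        },
    },
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {'OK' if not findings else 'DRIFT'}")
        for finding in findings:
            print(f"  - {finding}")
```

A hash comparison only tells you that the flash contents differ from the approved image, not why; every finding still needs the investigation the paragraph calls for. Bear in mind also that a dump taken from inside the running operating system passes through the very platform being checked, so for an investigation rather than a routine sweep the image should be read with an external programmer rather than trusted from software alone.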
Before a motherboard is disposed of, restore the BIOS and its configuration data to the manufacturer's default settings and remove or destroy any sensitive data, in particular passwords and any keys held in the BIOS key store. If the BIOS includes organization-specific customizations, reinstall a vendor-provided BIOS image. These precautions reduce the chance of accidental data leakage when a motherboard is retired.
This was first published in January 2012