How likely is it that an enterprise will face a BIOS attack? Is it worth going to all the trouble to secure a network via the new NIST guidelines?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
BIOS attacks have a long history, but have been greatly eclipsed by more general malware and attacks. The early PC BIOS attacks operated by changing the BIOS passwords in order to change the boot sequence on a PC and gain access to a computer, bypassing the installed operating system. These attacks required physical presence and many future attacks on BIOS will still require physical access.
There are attacks that could be performed remotely on the BIOS for which NIST is trying to prevent or minimize the effect with its BIOS security guidelines. New attacks on the BIOS could be launched by circumventing the security of the operating system. Given the number of different types of BIOS, future BIOS attacks may need to be targeted at specific BIOS iterations as mentioned in the NIST BIOS security guidelines. The next-generation UEFI BIOS has many new features like runtime services meant to enhance the overall computing experience, but these features could be used to attack the computer if they are not sufficiently secured. These BIOS attacks might be more difficult to recover from too, since the standard advice of reformatting the hard drive and reinstalling may not completely clean the system.
Securing BIOS is worth the trouble it takes to be included in general hardware drivers and software update programs. Enterprises should purchase hardware with BIOS versions that were developed using the NIST guidelines and then securely configure the BIOS. To accomplish this, a password should be set on the BIOS for making any changes, and the boot process should be set to a specific setting required by the system. A good example of a safe boot would be allowing a system to boot off of the internal hard drive. If your BIOS supports configuration changes while booted to the operating system, you could make these changes a part of a standard image. By using these settings, a securely configured computer, and installing signed BIOS updates when available as a part of a standard patch management cycle, the risk of future attacks to BIOS and their systems should be minimized.
This was first published in April 2012