Computers today use the Basic Input/Output System (BIOS) firmware to initialize the hardware process and then turn over control to the operating system. Therefore, any malware that affects the BIOS is a serious threat to the entire computer system.
To protect computers from malicious software, IT organizations must also attempt to secure the BIOS firmware.
The National Institute of Standards and Technology (NIST) has created a free document that details computer BIOS security. You can obtain a free copy in our IT Downloads area under the title, “BIOS Protection Guidelines for Servers.”
In the PDF, author Andrew Regenscheid of the Computer Security Division Information Technology Laboratory at NIST breaks the topic into several sections including:
- BIOS Security Principles
- Security Guidelines by Update Mechanism
- Guidelines for Service Processors
Regenscheid begins by explaining that his documentation covers security for server-class systems, which includes “BIOS protection for basic, managed and blade servers.” He identifies his audience as IT security pros who manage server security within an enterprise environment.
The documentation includes detailed background on the system BIOS and different server architectures. It then delves into explanations of BIOS update mechanisms. In this section, Regenscheid discusses how this publication will help IT security professionals to secure BIOS updates “so that only authentic, authorized BIOS images are written to BIOS flash memory, a process sometimes referred to as ‘flashing’ the image.”
Once he’s covered general BIOS information, the author moves on to explain possible threats to the system BIOS, such as malware-based updates that can be executed without authentication, or hacks to control the Service Processor via isolated communications channels.
After the basic introductory information, Regenscheid finally gets to the section on BIOS security principles. According to the author:
This section enumerates the requirements for servers to assert the security principles for BIOS update. The principles use the terms authorize and authenticate in the following context. Authentication of an image assures the integrity and origin of the image. It is typically rooted at the firmware or server manufacturer. Authentication is performed cryptographically using digital signatures. Authorization is permission for an update to be performed by the system. Authorization of updates is typically rooted in the server administrator.
Of course, the author says that readers of this document should have “at least a basic understanding of system and network security.” The text is a bit dry and dense, but the concepts presented are solid and essential for BIOS security.