New BIOS security standards aimed at fighting rootkit attacks

NIST sets new security guidelines for updating firmware

There's a growing threat of attacks on computer basic input/output system (BIOS) firmware, and to deter it, the National Institute of Standards and Technology (NIST) is putting in place new security guidelines for updating the BIOS. And in doing this, NIST is getting high-tech manufacturing to raise the bar on security.

"Last September, the first BIOS-based rootkit in the wild was discovered, called Mebromi," notes Andrew Regenscheid, math researcher and project leader in NIST's computer security division. While criminals creating malware have spent far more time over the years targeting Windows applications and operating systems (OS), the potential for wreaking serious havoc by subverting the BIOS, which typically works to do jobs such as load the OS, is of growing concern.

IN THE NEWS: New NIST encryption guidelines may force fed agencies to replace old websites

So through new security guidelines that will influence what computers the federal government buys in the future, NIST is setting standards that require authentication of BIOS update mechanisms.

Just this week NIST put out for public comment its proposed federal standard, "BIOS Protection Guidelines for Servers," with comment sought through mid-September. The intent is to stop any cyberattack related to "unauthorized modification of BIOS firmware by malicious software."

The NIST document basically says government buyers of servers in the future -- whether these are basic servers, managed servers or blade servers -- will be checking to see if gear they are thinking of getting has any way to "authenticate BIOS update mechanism," "secure local update mechanisms," and if there's "firmware integrity protection" and "non-bypassability features."

Encryption-based digital signatures and public-key certificates, among other techniques, are viewed as means of creating these security controls, but NIST isn't dictating specific processes, according to Regenscheid.

He says the concern is that manufacturers haven't uniformly applied strong security controls over BIOS in the past. This may be because BIOS updates tend to occur far less often than other kinds of computer software updates. But with the malware threat growing, it's time to focus on the BIOS, Regenscheid points out.

NIST already issued BIOS security standards for desktops and laptops in April 2011, and the Department of Homeland Security has told federal agencies to use them as a basis for purchasing laptops and desktops, starting this October. The U.S. Department of Defense has issued similar instructions, says Regenscheid. Manufacturers are aware of NIST's direction in all this and are responding. "Microsoft Windows 8 has BIOS protection for the desktop," he points out.

Security for server BIOS may be more complicated and call for support from OEM manufacturers such as Dell, HP and Lenovo. "We're proposing a tightly controlled update process," says Regenscheid. Proposed standards from NIST typically are approved and take effect within six months.

At that point, the "BIOS Protection Guidelines for Servers" will be a federal standard that is likely to also impact what the government acquires, just as the client BIOS security standard did. One question: Since the federal government is increasingly involved in buying cloud-based services, should cloud providers be asked to support secure BIOS? Regenscheid says that's something that surely will be brought up in discussions by people in government who write procurement requirements.

Another question is whether NIST will address this BIOS issue in regard to newer mobile devices, such as tablets from Apple or Google manufacturers, that the federal government is increasingly interested in using. Regenscheid acknowledges NIST is taking a hard look at this, as well as planning several new security standards related to mobile that will be unveiled in the course of the next year.

But NIST isn't tackling these issues by directly changing Android code, for example. Instead, NIST is quietly communicating the federal government's ideas directly to the high-tech manufacturers in the mobile world. "We're reaching out to Google and Apple and Microsoft and talking to them about features we'd like to see," says Regenscheid.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?