Protecting computers at start-up: New NIST guidelines

Dec 21, 2011

A new draft computer security publication from the National Institute of Standards and Technology (NIST) provides guidance for vendors and security professionals as they work to protect personal computers as they start up.

The first software that runs when a computer is turned on is the "Basic Input/Output System" (). This fundamental system software initializes the hardware before the starts. Since it works at such a low level, before other protections are in place, unauthorized changes—malicious or accidental—to the BIOS can cause a significant security threat.

"Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization's systems or disrupt their operations," said Andrew Regenscheid, one of the authors of BIOS Integrity Measurement (NIST Special Publication 800-155). In September, 2011, a security company discovered the first malware designed to infect the BIOS, called Mebromi.* "We believe this is an emerging threat area," said Regenscheid. These developments underscore the importance of detecting changes to the BIOS code and configurations, and why monitoring BIOS integrity is an important element of security.

SP 800-155 explains the fundamentals of BIOS integrity measurement—a way to determine if the BIOS has been modified—and how to report any changes. The publication provides detailed guidelines to hardware and software vendors that develop products that can support secure BIOS integrity measurement mechanisms. It may also be of interest to organizations that are developing deployment strategies for these technologies.

This publication is the second in a series of BIOS documents. BIOS Protection Guidelines (NIST SP 800-147) was issued in April, 2011.** It provides guidelines for computer manufacturers to build in features to secure the BIOS against unauthorized modifications. The detection mechanisms in SP 800-155 complement the protection mechanisms outlined in SP 800-147 to provide greater assurance of the security of the BIOS.

NIST requests comments on draft SP 800-155 by January 20, 2012. Copies of the publication can be downloaded from http://csrc.nist.gov/publications/drafts/800-155/draft-SP800-155_Dec2011.pdf . Please submit comments to 800-155comments[at]nist.gov with "Comment SP 800-155 in the subject line.

Explore further: 'Draw me a picture,' say scientists: Computer may respond

More information: * Information on Mebromi: www.symantec.com/security_resp… =2011-090609-4557-99
** See the May 10, 2011, Tech Beat article "Build Safety into the Very Beginning of the Computer System" at www.nist.gov/public_affairs/te… /tb20110510.cfm#bios

add to favorites email to friend print save as pdf

Related Stories

Build safety into the very beginning of the computer system

Apr 29, 2011

A new publication from the National Institute of Standards and Technology (NIST) provides guidelines to secure the earliest stages of the computer boot process. Commonly known as the Basic Input/Output System (BIOS), this ...

PC BIOS soon to be replaced by UEFI

Oct 02, 2010

(PhysOrg.com) -- The 25 year old PC BIOS will soon be replaced by UEFI (unified extensible firmware interface) that will enable PC's to boot up in a matter of seconds. In 2011 we will start seeing UEFI dominate ...

Wake-up call: Draft security pub looks at cell phones, PDAs

Jul 10, 2008

In recent years cell phones and PDAs—"Personal Digital Assistants"—have exploded in power, performance and features. They now often boast expanded memory, cameras, Global Positioning System receivers and the ability to ...

New publication offers security tips for WiMAX networks

Oct 07, 2009

Government agencies and other organizations planning to use WiMAX -- Worldwide Interoperability for Microwave Access—networks can get technical advice on improving the security of their systems from a draft computer security ...

Recommended for you

Cloud computing helps make sense of cloud forests

18 hours ago

The forests that surround Campos do Jordao are among the foggiest places on Earth. With a canopy shrouded in mist much of time, these are the renowned cloud forests of the Brazilian state of São Paulo. It is here that researchers ...

Teaching robots to see

Dec 15, 2014

Syed Saud Naqvi, a PhD student from Pakistan, is working on an algorithm to help computer programmes and robots to view static images in a way that is closer to how humans see.

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

kevinrtrs
2 / 5 (3) Dec 21, 2011
The first step would be to make the BIOS read-only, I'd imagine.
Not many people perform updates on their bios anyway and in any case manufacturers would rather have you buy a new pc than upgrade your bios firmware. Would be tough if there's a buggy version that needs to be replaced in your new PC though.
Mike_Syzygy
not rated yet Dec 21, 2011
Wouldn't having a password on your bios serve to prevent any write-access without that password being entered first?
Argiod
1 / 5 (1) Dec 21, 2011
We could make the BIOS chips read-only and do what we did back in the early days; when the BIOS has been updated, we went out and bought a new BIOS chip and replaced the old one. It was inexpensive, and secure. For better security I would not mind a few extra dollars for a new BIOS chip. It would certainly be better than the hundreds I spend on a/v software now, and I STILL GET HACKED on occasion, with viruses that turn off the a/v programs. I also like the notion of hard drives that automatically encrypt their contents in the background. I don't mind memorizing a few passwords, or keeping a list on my person.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.