Security first: New NIST guidelines on securing BIOS for servers

Aug 22, 2012

The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems in server computers. BIOS (Basic Input/Output System) is the first major software that runs when a computer starts up. Both obscure and fundamental, the BIOS has become a target for hackers.

Server manufacturers routinely update the BIOS to fix bugs, patch vulnerabilities or support new hardware. However, while authorized updates to the BIOS can improve functionality or security, unauthorized or malicious changes could be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization's systems or disrupt its operations. BIOS attacks are an emerging threat area. In September 2011, a security company discovered the first malware designed to infect the BIOS, called Mebromi.*

An important mechanism for protecting the BIOS in servers is to secure the BIOS update process, guarding against unauthorized BIOS updates. NIST's 2011 publication on BIOS security** provided instructions for protecting the BIOS in desktops and laptops. The guidelines focused on the core principles of authenticating updates using digital signatures, BIOS integrity protection and "non-bypassability" features that ensure that no mechanism can circumvent the BIOS protections.
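The signed-update principle in the paragraph above, as an added example that is not code from NIST or from the draft publication: a constructed Go model of an authenticated BIOS update, in which the update mechanism accepts an image only when its Ed25519 signature verifies under the vendor's pinned public key. UpdateImage, SignUpdate and VerifyUpdate are hypothetical names, and the version check is an added illustration of rollback protection rather than a requirement quoted from this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed, simplified BIOS update package: a version
// number, the firmware payload, and the vendor's signature over both.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}
// signedDigest binds version and payload so neither can be altered alone.
func signedDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, version) // writes to a hash cannot fail
	h.Write(payload)
	return h.Sum(nil)
}
// SignUpdate models what the vendor does at release time (hypothetical name).
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	sig := ed25519.Sign(priv, signedDigest(version, payload))
	return UpdateImage{Version: version, Payload: payload, Signature: sig}
}
// VerifyUpdate is the check a protected update mechanism performs before touching
// flash: a valid signature under the pinned vendor key, and no rollback (added illustration).
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, img UpdateImage) error {
	if !ed25519.Verify(vendorPub, signedDigest(img.Version, img.Payload), img.Signature) {
		return errors.New("rejected: signature does not verify under the vendor key")
	}
	if img.Version < installed {
		return errors.New("rejected: image is older than the installed BIOS")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair, constructed here
	good := SignUpdate(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("genuine image:", VerifyUpdate(pub, 1, good))
	good.Payload[len(good.Payload)-1] = 'X' // one byte changed after signing
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, good))
}
```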

BIOS Protection Guidelines for Servers addresses BIOS security in the varied architectures used by servers. "While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS," says author Andrew Regenscheid. In addition, many servers contain service processors that perform a variety of management functions that may include BIOS updates, and this document provides additional security guidelines for service processors.

Servers require more flexibility, according to Regenscheid, because in addition to having different architectures, they are almost always managed remotely. BIOS Protection Guidelines for Servers is written for server developers and information system security professionals responsible for server security, secure boot processes and hardware modules. The draft publication, BIOS Protection Guidelines for Servers (NIST Special Publication 800-147B), is available at http://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdf.

More information: NIST requests comments on this draft by Sept. 14, 2012. Please email all comments to 800-147comments@nist.gov.

* Information on Mebromi: www.symantec.com/security_resp… =2011-090609-4557-99
** D.A. Cooper, W.T. Polk, A.R. Regenscheid and M.P. Souppaya. BIOS Protection Guidelines (NIST SP 800-147) is available at www.nist.gov/manuscript-public… ch.cfm?pub_id=908423
