New BIOS security standards aimed at fighting rootkit attacks

NIST sets new security guidelines for updating firmware

There's a growing threat of attacks on computer basic input/output system (BIOS) firmware, and to deter it, the National Institute of Standards and Technology (NIST) is putting in place new security guidelines for updating the BIOS. And in doing this, NIST is getting high-tech manufacturing to raise the bar on security.

"Last September, the first BIOS-based rootkit in the wild was discovered, called Mebromi," notes Andrew Regenscheid, math researcher and project leader in NIST's computer security division. While criminals creating malware have spent far more time over the years targeting Windows applications and operating systems (OS), the potential for wreaking serious havoc by subverting the BIOS, which typically works to do jobs such as load the OS, is of growing concern.

IN THE NEWS: New NIST encryption guidelines may force fed agencies to replace old websites

So through new security guidelines that will influence what computers the federal government buys in the future, NIST is setting standards that require authentication of BIOS update mechanisms.

Just this week NIST put out for public comment its proposed federal standard, "BIOS Protection Guidelines for Servers," with comment sought through mid-September. The intent is to stop any cyberattack related to "unauthorized modification of BIOS firmware by malicious software."

The NIST document basically says government buyers of servers in the future -- whether these are basic servers, managed servers or blade servers -- will be checking to see if gear they are thinking of getting has any way to "authenticate BIOS update mechanism," "secure local update mechanisms," and if there's "firmware integrity protection" and "non-bypassability features."

Encryption-based digital signatures and public-key certificates, among other techniques, are viewed as means of creating these security controls, but NIST isn't dictating specific processes, according to Regenscheid.

He says the concern is that manufacturers haven't uniformly applied strong security controls over BIOS in the past. This may be because BIOS updates tend to occur far less often than other kinds of computer software updates. But with the malware threat growing, it's time to focus on the BIOS, Regenscheid points out.

NIST already issued BIOS security standards for desktops and laptops in April 2011, and the Department of Homeland Security has told federal agencies to use them as a basis for purchasing laptops and desktops, starting this October. The U.S. Department of Defense has issued similar instructions, says Regenscheid. Manufacturers are aware of NIST's direction in all this and are responding. "Microsoft Windows 8 has BIOS protection for the desktop," he points out.

Security for server BIOS may be more complicated and call for support from OEM manufacturers such as Dell, HP and Lenovo. "We're proposing a tightly controlled update process," says Regenscheid. Proposed standards from NIST typically are approved and take effect within six months.

At that point, the "BIOS Protection Guidelines for Servers" will be a federal standard that is likely to also impact what the government acquires, just as the client BIOS security standard did. One question: Since the federal government is increasingly involved in buying cloud-based services, should cloud providers be asked to support secure BIOS? Regenscheid says that's something that surely will be brought up in discussions by people in government who write procurement requirements.

Another question is whether NIST will address this BIOS issue in regard to newer mobile devices, such as tablets from Apple or Google manufacturers, that the federal government is increasingly interested in using. Regenscheid acknowledges NIST is taking a hard look at this, as well as planning several new security standards related to mobile that will be unveiled in the course of the next year.

But NIST isn't tackling these issues by directly changing Android code, for example. Instead, NIST is quietly communicating the federal government's ideas directly to the high-tech manufacturers in the mobile world. "We're reaching out to Google and Apple and Microsoft and talking to them about features we'd like to see," says Regenscheid.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place