Protecting computers at start-up: New NIST guidelines

December 21, 2011

A new draft computer security publication from the National Institute of Standards and Technology (NIST) provides guidance for vendors and security professionals working to protect personal computers as they start up.

The first software that runs when a computer is turned on is the "Basic Input/Output System" (BIOS). This fundamental system software initializes the hardware before the operating system starts. Because the BIOS works at such a low level, before other security protections are in place, unauthorized changes to it--malicious or accidental--can pose a significant security threat.

"Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization's systems or disrupt their operations," said Andrew Regenscheid, one of the authors of BIOS Integrity Measurement Guidelines (NIST Special Publication 800-155). In September, 2011, a security company discovered the first malware designed to infect the BIOS, called Mebromi.* "We believe this is an emerging threat area," said Regenscheid. These developments underscore the importance of detecting changes to the BIOS code and configurations, and why monitoring BIOS integrity is an important element of security.

SP 800-155 explains the fundamentals of BIOS integrity measurement--a way to determine if the BIOS has been modified--and how to report any changes. The publication provides detailed guidelines to hardware and software vendors that develop products that can support secure BIOS integrity measurement mechanisms. It may also be of interest to organizations that are developing deployment strategies for these technologies.

This publication is the second in a series of BIOS documents. BIOS Protection Guidelines (NIST SP 800-147) was issued in April, 2011.** It provides guidelines for computer manufacturers to build in features to secure the BIOS against unauthorized modifications. The detection mechanisms in SP 800-155 complement the protection mechanisms outlined in SP 800-147 to provide greater assurance of the security of the BIOS.

NIST requests comments on draft SP 800-155 by January 20, 2012. Copies of the publication can be downloaded from http://csrc.nist.gov/publications/drafts/800-155/draft-SP800-155_Dec2011.pdf.

Please submit comments to 800-155comments@nist.gov with "Comment SP 800-155" in the subject line.

* Information on Mebromi: http://www.symantec.com/security_response/writeup.jsp?docid=2011-090609-4557-99

** See the May 10, 2011, Tech Beat article "Build Safety into the Very Beginning of the Computer System" at http://www.nist.gov/public_affairs/tech-beat/tb20110510.cfm#bios.

National Institute of Standards and Technology (NIST)
