The National Institute of Standards and Technology (NIST) has just released a new draft computer security publication that provides guidance for vendors and security professionals working to protect personal computers as they start up. Computer security is becoming a growing priority around the world as “hacktivist” groups like Anonymous become ever more persistent in their hacking campaigns.
The first software that runs when your computer boots is the “Basic Input/Output System” (BIOS). It is fundamental system software that initializes the hardware before your chosen operating system starts. Because the BIOS works at an extremely low level, it can pose a significant threat to your computer’s security.
According to Andrew Regenscheid, one of the authors of BIOS Integrity Measurement Guidelines (NIST Special Publication 800-155), “Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. We believe this is an emerging threat area and that these developments underscore the importance of detecting changes to the BIOS code and configurations, and why monitoring BIOS integrity is an important element of security.”
BIOS Integrity Measurement Guidelines is the second publication in a series of BIOS documents from NIST. BIOS Protection Guidelines (NIST Special Publication 800-147) was released back in April of 2011 and provides guidelines for computer manufacturers to build in features to secure the BIOS against unauthorized modifications.
The detection mechanisms in BIOS Integrity Measurement Guidelines complement the protection mechanisms outlined in BIOS Protection Guidelines in order to provide greater assurance of the security of the BIOS. Threats to components like the BIOS are easy to overlook, as many people don’t recognize the BIOS as being vulnerable. BIOS Integrity Measurement Guidelines from NIST should help, though.
Source: EurekAlert – Protecting computers at start-up: New NIST guidelines