Intel and PC makers offer a number of ways to protect the computer BIOS, but all of these protections reside within the computer itself. Now Dell is offering a way to protect the BIOS from attacks by verifying it without relying on the integrity of the PC.
Dell's BIOS verification method involves comparing the BIOS image against the official hash generated and stored on Dell's servers. By conducting the test in Dell's cloud, and not in the device itself, Dell promises greater assurance that the postboot image is not compromised.
The BIOS verification technology "gives IT the assurance that employees' systems are secure every time they use the device," said Brett Hansen, executive director of data security solutions at Dell.
The new functionality is available for commercial PCs with a 6th-generation Intel chip set and a Dell Data Protection | Endpoint Security Suite Enterprise license, which includes Latitude, Dell Precision, OptiPlex, and XPS PCs. The technology would also be available for Dell Venue Pro tablets.
Attacks against the BIOS are typically hard to detect because they execute before the operating system and other security software loads. Dell is not the first to try to protect the BIOS from malicious code. HP, for example, includes secure boot tools in its line of business PCs.
On the processor side, Intel has baked a number of security features in its latest chip sets. Intel Platform Protection Technology with BIOS Guard offers hardware-assisted authentication and protection against BIOS recovery attacks, and Intel Platform Protection Technology with Boot Guard uses authenticated code module-based secure boot to verify that the BIOS is known and trusted before letting the machine boot. Intel's system management tools let administrators remotely start a PC, fix the boot layer, and shut down the PC again.
Microsoft offers SecureBoot in Windows, which uses the Trusted Platform Module to check the signature of each piece of boot software, including firmware drivers and the operating system, before letting the PC boot.
The idea is to prevent malware from loading onto the PC. Dell takes a different approach from other companies as it removes the local host from the verification process entirely, said Hansen. The hashing and comparison of the BIOS against a trusted image is not performed in real time and does not rely on a copy of the BIOS stored locally. Instead, Dell computers with the Endpoint Suite and the BIOS verification technology will compare the SHA256 hash of the BIOS against the known good version created by Dell and stored on the servers belonging to Dell BIOS Lab. If there is an issue, Dell alerts the IT administrator.
Unlike SecureBoot, Dell's BIOS verification technology does not actually stop the device from booting, nor does it alert the user. Instead of interfering with the device operation or the user, Dell's technology notifies administrators of the issue and leaves it up to IT on what to do next.
Many enterprises focus their efforts to detect and protect against advanced persistent threats and other targeted attacks on the network layer, but that doesn't mean the endpoint doesn't need its own defenses. A defense-in-depth approach means having multiple layers of protection in place to detect attacks like spear phishing and ransomware. Dell has focused its latest efforts on beefing up the built-in protections available on its business PCs.
For example, Dell integrated Cylance's artificial intelligence and machine learning technology into Dell Data Protection | Endpoint Security Suite back in November to protect PCs from code execution attacks as part of advanced persistent threats and malware and ransomware infections. Since Cylance's technology relies on machine learning to identify attack code, it can detect both targeted and zero-day attacks. Dell Data Protection | Endpoint Security Suite gives IT a single source to manage comprehensive encryption, advanced authentication, and malware protection.
BIOS attacks are still not as widespread as other types of attacks, but it makes sense for endpoint security solutions to include the hardware alongside the software.