A comprehensive IT security program already includes a wide range of concerns, from physical access to buildings and machines to proper user provisioning and deprovisioning to compliance reporting. Organizations also focus a great deal of attention on securing their networks and servers.
But what about endpoint protection? It’s time to broaden the security umbrella to address the increasingly important role hardware now plays in security. Specifically, the PCs, laptops, smartphones, USB devices and other devices essential to your business need protection now more than ever.
Firmware is Everywhere, and it’s Vulnerable
Firmware is a combination of software and hardware — software programmed into read-only memory. Firmware is an essential part of many computer components: USB keyboards, graphics and sound cards, web cams, and even computer batteries. However, most firmware is not designed to be secure. For example, most hardware vendors don’t cryptographically sign the firmware embedded in their systems; in fact, most devices don’t even include the authentication features required to recognize digital signatures.
Because firmware is both critical to computer function and vulnerable, it is a prime target for attackers. For example, one security researcher showed how he could hijack the batteries in Apple devices by discovering the default passwords used in their chips, enabling him to commandeer or even brick the device. Other researchers were able to hide malware called BadUSB in the firmware of USB devices that would enable them to hijack a computer, alter files or redirect a user’s internet traffic to a malicious site. Similarly, by planting BadUSB on a smartphone or another device with an internet connection, a hacker could spy on communications.
A Special Case: BIOS and UEFI
One type of firmware merits particular attention — the firmware used to perform hardware initialization during the booting process on PCs. For years, BIOS was the de facto standard; beginning with Windows 8, BIOS has been replaced by UEFI. Since the BIOS or UEFI is the first software PCs run when they are powered on, it operates below antivirus and other security products and therefore is not usually scanned by them. Attackers can plant malware that changes the actions performed by the firmware, putting the system as risk of problems ranging from data theft to bricking (the inability to boot at all). Moreover, the malware can remain live and undetected even if the computer's operating system is wiped and reinstalled.
Intel Security reports that 37 unique vulnerabilities of BIOS and UEFI firmware were publicly disclosed in the last two years, many of which affect multiple vendors. For example, a recent PCWorld article explains how several new attacks can disable the UFI security feature Secure Boot and brick a PC. Antivirus vendor McAfee reported in 2013 that the number of malware threats designed to infect a computer's master boot record (MBR) had reached a record high.
Protecting Against Hardware Attacks
Although hardware and firmware attacks can be difficult to discover and even harder to prevent, there are steps you can take to help protect your organization:
- Don’t plug untrusted USB devices into your computer. Don’t rely on a clean bill of health from your antivirus program or even your IT department; throw away any device that has touched a non-trusted computer.
- Buy hardware with built-in protections against malicious firmware changes, such as checking routines that will deny or roll back any unapproved changes.
- Upgrade all firmware to the latest version, and include firmware updates in your regular security patch management.
- Use Microsoft's BitLocker with the TPM (Trusted Platform Module) chip enabled or another drive encryption program that checks the integrity of firmware and alerts you to (or even prevents) unexpected modifications.
Protecting Your Devices with Microsoft Device Guard
With Windows 10, Microsoft offers another valuable tool for improving hardware security: Device Guard. Device Guard is a combination of hardware and software security features that can be configured to lock down a device so that it can run only trusted applications.
According to TechNet, “Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.”
Because Device Guard is walled off from the computer's hardware, it cannot be tampered with by other software, no matter how low level that software is. Even if the Windows 10 kernel is compromised, a hypervisor running beneath the kernel and Device Guard keeps Device Guard walled off, ensuring that it cannot be subverted into allowing unauthorized code to run.
To use Device Guard in your organization, you must set up your environment properly. In particular, you must have hardware certified as Device Guard-capable or Device Guard-ready; ensure your applications are digitally signed by a trusted party; and create a Code Integrity policy using tools provided by Microsoft and deploy it using a management tool such as Group Policy.
To learn more about endpoint security, register for an on-demand webcast, “12 Security Controls for Workstations,” hosted by Windows security guru and Microsoft MVP Randy Franklin Smith.