Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

NIST Protects BIOS With New Security Guidelines

The standards body provides ways to detect changes to the code or configuration of a PC's startup system.

Government Innovators
Slideshow: Government Innovators
(clickimage for larger view and for full slideshow)
The organization that sets federal technology standards has provided new security guidelines for protecting the system that starts up PCs.

The National Institute for Standards and Technology (NIST) is accepting comments on new guidelines to lock down a computer's Basic Input/Output System (BIOS), which--because it is a very basic, low-level function--can cause a significant security threat if unauthorized changes are made to it, according to NIST.

The document, BIOS Integrity Measurement Guidelines, provides “integrity measurement mechanisms” that have two aims, according to NIST. One is to detect changes to the BIOS code that could allow malicious software to run during a PC's boot process, and the other is to detect changes to the configuration of the system.

The document provides several use-case scenarios associated with BIOS functions that inform the security recommendations presented in the document.

The uses cases include installing and/or verifying the correct BIOS revision for a given client; imaging the BIOS with appropriate settings; setting BIOS passwords; asserting security controls requiring physical presence, including a PC's Trusted Platform Module; and registering the endpoint identity and integrity metrics in the pertinent IT databases, according to the document.

[The National Institute for Standards and Technology also has been busy building a cloud roadmap for government. See NIST Releases Federal Cloud Roadmap, Architecture.]

The guidelines--the second in a series aimed at locking down a PC's startup system--are aimed at hardware and software vendors developing products to support BIOS integrity measurement mechanisms, as well as organizations developing these types of security technologies, according to NIST.

The standards organization published the first in its series of BIOS security guidelines in April. That document, BIOS Protection Guidelines, provided ways for computer manufacturers to build security features directly into the BIOS to prevent unauthorized modifications.

Those interested have until Jan. 20, 2012 to comment on the most recent BIOS guidelines, NIST said.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19631
PUBLISHED: 2020-01-24
An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. A read-only user can ac...
CVE-2020-5219
PUBLISHED: 2020-01-24
Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the appli...
CVE-2019-18900
PUBLISHED: 2020-01-24
: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions p...
CVE-2020-7226
PUBLISHED: 2020-01-24
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data...
CVE-2012-6302
PUBLISHED: 2020-01-24
Soapbox through 0.3.1: Sandbox bypass - runs a second instance of Soapbox within a sandboxed Soapbox.