What lies beneath? - Tackling the threat of BIOS attacks

They say the best place to hide something is on the second page of Google. Cyber-criminals, though, are increasingly hiding their malware where most anti-virus cannot see it: below the operating system. So how do businesses counter this type of attack, and where else should they prioritise their protection to stay safe in an increasingly connected world? 

Cyber-criminals have always been known for moving the goalposts. As soon as we crack one specific type of attack, they move on to something else. But on the whole, we've been able to provide adequate protection to businesses by using tried and tested techniques. This usually includes a number of network- or server-level protection services that cover a multitude of cyber-sins. But there are some telling numbers that point to the fact that we have a tougher and faster evolving threat on our hands. 

Cyber-crime is now a £338 billion problem worldwide. That's a huge number, and it's showing no signs of slowing down. So even if you've managed to avoid being hit for a while, the chances are, there could be a breach on the horizon for your business. 

So, if we now have years of experience in monitoring and preventing cyber-attacks, why is the threat level increasing so quickly? Two reasons. Firstly, attack techniques are shifting in unprecedented ways, which is bringing new entrants into the market. Secondly, the sheer number of devices now in the hands of consumers and business users has CISOs scrambling to catch up. 

Back to these moving goalposts. A growing threat that concerns businesses today is the BIOS attack: tampering with the firmware that runs before the operating system does. This type of attack is particularly troublesome because it targets an often-unprotected area of computing, the area below the operating system. Even if your PC looks like Fort Knox once the operating system has booted, the firmware that runs in the seconds before it loads is frequently left unguarded, and that gap is the vulnerability. Leave the below-OS portion of the computer unprotected and the locked front door counts for little: the key is hanging outside, ready for anyone who knows where to look. 

The vulnerabilities we're talking about here are those in System Management RAM (SMRAM), System Management Mode (SMM), and the parts of the firmware that remain resident and callable after the operating system takes over (on UEFI systems, the runtime services). It is a growing attack vector because the cyber-security industry has closed off most of the traditional routes.

System Management Mode is a special processor mode whose handler code is part of the firmware. During boot, the firmware copies those handlers into System Management RAM and then sets the chipset's lock bit; from that point the memory controller refuses access to SMRAM from any code that is not running in SMM, including the operating system and even a hypervisor. The handlers stay resident for the life of the session and are entered whenever a System Management Interrupt fires. Because almost all security software sits at or above the operating system, malicious code planted in the firmware image before boot, and from there into SMM, is invisible to endpoint protection. An attacker who can replace or update the firmware with a customised version therefore gets code that runs with more privilege than the operating system, survives a reinstall and even a disk replacement, and can operate "under the radar" almost indefinitely.
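Whether the firmware and SMRAM can be tampered with from the operating system comes down to a handful of chipset lock bits, and checking them is the first thing a practitioner would do. The following is an added example, not code from the article or from HP, that audits those bits. The bit layouts are those documented in Intel's datasheets for the PCH LPC bridge BIOS_CNTL register (device 00:1f.0, offset 0xDC) and the host-bridge SMRAM control register (device 00:00.0; the offset varies by generation). On a real machine the raw bytes would be read with a tool such as chipsec or setpci; the register values used here are constructed to show a locked and an unlocked configuration.

```python
"""Audit of BIOS write-protection and SMRAM lock bits (added example, constructed values)."""
from dataclasses import dataclass

# BIOS_CNTL bit positions (Intel PCH LPC bridge, offset 0xDC)
BIOSWE  = 1 << 0   # BIOS Write Enable: 1 = SPI flash is writable
BLE     = 1 << 1   # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: flash writes allowed only while in SMM

# SMRAMC bit positions (Intel host-bridge SMRAM control register)
G_SMRAME = 1 << 3  # SMRAM enabled
D_LCK    = 1 << 4  # SMRAM register locked: D_OPEN forced to 0 and the bits become read-only
D_OPEN   = 1 << 6  # SMRAM opened to code that is not running in SMM


@dataclass
class Finding:
    check: str
    passed: bool
    detail: str


def audit_bios_cntl(bios_cntl: int) -> list[Finding]:
    """Can the SPI flash that holds the firmware be rewritten from ring 0?"""
    we, ble, bwp = bool(bios_cntl & BIOSWE), bool(bios_cntl & BLE), bool(bios_cntl & SMM_BWP)
    return [
        Finding("BIOSWE", (not we) or bwp,
                "flash writable from ring 0" if we and not bwp else "flash writes are gated"),
        Finding("BLE", ble,
                "set: changing BIOSWE raises an SMI" if ble
                else "clear: kernel code can simply set BIOSWE and write the flash"),
        Finding("SMM_BWP", bwp,
                "set: only code running in SMM may write the flash" if bwp
                else "clear: protection rests on the SMI handler winning a race with the writer"),
    ]


def audit_smramc(smramc: int) -> list[Finding]:
    """Is SMRAM enabled, closed to non-SMM code, and locked so that cannot change?"""
    enabled, locked, opened = bool(smramc & G_SMRAME), bool(smramc & D_LCK), bool(smramc & D_OPEN)
    return [
        Finding("G_SMRAME", enabled, "SMRAM enabled" if enabled else "SMRAM not enabled"),
        Finding("D_LCK", locked,
                "set: SMRAM configuration is locked" if locked
                else "clear: ring 0 can set D_OPEN and read or patch the SMM handlers"),
        Finding("D_OPEN", not opened,
                "clear: SMRAM hidden from non-SMM code" if not opened
                else "set: SMRAM currently readable and writable from the OS"),
    ]


def firmware_is_locked(bios_cntl: int, smramc: int) -> bool:
    """True only when every lock a fully protected platform is expected to set is present."""
    return all(f.passed for f in audit_bios_cntl(bios_cntl) + audit_smramc(smramc))


def report(bios_cntl: int, smramc: int) -> list[str]:
    return [f"{'PASS' if f.passed else 'FAIL'} {f.check:8} {f.detail}"
            for f in audit_bios_cntl(bios_cntl) + audit_smramc(smramc)]


if __name__ == "__main__":
    # Constructed register values: a locked platform and one open to firmware tampering.
    LOCKED = (BLE | SMM_BWP, G_SMRAME | D_LCK | 0x2)   # 0x22, 0x1A
    OPEN   = (BIOSWE,        G_SMRAME | 0x2)           # 0x01, 0x0A
    for name, (bc, sc) in {"locked": LOCKED, "open": OPEN}.items():
        print(f"--- {name}: BIOS_CNTL=0x{bc:02x} SMRAMC=0x{sc:02x} "
              f"-> {'OK' if firmware_is_locked(bc, sc) else 'EXPOSED'}")
        print("\n".join(report(bc, sc)))
```

The audit deliberately treats BLE without SMM_BWP as a failure: with BLE alone a flash write still has to be vetoed by the SMI handler after the fact, which is a weaker guarantee than refusing every write that does not originate in SMM. Tools such as chipsec bundle equivalent checks (for example its `common.bios_wp` and `common.smm` modules) and read the live registers for you.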

In terms of protecting against this type of attack, the advice to 'secure below the operating system' does not capture the full scale of what is needed. It is true that too many businesses do too little to detect threats in this vital area, but to truly conquer the problem, endpoints should also be able to self-heal. Removing the need for a human to notice and respond makes for a more reliable solution, one that is quick and happens automatically. It's an approach that at HP we call cyber-resilience. 

We secure our devices using a solution called HP Sure Start. It keeps a "gold master" copy of the BIOS, stored encrypted on the device itself and out of reach of the operating system. If an attacker tampers with the BIOS, the machine detects the change, reboots itself, restores the verified "gold master", discards the tampered image, and alerts the IT team to the attack. The HP machine has healed itself.
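The detect, restore and alert loop described above can be shown in a few lines, and doing so also makes clear why the reference copy has to live somewhere the operating system cannot write. What follows is an added simulation, not HP's Sure Start code: the "gold master" image and its digest are held in a separate object that the simulated attacker cannot reach (on a real device that isolation comes from hardware), while the active image and any metadata stored next to it are writable. The firmware image, the implant and the digests are all constructed for illustration.

```python
"""Simulated self-healing firmware: verify the active image against an isolated golden copy
and restore it on mismatch (added example, constructed data)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed 4 KiB stand-in for a firmware image.
GOLDEN_IMAGE = bytes(range(256)) * 16


class WritableFlash:
    """Everything ring-0 code, and therefore malware, can rewrite: the active image and
    any metadata that a naive design stores right beside it."""

    def __init__(self, image: bytes):
        self.image = bytearray(image)
        self.digest = sha256(image)   # naive designs keep the reference digest here


class ResilientFirmware:
    """Golden copy and digest live outside WritableFlash; here that is just another object,
    on a real device it is memory only an isolated controller can write."""

    def __init__(self, image: bytes):
        self.flash = WritableFlash(image)
        self._golden = bytes(image)
        self._golden_digest = sha256(image)
        self.events: list[dict] = []

    def naive_verify(self) -> bool:
        """Compares against the digest stored in writable flash: fooled by an attacker
        who rewrites both image and digest."""
        return sha256(self.flash.image) == self.flash.digest

    def verify(self) -> bool:
        """Compares against the isolated reference digest."""
        return sha256(self.flash.image) == self._golden_digest

    def boot(self) -> str:
        """One boot cycle: verify, and if tampered, record an event and restore the golden copy."""
        if self.verify():
            return "booted"
        self.events.append({
            "event": "firmware_tamper",
            "observed": sha256(self.flash.image),
            "expected": self._golden_digest,
        })
        self.flash.image[:] = self._golden
        self.flash.digest = self._golden_digest
        return "restored"


def implant(flash: WritableFlash, offset: int, payload: bytes) -> None:
    """Simulated attacker: patch the active image and re-seal the writable metadata."""
    flash.image[offset:offset + len(payload)] = payload
    flash.digest = sha256(flash.image)


if __name__ == "__main__":
    fw = ResilientFirmware(GOLDEN_IMAGE)
    print("first boot:", fw.boot())
    implant(fw.flash, 0x100, b"SMM implant")
    print("naive check after implant:", fw.naive_verify())   # True: attacker re-sealed it
    print("isolated check after implant:", fw.verify())      # False
    print("next boot:", fw.boot(), "| events:", len(fw.events))
    print("image restored:", bytes(fw.flash.image) == GOLDEN_IMAGE)
```

The point of the contrast between `naive_verify` and `verify` is that a digest or signature only protects the firmware if the attacker cannot rewrite the reference alongside the image; the alert record in `events` is what would be forwarded to the IT team's existing monitoring.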

But it's not just the growing threat of BIOS attacks that businesses need to concern themselves with. At the dawn of the internet of things, fileless malware and other memory-level attacks give the cyber-criminal another way into and out of organisations. A "no hard disks" policy is futile in the face of this threat: the malware simply needs memory and a microprocessor. An unmonitored or unprotected printer, for example, is an ideal hiding place for memory-resident malware, and a fleet of such printers is a large attack platform sitting inside your organisation.

Therefore it's key that companies look for PCs and printers with built-in technology that protects against, detects, and recovers the device from such memory-level attacks, and that reports these blocked attempts through the monitoring systems the organisation already runs.

It's important then that a security stack covers every attack vector – below the OS, in the OS and above the OS. And security needs to cover all three dimensions of our digital world - the device, the data and the identity of the user. 

Now, more than ever, companies should be vigilant about every access point, not just the traditional routes. Crooks are going off the beaten track, and they're taking an army of have-a-go hackers with them, who buy hacking services online for next to nothing. We have to follow them, be prepared to react, and put measures in place so that devices and networks become more intelligent and resolve problems on their own. 

Contributed by Paul McKiernan HP Print Security, Lead Adviser, EMEA

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.