This year’s pandemic has cast a harsh light on the difficulty of securing endpoints, particularly those that aren’t connected to the corporate network. Working without the insulation of the corporate firewall limits IT’s ability to audit and control devices at the granular level needed, in many cases leaving it to users to secure their own desktops.
Users who don’t have their ear to the ground about the latest developments in cybersecurity may be lulled into believing that the anti-malware technology that comes bundled into their PCs is sufficient protection. But there are threats that even advanced software defense techniques, like isolating processes in virtual machines, can’t detect, much less combat.
More Than Software
That’s because not all security threats are in software. The past two years have seen a surge of attacks on the Basic Input/Output System (BIOS) and its successor, the Unified Extensible Firmware Interface (UEFI), which are part of every device. The BIOS contains instructions about the basic hardware functions of the computer, such as where to boot the operating system from and what clock speed to use, as well as numerous low-level functions that enable smooth operation. Both BIOS and UEFI are embedded in firmware that is physically attached to the motherboard. Changes at that level can’t be detected by software; they must be monitored by other hardware components.
An attacker who compromises the BIOS or UEFI can do all sorts of damage, including disabling secure booting, wiping out data, installing backdoor security holes and holding the machine hostage for ransom. With 300 settings in the typical BIOS, there are plenty of options for creating chaos.
Ironically, one of the reasons BIOS attacks are surging today is a measure PC makers took several years back to improve security. BIOS instructions used to be immutably coded into hardware at the factory, but that created barriers to applying security patches and other updates. In recent years, PC makers have shifted to an updatable BIOS held in firmware or flash memory, making it easier to patch but also easier to compromise.
BIOS attacks are nasty because they’re extremely difficult to detect and almost impossible to remediate. In some cases, the only solution is to physically remove the affected chips from the motherboard.
Three Levels of Additional Protection
Intel’s vPro® platform processors provide security at three levels that complement software-based protections.
Intel® Hardware Shield helps to prevent BIOS attacks. Each vPro platform-based system ships with an image of the factory BIOS in a location where it can’t be reached by the operating system. Upon boot, Hardware Shield checks the status of the BIOS and compares it with the secure image, verifying the serial number and installed components. If an anomaly is detected, the boot sequence is halted and the user is alerted to the problem. Hardware Shield can’t prevent the BIOS from being changed, but it can prevent an annoyance from becoming a catastrophe.
Accelerated Memory Scanning (AMS) is an extra layer of protection on top of the encryption Intel automatically applies to data in memory. Built upon a machine learning base, AMS resides not on the CPU but on a graphics processing unit (GPU), thereby minimizing the impact on performance. Deep learning algorithms observe and quickly learn the memory characteristics of the computer and then continually apply heuristics to look for abnormal activity. Offloading scanning to a GPU also all but eliminates the possibility that an attacker could alter instructions on the CPU to hide the tampering from scanning software running on that same CPU.
A third level of protection isn’t about protecting the computer in the customer’s location but rather at every stage prior to that. The early days of the COVID-19 pandemic highlighted many industries’ lack of visibility into their supply chains. That’s a security risk because bad actors who can insert themselves into any part of the chain, including subcomponent assembly and transportation, can potentially compromise the product.
Intel’s Transparent Supply Chain is a set of tools, policies and procedures implemented at the factory-floor level by PC and server makers to enable enterprises to verify the authenticity and firmware version of systems and their components. It includes a digitally signed statement of conformance attesting to the authenticity of every platform; certificates linked to the discrete Trusted Platform Module encryption hardware for system-level traceability; and component-level traceability of all integrated components, including processor, storage, memory and add-in cards. Lenovo has already signed on to the initiative and others are expected to soon follow.
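To make the boot-time check described under Hardware Shield and the signed conformance statement described here concrete, the following is an added illustrative example (not Intel’s, Lenovo’s or any OEM’s code). It assumes a factory-signed manifest carrying a reference firmware hash and expected component serial numbers; the signature is stood in by HMAC-SHA256 with a shared key, whereas a real scheme would use an asymmetric signature and a TPM-bound certificate, and all sample values are constructed.

```python
"""Illustrative platform integrity check against a signed factory manifest.

Assumptions (not from the page): HMAC-SHA256 stands in for the OEM's
digital signature, and the sample firmware bytes and serial numbers are
constructed for this example only.
"""
import hashlib
import hmac
import json

FACTORY_KEY = b"example-factory-signing-key"          # constructed
FACTORY_FIRMWARE = b"constructed factory BIOS image v1.0"  # constructed


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Factory side: bind the reference values to a signature (HMAC stand-in)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_platform(signed: dict, key: bytes, firmware: bytes, inventory: dict) -> list:
    """Boot side: return a list of findings; an empty list means boot may proceed."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected_sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    # If the reference itself is not authentic, nothing below can be trusted.
    if not hmac.compare_digest(expected_sig, signed["sig"]):
        return ["manifest signature invalid: reference values cannot be trusted"]
    m = signed["manifest"]
    findings = []
    if hashlib.sha256(firmware).hexdigest() != m["firmware_sha256"]:
        findings.append("firmware image does not match factory reference")
    for name, serial in m["components"].items():   # component-level traceability
        seen = inventory.get(name)
        if seen is None:
            findings.append(f"component missing: {name}")
        elif seen != serial:
            findings.append(f"component {name} serial mismatch: expected {serial}, saw {seen}")
    for name in sorted(inventory.keys() - m["components"].keys()):
        findings.append(f"unexpected component present: {name}")
    return findings


def boot_decision(findings: list) -> str:
    """Halt and alert on any finding, mirroring the behaviour the text describes."""
    return "halt and alert" if findings else "continue boot"


SAMPLE_MANIFEST = {
    "firmware_sha256": hashlib.sha256(FACTORY_FIRMWARE).hexdigest(),
    "components": {"cpu": "CPU-SN-0001", "ssd": "SSD-SN-7788"},  # constructed serials
}
SIGNED = sign_manifest(SAMPLE_MANIFEST, FACTORY_KEY)

if __name__ == "__main__":
    clean = verify_platform(SIGNED, FACTORY_KEY, FACTORY_FIRMWARE, dict(SAMPLE_MANIFEST["components"]))
    tampered = verify_platform(SIGNED, FACTORY_KEY, FACTORY_FIRMWARE + b"\x90",
                               {"cpu": "CPU-SN-0001", "ssd": "SSD-SN-9999"})
    print(boot_decision(clean), "|", boot_decision(tampered), tampered)
```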
Craftier foes demand innovative defenses. Even the best malware detection software can’t detect all attacks that target underlying hardware. Choosing a solution like the Intel vPro platform fights fire with fire.