Solution Briefs

NIST Compliance

October 28, 2019
Eclypsium defending the foundation of the enterprise introduction

Download the PDF >

INTRODUCTION

Firmware security is a key element of multiple important NIST documents, including SP 800-37 (the Risk Management Framework), SP 800-53 (Security and Privacy Controls), SP 800-147 (BIOS Protection Guidelines), 800-155 (BIOS Integrity Measurement) and 800-193 (Platform Resiliency Guidelines). At a high level, SP 800-37 establishes a lifecycle approach that guides the creation and ongoing administration of a security program. SP 800-53 then provides additional details on the types of controls that may be implemented and considerations for each. Both documents identify firmware as a critical part of the security program and consistently use the phrase “hardware, software, and firmware” when describing the components of technology and devices to be protected. In this brief we outline the NIST requirements that pertain to firmware security and provide guidance for organizations seeking to achieve compliance with these standards. 

UNDERSTANDING THE FIRMWARE ATTACK SURFACE

Eclypsium Guidance and Considerations: Perform an initial firmware vulnerability assessment of critical devices or assets. Eclypsium can automate the analysis of devices assessing risk and integrity. Firmware analysis should include system-level firmware such as BIOS or UEFI, but should also extend to firmware of hardware components within the system such as drives, processors, and network adapters. 

Scans should be able to identify the following:

Systems with out of date

Systems with firmware vulnerabilities

Systems with missing hardware protections

UNDERSTANDING DEVICE RISK AND IMPACT OF THREATS

Eclypsium Guidance and Considerations: Organizations may want to consider the impact of firmware-based threats to the following high-value devices during the categorization phase: 

High-Value Laptops: While all devices are potentially subject to attacks on their firmware, laptops are exposed more often than other assets. An attacker with physical access to a device can compromise the firmware in 5 minutes. Thus organizations may want to consider firmware security controls for devices that carry high-value information and/or travel to untrusted environments.


Critical Servers: Firmware provides an ideal path to both steal data or deny access to it altogether. This is particularly true of high-value servers. With the complexity and quantity of components (baseboard management controllers, network cards, system firmware, etc.) securing servers that have high privilege and contain critical assets, can be unmanageable.


Networking and Security Gear: Recent large-scale Russian attacks have shown that networking gear presents a particularly powerful prize for attackers. By subverting the network infrastructure, attackers could easily read, manipulate, or even redirect content on the network. Likewise the very network controls charged with securing the network could be targets of attack.

ControlReferenceEclypsium Recommendation
SI—System and Information IntegritySI-2 Flaw RemediationSI-4 Information System MonitoringSI-7 Software, Firmware, and Information IntegrityIn-the-wild implants (eg. HackingTeam, Lojax)Confirm firmware integrityIdentify insecure firmware and apply updatesEnsure that all firmware updates are cryptographically signed and that devices require any firmware updates to be signedMonitor devices for signs of malicious firmware behaviorAnalyze systems to ensure the integrity of the boot process and boot firmwareDetect firmware threats such as implants, backdoors, and rootkits
SA—System and Services AcquisitionSA-12 Supply Chain ProtectionSA-19 Component AuthenticitySupply chain interdictionsEvaluate prospective technology for firmware security and avoid products that can be easily modified at the firmware levelCheck all newly acquired devices to confirm the integrity of the firmwareMonitor devices for signs of malicious firmware behavior
CM—Configuration ManagementCM-2 Baseline ConfigurationCM-5 Access Restrictions for ChangeCM-7 Least FunctionalitySecure ConfigurationPLATINUM malware campaignRecord expected configuration and behavior of device firmware and hardwareActivate firmware and hardware security featuresAnalyze critical devices to ensure unnecessary features are disabled, particularly remote management interfaces that are not used
AC—Access ControlAC-6 Least PrivilegeFirmware Storage VulnerabilitiesEnsure any unnecessary debug functionality is not enabledEnsure firmware storage is properly protected
RA—Risk AssessmentRA-5 Vulnerability ScanningFirmware and hardware vulnerabilities (eg. Speculative execution side-channels, vulnerable firmware storage, insecure SMM code)Prioritize the analysis and monitoring of firmware and hardware vulnerabilitiesRegular scans should be able to identifySystems with out of date firmwareSystems with firmware vulnerabilitiesSystems with missing protections
IR—Incident ResponseIR-4 Incident HandlingIR-10 Security Analysis TeamAttackers using firmware implants to persist across system re-imaging.Perform firmware scans of devices related to incident to track scopeVerify integrity of firmware of all affected hosts during system recoveryArm staff with tools to assist in forensic analysis of firmware-based threats
MA—MaintenanceMA-3 Maintenance ToolsBMC, IPMI, and Intel AMT as potential attack vectorsMonitor management interfaces for vulnerabilities or signs of compromiseScan management resources for vulnerabilitiesOnly enable remote management tools for devices that have an operational need

CONCLUSION

This document highlights some of the areas where firmware security can play an important role in NIST compliance. Firmware security may have been overlooked in the past but with our work and others in the industry, this is changing. If you have any questions or concerns related to topics in this document, please contact the Eclypsium team at [email protected].

Back to Blog
Related Blogs
View all
Solution Briefs

Eclypsium Supply Chain Security for Government Agencies

Read more
Solution Briefs

Eclypsium Supply Chain Security for Enterprise Infrastructure

Read more
Zero Trust for Devices Establishing Chip Level Trust in Enterprise Endpoints
Solution Briefs

Zero Trust For Devices: Establishing Chip-Level Trust in Enterprise Endpoints

Read more
Solution Briefs

Zero Trust For Devices: Establishing Chip-Level Trust in Federal Agencies

Read more
© 2023 Eclypsium, Inc.