Posts Tagged ‘threat’

Don’t Forget the BIOS!

Friday, September 19th, 2008

Jeff McGough, Damballa’s VP of Operations, gave some sage advice in his post titled, “So you have a compromised asset….” His claim, “Nothing about this asset can be trusted,” may be more of a mouthful than even he realizes. Damballa has seen first-hand that some forms of malware will attack and compromise a computer’s Basic Input/Output System (BIOS). A comprehensive incident response program should include mandatory BIOS reinstall from a known good BIOS image for all compromised systems.

I’m going to go a step further and say something that may make you think I’m off my rocker entirely: for the ultra-paranoid tin-foil hat types, you really should consider complete physical destruction of the entire system. I’ve heard that in certain government agencies, this actually is their policy.

Insanity you say? Perhaps, but consider the following:

  • There have been cases of large batches of hard drives manufactured overseas being shipped with compromising malware pre-installed on them (http://blogs.zdnet.com/hardware/?p=928). In this case, it wasn’t compromised firmware, but incidents like this clearly illustrate a quality assurance failure that opens the door for compromise at every link in the supply chain.
  • Users with (and often without) local administrator rights can download and apply firmware updates for dozens of system components, including wired and wireless networking, audio, and video cards. If local users have this level of access, attackers with access to a compromised operating system have had the opportunity as well.

As Jeff says, truly nothing about the asset can be trusted.

Comprehensive enterprise security programs need to cover the entire asset lifecycle from acquisition through disposal. They also need to include participation from all levels of the supply chain. If you aren’t sure you have clean BIOS and firmware images for all system components, press your vendors to provide them to you for independent verification and your use in internal system preparation.

If installation of these images isn’t part of your acquisition process, you are already at risk. If reinstallation of these clean images isn’t part of your incident response host remediation process, your process is incomplete.

As Jeff noted, enterprises that take compromise response programs seriously are probably best off in the long run by developing highly efficient processes for complete system re-imaging. Unfortunately, that means the BIOS and firmware too.

If you have performed a business case assessment of the cost of a scalable re-imaging program versus manual processes for forensic response, we’d love to hear your thoughts.

- Tripp Cox, Damballa VP of Engineering
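The post asks for clean BIOS and firmware images you can verify independently and reinstall at acquisition and after a compromise. A small verifier is the piece that makes "independent verification" concrete: hash every image on hand, compare against a manifest of known-good digests, and refuse to proceed on any mismatch or missing image. The following is an added example written for this page, not Damballa's code or any vendor's tool; the manifest format (`<component> <sha256 hex> <file name>`), the component names and the image contents are all constructed for illustration.

```python
"""Verify BIOS/firmware images against a manifest of known-good SHA-256 digests.

Added example for the post above. The manifest format, component names and
image bytes are constructed assumptions, not any vendor's real format or data.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<component> <sha256 hex> <file name>' lines; '#' starts a comment.

    Returns {component: (digest, file name)}. Malformed lines raise ValueError so a
    damaged manifest fails loudly instead of silently verifying nothing.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"manifest line {lineno}: expected 3 fields, got {len(parts)}")
        component, digest, filename = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad sha256 for {component}")
        entries[component] = (digest, filename)
    return entries


def verify_images(manifest, image_dir):
    """Return {component: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for component, (expected, filename) in manifest.items():
        path = Path(image_dir) / filename
        if not path.is_file():
            results[component] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest is a constant-time comparison; cheap enough to use everywhere.
        results[component] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def all_verified(results):
    """True only if the manifest was non-empty and every image matched."""
    return bool(results) and all(status == "ok" for status in results.values())


def build_manifest(components):
    """Emit manifest text from {component: path}.

    This is what your golden-image process (or a vendor) produces once, at
    acquisition, so the same images can be re-verified before every reinstall.
    """
    lines = ["# component sha256 file"]
    for component, path in components.items():
        p = Path(path)
        lines.append(f"{component} {sha256_file(p)} {p.name}")
    return "\n".join(lines) + "\n"


def demo():
    """Build a manifest from constructed images, verify, tamper with one, verify again.

    Returns (results_before_tamper, results_after_tamper).
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        bios = d / "bios_v1.02.rom"          # constructed file name
        nic = d / "nic_fw_3.4.bin"           # constructed file name
        bios.write_bytes(b"\xffCONSTRUCTED BIOS IMAGE\x00" * 16)
        nic.write_bytes(b"CONSTRUCTED NIC FIRMWARE" * 8)
        manifest = parse_manifest(build_manifest({"bios": bios, "nic_fw": nic}))
        clean = verify_images(manifest, d)
        bios.write_bytes(b"tampered")        # simulate a modified image on disk
        tampered = verify_images(manifest, d)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before, "verified:", all_verified(before))
    print("after: ", after, "verified:", all_verified(after))
```

The manifest itself is only as trustworthy as the channel it arrived over, so obtain it separately from the images (a signed file, or the same digests fetched from two independent vendor sources) and keep the verified golden images on media the compromised host never touched.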

Shouldn’t we be listening?

Wednesday, September 10th, 2008

I’ve noticed the following trend in network configuration: networks that do not have default routing and DNS resolution to the Internet for internal hosts. While I can somewhat understand this method of network configuration, it does reduce Internet functionality, and without using a proxy of some type, you do not get to the Internet. Does this increase your Internet security posture, or is it blinding you to the real threat that may still exist while also reducing functionality?

My thought is those using this method are saying to the Internet, “La la la, I can’t hear you” all the while the Internet is merrily chatting away. Just because you are not listening, does not mean things are not being done.

It is important to point out that several BotArmies are proxy aware. With today’s mobile workforce, assets are readily leaving the network (doing God knows what), and then reconnecting, and home users/telecommuters are using VPNs to access corporate assets. Given that, shouldn’t we be listening and paying attention?

- Jeff McGough, Damballa VP of Operations
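If the bots on a proxied network are proxy aware, the proxy log is exactly where to listen: every check-in has to pass through it. One of the simplest things to look for is regularity, since a bot checks in on a timer while a person browses in bursts. The following is an added example written for this page, not Damballa's code or anything from the original post; the log format (`<epoch> <client> <destination host> <bytes>`), the hosts and the timestamps are all constructed, and the thresholds (`min_requests`, `max_cv`) are starting points to tune on your own traffic.

```python
"""Flag regularly spaced outbound requests ("beacons") in proxy logs.

Added example for the post above. The log format, hosts and timings are
constructed for illustration; real proxies have their own formats, so adapt
parse_line() to yours.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "<epoch seconds> <client ip> <destination host> <bytes out>".
# 10.1.2.15 hits one host every ~60 s with near-constant size; 10.1.2.33 browses.
SAMPLE_LOG = """\
1221004800 10.1.2.15 update.example-vendor.test 412
1221004803 10.1.2.15 cdn.news-site.test 15320
1221004860 10.1.2.15 update.example-vendor.test 409
1221004921 10.1.2.15 update.example-vendor.test 415
1221004922 10.1.2.33 mail.webmail.test 2210
1221004980 10.1.2.15 update.example-vendor.test 411
1221005039 10.1.2.15 update.example-vendor.test 410
1221005100 10.1.2.15 update.example-vendor.test 412
1221005107 10.1.2.33 cdn.news-site.test 30110
1221005160 10.1.2.15 update.example-vendor.test 408
1221005400 10.1.2.33 mail.webmail.test 1985
1221006200 10.1.2.33 mail.webmail.test 2300
"""


def parse_line(line):
    """Split one constructed-format log line into (timestamp, client, dst, bytes)."""
    ts, client, dst, nbytes = line.split()
    return int(ts), client, dst, int(nbytes)


def group_requests(lines):
    """Map (client, destination) -> sorted request timestamps, skipping blank lines."""
    series = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, dst, _ = parse_line(line)
        series[(client, dst)].append(ts)
    for ts_list in series.values():
        ts_list.sort()
    return series


def find_beacons(lines, min_requests=6, max_cv=0.2):
    """Return [(client, dst, count, mean_interval, cv)] for regular, repeated check-ins.

    cv is the coefficient of variation (pstdev / mean) of the inter-request
    intervals: 0.0 is perfectly periodic, ordinary browsing scores far above
    max_cv. Pairs with fewer than min_requests hits are ignored as noise.
    Findings are sorted most-regular first.
    """
    findings = []
    for (client, dst), ts in group_requests(lines).items():
        if len(ts) < min_requests:
            continue
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(intervals)
        if m <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(intervals) / m
        if cv <= max_cv:
            findings.append((client, dst, len(ts), round(m, 1), round(cv, 3)))
    return sorted(findings, key=lambda f: f[4])


if __name__ == "__main__":
    for client, dst, n, period, cv in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {dst}: {n} requests, every ~{period}s, cv={cv}")
```

A bot that jitters its timer raises the CV, so in practice you would pair this with other signals the same log already gives you (near-constant request size, destinations no one else on the network visits, activity outside working hours) rather than relying on periodicity alone; the point is that the proxy sees all of it, so nothing stops you from looking.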