
BIOS And physical security

TruvisT

Server Management Specialist
Verified Provider
So here is a question.

I started reading up on some papers from NIST about security that were recently updated and was wondering if anyone else here locks down their BIOS or takes any other security measures as far as physical-based security, or do people generally just focus on the software side?
 

raindog308

vpsBoard Premium Member
Moderator
Datacenter or desktop?

For datacenter, my employer owns the DC and just worries about physical and access security.  No one gets into the DC who isn't a pretty small subset of employees/contractors.  We don't lock down BIOS but there is a lot of encryption on our systems because of contractual agreements (i.e., our customers who insist on encrypted data in transit/data at rest, regulatory stuff about PII, etc.)  It'd be a pretty extraordinary event for someone to get into the DC, unrack a server (or a SAN :) and take it away.  A bigger risk is a disgruntled employee who brings a portable hard drive to work (or runs some sort of destructive program).

For stuff we have in public DCs, we tend to encrypt but not BIOS lock.  If someone steals the hardware (again, a pretty extraordinary event even though we're trusting someone else's physical security), they can get around any BIOS lock anyway...we're only interested that they don't get the data.  And of course, encrypt network.

For desktop, we encrypt laptops and do the basic stuff for mobile but that's it.  Our cloud exposure is greater - a lot of our stuff is off in cloud land (AWS, Office 365, Azure, etc.) so that's by definition accessible from anywhere.  No theft needed.

 

A friend works for the IRS.  They do the whole bit at the desktop - BIOS is locked down with administrator password, chassis intrusion, any insert of USB sends an alert to IT, very locked down in terms of rights, etc.
 

Munzy

Active Member
BIOS passwords can be reset quite easily; usually there is a jumper on the motherboard, or simply draining the power from the system will do.
 

MCH-Phil

New Member
Verified Provider
In all the businesses I've worked with, we've only cared about data security.  BIOS lockdowns were not needed.  USB, I won't comment on.  Disable autorun, be done.  Worry about firmware hacks?  Meh, good luck.  If it's happened/happening, you are already screwed.

I deal with the state very regularly as far as IT goes.  One of the biggest rules I have is no local data.  Do not store anything.  No one likes when a shop is broken into and someone steals a PC with car titles or SSNs etc. etc. involved.

What's to say I don't just steal your hard drives and place them in my system?  Don't forget, most Dells and other name-brand PCs have single access codes.  Wait until someone figures out the algorithm to calculate those.  It happens :D
 

raindog308

vpsBoard Premium Member
Moderator
MCH-Phil said:
"In all the businesses I've worked with, we've only cared about data security.  BIOS lockdowns were not needed.  USB, I won't comment on.  Disable autorun, be done.  Worry about firmware hacks?  Meh, good luck.  If it's happened/happening, you are already screwed."
It kind of depends on what you want regarding USB.  In some environments, the motivation is less about antivirus and more about stopping an avenue of data theft. Not saying that disabling USB is going to completely accomplish that but it's more about stopping the average user rather than the elite hacker.
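
The posts above mention desktops where any USB insert sends an alert to IT, and USB controls aimed at data theft. As an added example (not written by anyone in this thread), here is one way such an alert could be derived on a Linux host by correlating kernel log lines; the log sample is constructed, and the allowlist and function name are hypothetical.

```python
import re

# Constructed sample of Linux kernel log lines (not taken from the thread).
SAMPLE_LOG = """\
[ 1021.334] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1021.340] input: Logitech USB Keyboard as /devices/pci0000:00/usb1/1-2/input/input5
[ 2210.118] usb 2-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 2210.125] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 3302.771] usb 2-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[ 3302.779] usb-storage 2-3:1.0: USB Mass Storage device detected
[ 3400.002] usb 2-3: USB disconnect, device number 7
"""

# Hypothetical allowlist: vendor:product IDs of storage devices issued by IT.
APPROVED_STORAGE = {"0951:1666"}

FOUND = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def storage_alerts(log_text, approved=APPROVED_STORAGE):
    """Return one alert dict per mass-storage attach that is not on the allowlist."""
    last_seen = {}  # port -> "vvvv:pppp" of the device most recently enumerated there
    alerts = []
    for line in log_text.splitlines():
        m = FOUND.search(line)
        if m:
            port, vid, pid = m.groups()
            last_seen[port] = f"{vid}:{pid}"
            continue
        m = STORAGE.search(line)
        if m:
            port = m.group(1)
            # A storage attach with no enumeration line seen is treated as unknown
            # and therefore alerts (fail closed).
            dev_id = last_seen.get(port, "unknown")
            if dev_id not in approved:
                alerts.append({"port": port, "device": dev_id, "line": line.strip()})
    return alerts


if __name__ == "__main__":
    for a in storage_alerts(SAMPLE_LOG):
        print(f"ALERT unapproved USB storage {a['device']} on port {a['port']}")
```

Keyboards and other non-storage devices are ignored; only the mass-storage attach on an unapproved vendor:product ID produces an alert.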
 

D. Strout

Resident IPv6 Proponent
It's always been my understanding that once someone gets physical access to your machine, all bets are off in terms of security. Even if the person has limited technical ability, they can ruin things with a sledgehammer. If they're more technically inclined, as others have mentioned, BIOS stuff is easy to bypass. Or just open up the machine, pull the hard drive, and plug it in elsewhere. A physical lock holding the machine closed? Give me a break - if they've made it past your DC's security, they have a bolt cutter.

Do the basics in terms of physical security (like, check that the DC does a good job of it), then spend your effort on remote security. That's a lot easier.
 