Originally written by Richard Westlund
Device endpoints are often targeted by cyber criminals attempting to gain a foothold into an enterprise network. That’s why Dell Technologies has created an innovative portfolio of endpoint security solutions to turn a client desktop, workstation or notebook into a Dell Trusted Device.
These security features are usually not visible to an end user because they are provided by the BIOS (Basic Input/Output System) – the code responsible for device boot and other fundamental functions.
Having a basic understanding of these “below the OS” security features should help our Unified Workspace Community members speak with confidence when talking to team members, business leaders or senior management.
A recent whitepaper, “Client Solutions Dell Trusted Device: BIOS Security,” outlines how this strategy addresses the key functions defined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, and Recover. Here is a summary of those features.
The identify function helps organizations manage their endpoint assets, as well as determine security risks and threat models. The Dell Trusted Device BIOS supports a Service Tag programmed into the BIOS NVRAM (non-volatile random access memory) during manufacturing and locked in place for the life of the device. This allows the organization and Dell to identify the device and confirm its information for service and warranty support.
An Asset Tag, also stored into BIOS NVRAM, can be set, changed, or cleared by an administrator to include tracking information, logistical messages, or unique branding.
Dell has also invested in threat modeling for Dell Trusted Device BIOS and firmware, as well as web applications and cloud architectures. Dell says this approach, combined with penetration testing, has led to significant improvements in finding and mitigating potential vulnerabilities in BIOS, firmware and hardware design.
The second stage of the Dell Trusted Device security strategy focuses on protecting the lowest levels of code in the Dell Trusted Device – the “first line of defense” for modern PCs against sophisticated adversaries. Protection begins with the PC boot process and continues with the boot chain. The objective is to prevent the PC from executing unauthorized code, thereby providing a safe foundation for the operating system and user applications.
The Dell Master Password is another powerful security feature for the Dell Trusted Device. It uses a shared secret algorithm to allow Dell Customer Support to offer a device-specific unlock password to unlock the system. This is a low-tech solution that can be performed when network-based remediation is not available.
Built-in detection mechanisms help Dell provide visibility into new adversarial techniques targeting endpoints. For instance, Intel Boot Guard is a highly effective detection tool for verifying the integrity of the initial boot block (IBB), the first piece of BIOS code to be executed by the processor. Dell Trusted Devices are configured with the most restrictive policy for Boot Guard which blocks all code access if the boot block verification fails during the Boot Guard check. This policy “bricks” the system, to limit an attacker’s access and reduce the overall incentive for tampering.
Dell Trusted Devices also include many layers of protection and detection to guard against BIOS tampering. A collaboration between Dell and VMware Carbon Black addresses the need for scale by allowing organizations to integrate SafeBIOS verification alerts and image capture ability directly within the VMware Carbon Black Audit & Remediation infrastructure.
In the event of a successful attack, restoring the Dell Trusted Device back to normal operating status as quickly and efficiently as possible can help to minimize the overall cost. For instance, the embedded controller of the Dell Trusted Device supports dual firmware images and a failover mode to allow backup firmware to recover the primary image if needed.
The Dell Trusted Device also has a robust recovery mechanism, ensuring that the BIOS can be reverted to a known good copy if compromised. Once invoked, the BIOS recovery will securely capture the nature of tampering for offline analysis into an adversary’s techniques.
Dell Trusted Devices produced since 2017 also include the Dell Data Wipe feature to securely removes all user data from the storage device. The user interface includes multiple confirmation prompts to avoid an accidental triggering.
The Future of Security
For DTUWC members worried about the next cybersecurity threat, rest assured that Dell’s security strategists and architects are continuously monitoring the threat landscape. Cyberattacks will continue to evolve, and because of this, Dell is committed to ongoing investments in hardening endpoints and updating the security features of the Dell Trusted Device.
Want to learn more? See the whitepaper here, or start a conversation with your community below!