Finding the right balance between security and usability
Do you think it’s you who is in control of your computer? And, if your answer is “yes,” are you sure you are the only one who can control it? Out of all possible computer threats, the most dangerous are those capable of taking full control over the computer. Outstanding among these are the so-called firmware rootkits. Firmware is the code that governs the process of booting a computer’s system. Naturally, if malicious components in the firmware give the go-ahead to the malware of the attacker’s choice – and protect it from any blocking attempts – there is nothing to prevent such malware from running. On top of their ability to take control over the computer, malicious firmware components are also extremely persistent – they survive most traditional security measures. Rebooting the system does not help as it leaves firmware intact – which is also the case with reinstalling the system, formatting the hard drive and even replacing the hard drive. In principle, there are only two means for removing malicious components from the firmware: reflashing the so-called SPI memory where the critical parts of firmware reside or replacing the computer’s motherboard. Let’s have a look at options available for who that care about retaining control over their computer. The options are listed from the most secure to the riskiest ones. Naturally, the safest means of securing a computer are also those that are the most demanding on the user. Fortunately, this dependency is not linear, and reasonable solutions can be found for particular use cases.
Don’t use a computer Yes, this option is listed at the very top for the sake of completeness. However, where there are extremely high security concerns, it is a viable option. Slightly modified, this option may look like “Take your computer offline.” If “offline” means that the computer is air-gapped from any network, with USB drives disabled and other security holes plugged, the resulting level of security might get close to not using a computer at all. Unfortunately, for most use cases, a totally air-gapped computer equals no computer at all. This option makes sense only under specific circumstances, for example in industrial control systems. Use a specially designed, tamper-proof device Solutions like using a tamper-proof device or a computer without a hard drive are less extreme than avoiding computers altogether – but typically, they are still out of reach for organizations, even those that are security conscious. The problem is that all broadly available computers have closed-source software that can’t be inspected for bugs or intentionally introduced backdoors. On top of this, many components that once were physical are now software-defined. For example, the camera and microphone are typically controlled by software. To be genuinely tamper-proof, a computer needs to be laden with a variety of security measures, sensors that can detect attempts to physically tamper with the device, as well as a self-destructing mechanism to wipe the drive’s encryption key. Such computers are much more expensive than conventional computers of comparable performance. They contain more components and have unique features that are hard to develop – and all the “economy of scale” benefits are inaccessible due to small production numbers. To some extent, the answer to the risk of having the computer tampered with may be a combination of not having any sensitive data present in the device and being able to determine if the device was or was not compromised when it was out of the user’s control. These so-called tamper-evident computers prevent their users from being spied upon via malware planted in the device under, for example, the cover of a security check. Use a bootable DVD on a computer with no hard drive It is a non-trivial task to make sure a computer boots a verified system, and not a version compromised by an attacker, without using a tamper-proof device. Another viable solution is to use a computer stripped of the hard drive and booted from external storage. As a condition for maintaining the targeted level of security, the external storage – a flash disk, or, typically, a DVD – must be kept safe from possible tampering, which is easier to guarantee compared to protecting the computer itself. (An alternative to a traditional standalone computer with no hard drive is a thin client or a “dumb” computer, which can only connect to a predefined server.) Along with having the boot process under control, the no-hard-drive solution has another advantage: it reduces the security perimeter to data in use, as there is no data at rest under this scenario. Apart from being disk-less, the devices used for this level of security are standard computers – or, at least, are based on conventional machines, often even Windows ones, with some minor modifications. Yet, open-source operating systems, ideally with stripped-down functionality, whose code can be audited, suit better for this purpose. Examples are the Qubes OS or Tails OS. The lack of persistent storage, which is the main source of security in these devices, can be considered the main reason these solutions are not more ubiquitous, even though they bear no significant cost disadvantage. Without being able to store the work-in-progress locally, these computers are totally dependent on connectivity. Manage a set of specialized tools Even with a standard (i.e., off-the-shelf) Windows computer, the overall level of security can be increased substantially by using specialized tools for verifying the integrity of the system; checking, on a regular basis, the content of the hard disk; and most importantly, checking the state of the installed applications. Sandboxing apps are also extremely helpful, especially if they are utilized for running applications in a virtual machine. Examples of other useful tools are secure delete tools, tools for analyzing the network traffic generated by the computer (note that these must be out of the computer’s reach) or storing the event logs in a manner that prevents them from being tampered with. Use a security product with UEFI scanner technology For those who fear having their computer compromised, malicious firmware modifications are the most worrisome. Unfortunately, these so-called UEFI rootkits – a holy grail for cyber attackers of all kinds – are hard to detect unless the defense waives a lot in terms of both cost and usability. Fortunately, there is one exception: the ESET UEFI Scanner, which is the only technology of its kind on the market that is integrated with endpoint security products. The ESET UEFI Scanner is a tool that makes firmware available for scanning. Subsequently, the firmware’s code is scanned – regularly or on demand – by malware detection technologies. Integration with the security product guarantees that the overall process is seamless for the user. Use an established, reputable security solution Undoubtedly, reputable security solutions increase the overall endpoint level of security significantly. The differences in their core capabilities tend to get narrower over time, which is witnessed by their closely similar performance in independent tests. However, where the security provided by these solutions diverges are additional technologies and features. As for firmware security, none of the leading endpoint security solutions – considering at least the top 20 security solutions by revenue – can scan UEFI firmware except for ESET products. Without the ability to scan a computer’s firmware, the users of these solutions have to go through the hassle of managing an external scanner or take the risk of leaving their computer vulnerable to firmware-targeting attacks. Use a so-called next-gen product While some of the solutions by established security vendors do a decent job in protecting their customers, there are also some security products that promise miraculous protection and do not deliver on their claims. Often, they claim their protection to be “signature-less” and based on machine learning and “pure math.” To be clear: today, no security solution relies on specific signatures. Instead, generic detections based on features are used that can detect higher number variants of malware – up to tens of thousands. As for machine learning, it has been broadly implemented across the industry since the mid-1990s. And the “pure math” narrative is complete nonsense as the training sets for machine learning models must be perfectly clean: if trained on wrongly classified or unclassified samples, the final model cannot perform well. Rely on your operating system and its built-in security features In theory, security features integrated with the operating system should best serve the purpose of protecting the computer. In theory, it should be possible to build bug-free operating systems. In practice, neither of these theories work. Bugs continue to be found in those millions of lines of code – and built-in security features designed to protect the very same system continue to fail in doing the job. The cost of having the computer protected seamlessly is having only mediocre protection, compared to security solutions by established vendors. With vulnerabilities in the basic protection, it makes no sense to scan firmware for malicious code as attackers have many more easy options to establish their presence in the computer. Ignore security Unfortunately, computer security worst practices such as not patching the system or the applications and clicking on everything clickable while signed in as administrator are still commonplace. In theory, those utilizing such practices should at least carefully back up their data. In reality, it is not something one can reasonably expect. Unfortunately, reckless users are those who propel cybercrime by unwillingly renting their computers’ resources to botnet operations and paying ransoms, making the internet a less secure place for everyone.