IT Baseline Protection Manual S 6.27 Secure update of BIOS
S 6.27 Secure update of BIOS
Initiation responsibility: IT Security management, Head of IT Section
Implementation responsibility: Administrator
Many IT systems, for example PCs, require a Basic Input Output System (BIOS) for boot-up and/or operation. The BIOS is composed of program code and data; it specifies important configuration settings of the IT system and provides elementary input and output functions. In many cases the actual operating system is loaded by means of these functions. The operating system then either controls the hardware directly or falls back on BIOS functions. The BIOS is normally stored in special storage modules (e.g. EEPROM or Flash EPROM) whose content is retained even when the power supply is switched off.
Especially in PCs, the large number of configuration possibilities has made the BIOS very complex and hence more prone to errors. Many manufacturers have therefore implemented an update mechanism for the BIOS and regularly make corrected BIOS versions available. To carry out the BIOS update, many manufacturers also offer a special program with which the content of the relevant storage modules can be overwritten.
In principle the BIOS update mechanism should be used to ensure that BIOS versions that are as error-free as possible are installed on IT systems. The following points should be considered here:
- First of all, a backup should be made of the currently installed BIOS. For this purpose the software provided by the manufacturer will usually offer an option for reading out the installed BIOS and saving it as a file. If any problems occur after the BIOS update, this BIOS version can be restored.
- With central IT systems, for example servers, network switching elements and private branch exchanges, the BIOS version currently in use should be archived along with the most recent version that was known to work. Care must be taken here to ensure that each file can be unambiguously assigned to the relevant IT system.
- In many cases a BIOS update will affect the stored configuration data. It may be that all the settings previously made are reset to the default values and are effectively lost. A modern PC BIOS is capable of determining a lot of configuration data itself ("auto-detecting"). However, especially with special equipment, it can be necessary to document the settings made prior to the BIOS update. In this connection the recommendations of the manufacturer should be adhered to.
- BIOS updates and software for loading BIOS updates are often made available by the manufacturer on the Internet. Care should be taken to ensure that these are obtained only from the manufacturer itself or from official mirror servers. In case of doubt the manufacturer should be asked to confirm whether a particular version provided on the Internet was actually released by the manufacturer.
- Incompatibilities or damaged files can result in an IT system no longer functioning after a BIOS update. Often it will then no longer be possible to restore the previous, working BIOS version. Normally only the dealer or the manufacturer will be able to get the device working again, and the IT system may be out of service for some time. Therefore, before updating the BIOS, steps must be taken to ensure that a suitable alternative (e.g. a replacement device) is available if such a failure would be unacceptable.
- New BIOS versions should, if possible, be tested prior to use. However, this is only possible where there are several IT systems which all work with the same BIOS. In this case the new BIOS version should initially be installed on only one of these IT systems, and that device should be monitored in operation for some time. If no problems arise, the other IT systems can then follow suit.
- Some manufacturers do not recommend the latest BIOS version for their equipment. Instead, they provide tables in which a particular BIOS version is recommended depending on the operational scenario or model number of the IT system. This mainly concerns network switching elements. The recommendations of the manufacturer should be adhered to.
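The two bookkeeping steps above, archiving the backup so that it can be assigned to one IT system without doubt, and accepting an update only if it really is the manufacturer's file, as an added Python example that is not part of the manual. It assumes the vendor tool has already read the installed BIOS back into a file, that the manufacturer publishes a SHA-256 checksum with each release, and that hostname and serial number are supplied by the caller; the flashing itself stays with the vendor tool.

```python
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_backup(backup: Path, archive_dir: Path, hostname: str,
                   serial: str, bios_version: str, when: date) -> Path:
    """File the read-back image under a name that binds it to one device
    (hostname, serial, version, date) and log its hash in a manifest."""
    dest = archive_dir / f"{hostname}_{serial}_{bios_version}_{when.isoformat()}.bin"
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(backup.read_bytes())
    manifest = archive_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append({"file": dest.name, "hostname": hostname, "serial": serial,
                    "bios_version": bios_version, "date": when.isoformat(),
                    "sha256": sha256_file(dest)})
    manifest.write_text(json.dumps(entries, indent=2))
    return dest


def verify_update(image: Path, published_sha256: str) -> bool:
    """True only if the downloaded update matches the checksum the
    manufacturer published for that release; otherwise it is not flashed."""
    return sha256_file(image) == published_sha256.strip().lower()


def demo() -> dict:
    """Run both steps on constructed sample bytes (not real firmware)."""
    tmp = Path(tempfile.mkdtemp())
    backup = tmp / "readback.bin"
    backup.write_bytes(b"CONSTRUCTED-OLD-BIOS-IMAGE" * 64)
    dest = archive_backup(backup, tmp / "archive", "srv01", "SN-0001", "1.02",
                          date(2024, 1, 15))
    update = tmp / "update.bin"
    update.write_bytes(b"CONSTRUCTED-NEW-BIOS-IMAGE" * 64)
    good = hashlib.sha256(update.read_bytes()).hexdigest()
    manifest = json.loads((tmp / "archive" / "manifest.json").read_text())
    return {"archived_as": dest.name, "manifest_entries": len(manifest),
            "good_update_accepted": verify_update(update, good.upper()),
            "tampered_update_rejected": not verify_update(update, "0" * 64)}
```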
Additional controls:
Was the existing BIOS version backed up prior to the update?
Are BIOS updates only received from trustworthy sources?
Are the manufacturer's recommendations regarding the BIOS update adhered to?
The title and content of this safeguard have been changed. "Backing up of the CMOS-RAM", especially the hard disk geometry, is generally no longer necessary as virtually all modern hard disks support a corresponding autoconfiguration mechanism.