Adding Pre-Boot User Authentication for Sensitive Data Security
Pre-boot user authentication is a vital tool for federal agencies seeking to protect sensitive or classified data from adversaries with direct resource access (ADRs).
Cyber threat actors who physically possess your endpoint hardware and can reach its contents before the operating system loads can carry out a wide variety of attacks with serious consequences. Layering a pre-boot authentication (PBA) mechanism, together with hardware-backed encryption and multifactor authentication (MFA), onto your endpoint protections substantially raises the bar for unauthorized access to data at rest.
Here we go into the details of running pre-boot authentication in a secure environment that is separate from the operating system of a given device. Placed in your boot process, this control blocks many of the attack paths ADRs rely on.
The vulnerability of endpoints at the boot loader
Federal agencies use many types of endpoints: laptops, mobile devices, printers and scanners, IoT devices, and the network components that connect them. All of them contain, or can give access to, sensitive and classified data.
While they vary in form, the endpoints you use share common vulnerabilities. One that is all too often overlooked is the device's exposure between power-on and the moment the operating system and its access controls are running. Without pre-boot authentication (PBA), also called power-on authentication (POA), your sensitive data is open to attack during this window.
The attack methods ADRs use to compromise devices
Your endpoints, from the simplest IoT sensor to a sophisticated network of devices, are vulnerable during the power-on process. From the moment the firmware hands off to the boot loader until the operating system and its access controls are running, an ADR with hands-on access can interfere with the device's protections.
Threat actors can attack via various methods:
- Hardware tampering: An ADR may alter a component of your device or attach an apparatus (a modified drive, a hardware keylogger, a debug probe) that lets them bypass security.
- Cold boot attacks: DRAM retains its contents for seconds to minutes after power is cut, so an ADR who resets a running or suspended device, or moves its memory to another machine, can recover residual data, including encryption keys. PBA helps here only because a device that has been fully powered off has not yet loaded its keys; a machine left asleep with its disk unlocked remains exposed.
- Firmware attacks: An intruder can modify a device's firmware or boot loader to support further exploits, from extracting or destroying data, to intercepting communications, to installing malware that survives a reinstall of the operating system.
Layering pre-boot authentication for tamper-resistant devices
Adding pre-boot user authentication to the BIOS, UEFI or device boot loader creates a secure environment that is external to the device operating system. It closes the window that exists in your endpoints before the operating system, and the login and access controls it provides, is fully loaded.
Pre-boot authentication protects a device in the hands of an adversary by verifying the identity of a user before providing access to data and apps on the device. It works within the boot sequence in this way:
- During power-on, instead of the boot loader booting directly into the device operating system, it pauses for pre-boot authentication.
- The PBA displays an authentication prompt asking the user to enter their credentials, which could be a simple password or PIN, security token, or biometric data.
- With successful user authentication, the PBA releases the disk encryption key, the encrypted volume is unlocked, and the operating system proceeds to load, providing access to the system and data.
Pre-boot authentication during power-on enhances security. Even if an attacker has physical access to your device, they cannot read the data on it without authenticating. Because the disk stays encrypted until PBA succeeds, booting from an external device to bypass the operating system yields only ciphertext once this layer of defense is deployed.
Commonly used security frameworks and programs that require or motivate strong protection of data at rest, for which PBA is a standard building block, include these and others:
- Federal Information Processing Standards (FIPS)
- NSA Commercial Solutions for Classified (CSfC) program for data at rest (DAR)
- National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF)
- U.S. Department of Defense (DoD) Defense Federal Acquisition Regulation Supplement (DFARS)
- Zero Trust requirements outlined in the US Executive Order 14028
Layering PBA into an Ecosystem of Protection
PBA is an essential component of a "defense in depth" security strategy, which stacks independent security mechanisms so that no single control is a single point of failure for your cyber assets and vulnerable endpoints.
Layered security strategies slow attackers down and hinder their ability to initiate and carry out exploits. In some cases, layered protection for DAR stops them cold. In either case, you gain time to detect and counteract the attack.
Layering PBA with hardware encryption and multifactor authentication (MFA) requires the user to authenticate before the operating system loads. PBA functions as a gatekeeper that protects the encryption key, and therefore the data, on a device. You can add these security levels:
PBA with hardware encryption
Adding dedicated hardware components strengthens your security posture. Self-encrypting drives (SEDs) encrypt their contents in drive hardware with a media encryption key that never leaves the drive; PBA supplies the credential that unlocks it. Alternatively, you can seal the disk encryption key in a trusted platform module (TPM) so that it is released only when the measured boot chain matches the enrolled state and the user's PBA credential is presented.
PBA with multifactor authentication
Requiring a second factor in combination with PBA ensures that access is granted only after multiple forms of user authentication succeed. MFA options include a password plus biometric identification, a password plus a security token, or a password plus a one-time code generated on another device.
With these layers integrated in a defense-in-depth deployment, the boot flow mirrors stand-alone PBA with one difference: the PBA environment is configured to require MFA. Only after both factors succeed does the PBA release the hardware encryption key; the boot loader then starts the operating system, and the drive decrypts data at rest on demand as it is read.
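The unlock flow above (PBA credential, TPM-sealed key, second factor) as a runnable model, added here as an illustration and not taken from any PBA product or the original article. It uses only the Python standard library: PBKDF2 stands in for the PBA credential stretching, a SHA-256 chain over constructed boot-component names stands in for a TPM PCR, HMAC-SHA256 in counter mode stands in for the AES key wrap a real TPM or SED would use, and the iteration count, lockout threshold, token secret and boot-chain names are assumptions.

```python
"""Model of a PBA key hierarchy: PIN + token -> KEK -> wrapped DEK, sealed to a boot measurement.
Illustrative stdlib-only example, not code from a real PBA product."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000   # assumption: tune to roughly 1 s on the target hardware
MAX_FAILED_ATTEMPTS = 3       # assumption: mirrors a TPM dictionary-attack lockout

def extend_pcr(measurements: list[bytes]) -> bytes:
    """TPM-style PCR extend, pcr = H(pcr || H(component)), starting from zeros."""
    pcr = bytes(32)
    for component in measurements:
        pcr = hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
    return pcr

def derive_kek(pin: str, token_secret: bytes, salt: bytes) -> bytes:
    """KEK from both factors: the PIN (something you know) stretched with PBKDF2,
    then bound to a hardware token secret (something you have)."""
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(token_secret, stretched, "sha256").digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative stand-in for AES key wrap."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class SealedBlob:
    """What the simulated TPM keeps: wrapped DEK, its tag, and the PCR value it is bound to."""
    policy_pcr: bytes
    salt: bytes
    nonce: bytes
    wrapped_dek: bytes
    tag: bytes
    failed_attempts: int = 0

class UnsealError(Exception):
    pass

def seal_dek(dek: bytes, pin: str, token_secret: bytes, expected_pcr: bytes) -> SealedBlob:
    """Enrolment: wrap the disk encryption key under the KEK and bind it to the trusted boot state."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = derive_kek(pin, token_secret, salt)
    wrapped = _xor(dek, _keystream(kek, nonce, len(dek)))
    # The tag also covers the policy, so a blob cannot be re-labelled for a different boot state.
    tag = hmac.new(kek, expected_pcr + nonce + wrapped, "sha256").digest()
    return SealedBlob(expected_pcr, salt, nonce, wrapped, tag)

def unseal_dek(blob: SealedBlob, pin: str, token_secret: bytes, current_pcr: bytes) -> bytes:
    """PBA unlock. Refuses if locked out, if the boot chain differs, or if either factor is wrong."""
    if blob.failed_attempts >= MAX_FAILED_ATTEMPTS:
        raise UnsealError("locked out: too many failed attempts")
    # Policy check first: booting from external media or a modified loader changes the PCR,
    # so the key is withheld even when the user's factors are correct.
    if not hmac.compare_digest(current_pcr, blob.policy_pcr):
        raise UnsealError("policy failure: boot measurements do not match")
    kek = derive_kek(pin, token_secret, blob.salt)
    tag = hmac.new(kek, blob.policy_pcr + blob.nonce + blob.wrapped_dek, "sha256").digest()
    if not hmac.compare_digest(tag, blob.tag):
        blob.failed_attempts += 1
        raise UnsealError("authentication failure: wrong PIN or token")
    blob.failed_attempts = 0
    return _xor(blob.wrapped_dek, _keystream(kek, blob.nonce, len(blob.wrapped_dek)))

# Constructed sample values (not real firmware hashes or token secrets).
TRUSTED_BOOT = [b"firmware-v1", b"shim-signed", b"bootloader-signed"]
EXTERNAL_MEDIA_BOOT = [b"firmware-v1", b"usb-live-loader"]
TOKEN_SECRET = bytes.fromhex("5e7d" * 16)

def run_scenarios() -> dict:
    """Outcome per scenario: True if the DEK was released, otherwise the refusal reason."""
    dek = secrets.token_bytes(32)
    blob = seal_dek(dek, "7421", TOKEN_SECRET, extend_pcr(TRUSTED_BOOT))
    results = {}

    def attempt(name, pin, token, chain):
        try:
            results[name] = unseal_dek(blob, pin, token, extend_pcr(chain)) == dek
        except UnsealError as err:
            results[name] = str(err)

    attempt("normal_boot", "7421", TOKEN_SECRET, TRUSTED_BOOT)
    attempt("right_pin_wrong_token", "7421", b"\x00" * 32, TRUSTED_BOOT)
    attempt("external_media_boot", "7421", TOKEN_SECRET, EXTERNAL_MEDIA_BOOT)
    for i in range(MAX_FAILED_ATTEMPTS):
        attempt(f"guess_{i}", "0000", TOKEN_SECRET, TRUSTED_BOOT)
    attempt("after_lockout", "7421", TOKEN_SECRET, TRUSTED_BOOT)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

Two design points carry over to real deployments: the policy (boot measurement) check runs before any credential is evaluated, so an external-media boot never gets to try PINs against the key, and the failed-attempt counter lives with the sealed blob rather than in the operating system, so wiping the OS does not reset it.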
PBA is a small investment in much stronger security
Federal agencies with sensitive data and many exposed endpoint devices should not skip the added security that PBA provides. When PBA is layered with full disk encryption and the other protections described above, your data at rest and system files remain inaccessible to ADRs who do not hold a valid credential.