1
00:00:00,610 --> 00:00:02,400
Securing the BIOS.

2
00:00:02,400 --> 00:00:04,130
What is the BIOS?

3
00:00:04,130 --> 00:00:07,300
Well, if you remember back to your CompTIA A+ studies,

4
00:00:07,300 --> 00:00:11,010
BIOS is a type of firmware which is software on a chip.

5
00:00:11,010 --> 00:00:14,290
The BIOS stands for the basic input output system.

6
00:00:14,290 --> 00:00:16,990
It's firmware that provides the computer's instructions

7
00:00:16,990 --> 00:00:19,990
for how it's going to accept input and send output.

8
00:00:19,990 --> 00:00:22,920
So, anytime the motherboard is going to talk to a keyboard,

9
00:00:22,920 --> 00:00:25,830
a mouse, a network card, a hard drive,

10
00:00:25,830 --> 00:00:27,890
a video card, whatever it is,

11
00:00:27,890 --> 00:00:30,360
it has to have instructions on how to do that.

12
00:00:30,360 --> 00:00:32,400
That's what the BIOS provides.

13
00:00:32,400 --> 00:00:34,300
Now, most modern computers don't have

14
00:00:34,300 --> 00:00:36,690
a traditional or legacy BIOS anymore.

15
00:00:36,690 --> 00:00:39,620
Instead, they use a U-E-F-I, or UEFI,

16
00:00:39,620 --> 00:00:42,730
known as the Unified Extensible Firmware Interface,

17
00:00:42,730 --> 00:00:44,460
but it's essentially the same thing.

18
00:00:44,460 --> 00:00:47,370
It's just more of an updated and robust version of it.

19
00:00:47,370 --> 00:00:49,760
Throughout this lesson, I'm going to refer to both of these

20
00:00:49,760 --> 00:00:52,460
as BIOS collectively instead of one or the other

21
00:00:52,460 --> 00:00:55,070
because for our purposes, they're equivalent.

22
00:00:55,070 --> 00:00:57,660
Now, when your computer boots up, it loads the BIOS,

23
00:00:57,660 --> 00:01:00,180
and the BIOS tells it how it's going to check the hard drive

24
00:01:00,180 --> 00:01:02,370
and figure out what the boot order is.

25
00:01:02,370 --> 00:01:03,630
Should it boot from the hard drive,

26
00:01:03,630 --> 00:01:06,640
the floppy disk, the CD, or the USB drive first?

27
00:01:06,640 --> 00:01:08,290
The BIOS controls that.

28
00:01:08,290 --> 00:01:10,250
Then, it's going to load the machine.

29
00:01:10,250 --> 00:01:12,600
Once it does that, it loads the operating system.

30
00:01:12,600 --> 00:01:14,890
And then, Windows is going to start taking over

31
00:01:14,890 --> 00:01:17,700
and be able to do a lot of the functions for the BIOS.

32
00:01:17,700 --> 00:01:19,820
The BIOS is very low level.

33
00:01:19,820 --> 00:01:22,920
As such, it only deals with very basic tasks.

34
00:01:22,920 --> 00:01:24,610
Once the operating system has loaded,

35
00:01:24,610 --> 00:01:26,240
it gives you a ton of additional

36
00:01:26,240 --> 00:01:28,030
capability to your computer.

37
00:01:28,030 --> 00:01:30,540
Now, how are we going to secure this computer?

38
00:01:30,540 --> 00:01:32,840
Well, when we're talking about securing the BIOS,

39
00:01:32,840 --> 00:01:34,270
we're talking about securing everything

40
00:01:34,270 --> 00:01:36,590
up to the point when Windows is loaded.

41
00:01:36,590 --> 00:01:37,770
The first thing we want to do

42
00:01:37,770 --> 00:01:39,920
is what's called flashing the BIOS.

43
00:01:39,920 --> 00:01:42,150
Flashing the BIOS is simply ensuring that it has

44
00:01:42,150 --> 00:01:44,930
the most up-to-date software on that chip.

45
00:01:44,930 --> 00:01:47,220
Because it's firmware, you have to do a process

46
00:01:47,220 --> 00:01:50,040
called flashing the BIOS to upgrade the BIOS.

47
00:01:50,040 --> 00:01:52,170
This allows you to remove what's currently on the chip

48
00:01:52,170 --> 00:01:55,250
and replace it with a newer, more updated version.

49
00:01:55,250 --> 00:01:57,820
Any time there's going to be a new update to the BIOS,

50
00:01:57,820 --> 00:02:00,420
the manufacturer releases it on their website.

51
00:02:00,420 --> 00:02:02,300
Generally, they'll give you a process

52
00:02:02,300 --> 00:02:04,110
that you can install it to a thumb drive,

53
00:02:04,110 --> 00:02:05,250
boot from that thumb drive,

54
00:02:05,250 --> 00:02:07,960
and then run a program to flash the BIOS.

55
00:02:07,960 --> 00:02:10,300
The next thing we want to do to help secure the BIOS

56
00:02:10,300 --> 00:02:12,980
is ensuring that you've set a BIOS password.

57
00:02:12,980 --> 00:02:15,940
This'll prevent anyone from being able to log into the BIOS

58
00:02:15,940 --> 00:02:18,090
and change the boot order or other settings

59
00:02:18,090 --> 00:02:20,930
without having this administrative password.

60
00:02:20,930 --> 00:02:22,270
You want to make sure that you're using

61
00:02:22,270 --> 00:02:25,010
a good long and strong password,

62
00:02:25,010 --> 00:02:27,060
just like you would for your Windows machine.

63
00:02:27,060 --> 00:02:29,320
But it should be one that's unique to your BIOS

64
00:02:29,320 --> 00:02:31,760
and not the same as your Windows machine.

65
00:02:31,760 --> 00:02:34,720
Next, you want to configure your BIOS's boot order.

66
00:02:34,720 --> 00:02:36,350
As you can see here on the screen,

67
00:02:36,350 --> 00:02:38,020
I've deselected the disk drive,

68
00:02:38,020 --> 00:02:40,140
the CD drive, and the USB drive.

69
00:02:40,140 --> 00:02:42,780
I only want to be able to boot from the internal hard disk

70
00:02:42,780 --> 00:02:44,950
and then from the network card.

71
00:02:44,950 --> 00:02:46,850
This helps me protect somebody from putting in

72
00:02:46,850 --> 00:02:50,170
a bootable distribution of a Linux CD or something like that

73
00:02:50,170 --> 00:02:52,010
and taking control of my computer.

74
00:02:52,010 --> 00:02:55,340
If I control the boot order, I control what's loaded.

75
00:02:55,340 --> 00:02:57,670
The fourth thing you can do to help secure your BIOS

76
00:02:57,670 --> 00:03:00,040
is disable any external ports and devices

77
00:03:00,040 --> 00:03:01,320
that you're not going to need.

78
00:03:01,320 --> 00:03:04,160
For example, do you still use a parallel port?

79
00:03:04,160 --> 00:03:06,990
Most people don't, and so you should disable it.

80
00:03:06,990 --> 00:03:09,040
The same thing happens with a serial port.

81
00:03:09,040 --> 00:03:10,480
No one really uses them anymore.

82
00:03:10,480 --> 00:03:12,830
We use USB, so you can disable it.

83
00:03:12,830 --> 00:03:15,320
You might have an onboard network card that you don't use.

84
00:03:15,320 --> 00:03:17,810
Whatever you're not using, you should always disable.

85
00:03:17,810 --> 00:03:19,540
It's one less thing for somebody to use

86
00:03:19,540 --> 00:03:21,120
as part of their attack.

87
00:03:21,120 --> 00:03:22,750
The fifth way to secure your system

88
00:03:22,750 --> 00:03:24,530
is to enable secure boot.

89
00:03:24,530 --> 00:03:26,350
When you enable the secure boot option,

90
00:03:26,350 --> 00:03:27,530
your computer is going to go through

91
00:03:27,530 --> 00:03:30,090
additional processes as it boots up.

92
00:03:30,090 --> 00:03:32,140
When the BIOS or the UEFI is loaded,

93
00:03:32,140 --> 00:03:34,110
it's going to go through and load the public key

94
00:03:34,110 --> 00:03:37,640
from the trusted platform module chip, known as the TPM,

95
00:03:37,640 --> 00:03:39,660
that's sitting inside your processor.

96
00:03:39,660 --> 00:03:41,540
It's going to use this to verify the code

97
00:03:41,540 --> 00:03:43,580
of the operating system that's being loaded

98
00:03:43,580 --> 00:03:45,210
and ensure that it's been digitally signed

99
00:03:45,210 --> 00:03:48,750
by the manufacturer and that it hasn't been modified since.

100
00:03:48,750 --> 00:03:51,160
This ensures that you have a trusted boot device,

101
00:03:51,160 --> 00:03:53,750
and ensures that you have a protected boot process,

102
00:03:53,750 --> 00:03:56,163
and your system is going to be much more secure.