As our world becomes increasingly digitized, protecting critical mission systems across the hardware, firmware, and software layer stack is vital.
In this blog, you’ll learn about the technologies necessary to secure your high-performance computing solutions (HPCs) against unauthorized access and ensure mission success.
As workloads and operations in industries from critical infrastructure to the military continually transition to virtual media, the use of various new technologies has increased as well.
With the continual introduction of new technology, however, information can easily be accessed through devices that store and share data.
In the first half of 2021, cyberattacks increased 125 percent globally, with the average cost of a data breach totaling $4.24 million, nearly a 10 percent increase from 2020.
Additionally, cyberattacks have become more sophisticated, with cybercriminals using tactics backed by social engineering and artificial intelligence, rendering conventional defense methods ineffective.
Since technologies are implemented across a system’s many layers, organizations and individuals must take the necessary steps to address vulnerabilities among any of these layers.
In response to this growing threat, layered security is emerging as a preferred safeguard against hacker intrusion, specifically among various U.S. government agencies.
Layered, or multi-layered, security is composed of security systems that use multiple components to protect compute operations across a system’s levels (layers), so the most vulnerable areas of technology where a cyberattack can occur are kept safe.
Multi-layered security ensures that each component of a cybersecurity network has a back-up plan to counter any gaps or flaws.
A system has three primary layers: hardware (parts and components), firmware (instructions/applications stored inside components), and software (applications). Each of these layers has its own layers, in part due to the introduction of technologies like cloud services.
In the event of a cyberattack, any one of these layers can be targeted, so multi-layer security is necessary to minimize risk, as layers of security work together to form a set of barriers to detect and thwart attacks, bolstering defense and strengthening cybersecurity programs overall.
Let’s dive into some technologies that provide essential safeguards across the hardware, firmware, and software layer stack.
Table of Contents
FIPS 140-2 SEDs
- SEDs (self-encrypting drives) are drives that encrypt data as it is being written onto the disk. Each disk has a data encryption key (DEK) to encrypt data as it being written onto the disk and decrypt it as it is being read onto the disk. SEDs can be certified to FIPS (Federal Information Processing Standards).
- FIPS 140-2 is an IT security accreditation program for validating that the hardware, firmware, and software that implement approved security functions produced by private companies–also known as cryptographic modules–meet well-defined security standards.
Potential Threat: If unapproved cryptographic modules are used on sensitive data within the federal government, then a system is at risk of being hacked, altered, or tampered with, putting critical information at risk.
Definition: Intel PFR (Platform Firmware Resilience) is a solution that helps protect various platform firmware components through monitoring and filtering for malicious traffic or verifying platform firmware images before any firmware code is executed.
Potential Threat: As security protections advance, hacker attacks also become more sophisticated. Without the proper safeguards, sensitive or classified information is at risk of being stolen, erased, or altered.
Definition: BIOS (Basic Input Output System) is a customized firmware component used during the booting process for hardware initialization and managing data flow between a computer’s operating systems and attached devices.
Potential Threat: If the BIOS is not secured, then hackers can easily access and manipulate a computer’s information, gaining control over your system up to the highest level. Oftentimes, these data breaches are extremely hard to detect, even when using high-level scanning and other protective measures.
Response: A BIOS can be secured with passwords, drive encryption, or a trusted platform module (TPM) to ensure that only authorized personnel have access to a computer’s data and functionalities.
Definition: Secure boot is a feature that is found within your computer’s BIOS designed to ensure that your computer starts safely and securely by preventing unauthorized software from taking control of your system at bootup.
Potential Threat: If secure boot is not enabled or disabled, then your computer is vulnerable to malware that take over your computer and make your operating system inaccessible, leaving highly sensitive data at risk and potentially rendering your system inoperable.
Response: Digital signature technologies called “keys” are used to verify (“sign”) messages to allow only software and firmware signed with approved keys to execute, ensuring that your systems are protected against malicious attacks and unauthorized software.
Definition: Secure flash provides hardware-protected secure storage for security keys, certificates, password hashes, application-specific data, configuration data, code version information, and biometric sensor data for authentication; it can also support authenticated and encrypted transactions.
Potential Threat: Though software security solutions are the least expensive, they are also the least secure, leaving critical data at risk and potentially incurring higher costs down the line as a result of cyber attacks. Therefore, it makes sense to work with hardware security solutions, even if they are more expensive upfront, because they offer a higher level of protection and, as a result, offer more security.
Full disk encryption
Definition: Full disk encryption, or hard drive encryption, transforms information in a storage medium into a secret format that can only be understood by people or systems who are allowed access to the information. All information on the system’s hard drive is transformed from plaintext into ciphertext, protecting the entire disk volume and all files on the drive, as well as the operating system, against unauthorized access.
Potential Threat: If sensitive information is easily accessible, it makes the system an easy target for cybercriminals. If information is encrypted, it offers protection against cyberattacks by ensuring it is viewed only by authorized individuals.
Definition: Intel SGX (Software Guard Extensions) is hardware-based, instant memory encryption by a system’s CPU, isolating specific applications codes and data into private sections called enclaves that protect sensitive information from modification, deletion, or disclosure.
Potential Threat: If the information inside an enclave is not encrypted, then an external party can easily access the key and compromise any stored data. Additionally, if an application is running inside an enclave, unauthorized access could potentially mean that application will exit or instruct the destruction of the enclave, leading to a loss of important information.
Definition: Intel TME (Total Memory Encryption) encrypts all data passing to and from a computer’s CPU with a single transient key. Such information includes customer credentials, encryption keys, and other IP or personal information.
Potential Threat: Memory attacks have quietly emerged as a new class of hacking techniques to undermine conventional security measures. This new threat includes attacks at the hardware level such as removal and reading of dual in-line memory modules (DIMMs) or the installation of attack hardware. Without Intel TME, hackers can access critical data, encryption keys, or install malware, compromising the security of your system.
Definition: IPMI (Intelligent Platform Management Interface) is an independent hardware solution that enables you to control and manage your servers, constantly monitoring server health and issuing warning of possible failures, regardless of location, installed operating system, or if the system is on.
Potential Threat: Devices with IPMI exposed are at risk of being compromised at the Baseboard Management Controller (BMC) level, where hackers can reboot the system, install a new OS, and access critical data, bypassing any system controls.
Response: IPMI should be restricted to private management networks. If it is not used or you must run it on a public network, block its MAC address to limit access to your virtual local area network only.
Definition: Multi-factor authentication (MFA) is a security technology that requires at least two methods of authentication from different credentials to verify a user’s identity for login or another transaction.
Potential Threat: Traditional authentication methods like passwords can easily be compromised, and hackers can use password cracking tools to hack into a system by trying different combinations of usernames and passwords until they hit the correct one. Even though some systems may lock potential users out after a certain amount of incorrect attempts, there are still other ways hackers can access a system.
Response: Some forms of multi-factor authentication include knowledge of what the person knows (i.e. password), what the person has (i.e. security token), and who the person is (i.e. facial recognition).
Pre-boot and post-boot authentication
Definition: Pre-boot authentication requires the input of an identifier before allowing the operating system of a computer to boot; post-boot authentication requires the input of an identifier after the operating system boots.
Potential Threat: There are ways to circumvent traditional methods of OS authentication, and failing to require pre-boot and post-boot authentication leaves sensitive data without the necessary safeguards against unauthorized access.
Response: Some methods of authentication include requiring the entry of a username and password or a physical device coupled with data encryption to ensure that the proper authentication identifier is used before critical information can be accessed.
Definition: A hypervisor, also known as a virtual machine monitor (VMM), is software that creates and runs virtual machines (VMs). This allows one host computer to support multiple guest VMs by virtually sharing its resources, such as memory and processing, to other computers in the network. In essence, this software enables virtualization.
Potential Threat: If hackers are able to get into the hypervisor software, then they will have access to all of the virtual machines and the data stored on them. Additionally, since hypervisors distribute virtual machines via a network, they can be susceptible to intrusions and denial-of-service attacks without the right protections.
Response: Some strategies to secure your system’s hypervisor include creating separate VM and management networks, setting access privileges, and disabling unnecessary services to protect critical data and ensure optimal performance.
Definition: An operating system (OS) manages a computer’s memory and processes as well as all of its software and hardware (ex. Windows, Linux). It is perhaps the most important software on a computer, allowing you to communicate with a computer and give commands.
Potential Threat: Failure to protect your OS can lead to the injection of malware, denial-of-service attacks, network intrusion, and buffer overload. This can impede performance and put sensitive information at risk.
Response: Some measures to improve OS security include authentication measures, one-time passwords, and virtualization through locked VMs to protect its confidentiality, functionality, and availability.
When designing a server, particularly those for use by the federal government or military, security is of the utmost importance.
With our increasingly virtual world comes a whole new class of cybercriminals armed with advanced tools and tactics to compromise critical information and weaken or destroy a computer’s functionalities.
As cybercriminals find ways to circumvent traditional security measures, it is crucial to establish a multi-layered defense strategy to guard all of a system’s possible points of attack and provide extra protection should one of the barriers be broken.
Learn more about the importance of securing critical mission systems across the hardware, firmware, and software layer stack to ensure data integrity at the highest level and ensure optimal performance.