Endpoint Vendors Address Threats by Building Defenses into Devices
With security concerns escalating, manufacturers look for innovative ways to protect their products
By the time you finish reading this sentence, a new type of malware will have been discovered in the wild. And with hackers churning out a new attack method roughly every four seconds, another 23,000 variants of malware will potentially target your computing devices by this time tomorrow.
Indeed, security is a massive challenge for every organization in every industry.
But the news isn’t all bad: PC vendors and processor chip makers are expanding their embedded hardware and software features to help IT departments fend off more attacks and recover more rapidly.
Security at the Foundation
For example, vendors are bolstering their defenses against attacks that target a computer’s basic input-output system (BIOS), the firmware that runs when the machine boots up. Malware that infects the BIOS remains intact even when the computer reboots or when a user attempts to reflash the firmware.
One approach device manufacturers have taken to defend against such attacks is to put two BIOS chips in each PC. At boot up, the BIOS is checked against a known good copy stored in the second chip. However, the second chip must be writeable so its copy can be periodically updated.
“If the bad guys can get to the BIOS, then they can also get to the copy of the BIOS,” says Tom Ricoy, Dell director of product management for data security.
To improve security, Dell is making devices that store the BIOS copy in a secure cloud. When a difference is detected between BIOS copies, Dell’s solution quarantines the machine so a copy of the bad BIOS can be analyzed.
Securing the Supply Chain
The U.S. Department of Homeland Security’s “2009 Cyberspace Policy Review” highlighted the problem of reputable technology vendors mistakenly using infected components. Today, many PC vendors have policies to ferret out potential problems in their supply chain.
“Our Trusted Supplier Program performs an in-depth security evaluation on every intelligent component provider to Lenovo’s devices,” says Thorsten Stremlau, CTO of Lenovo's intelligent devices group.
During manufacturing, Lenovo also takes a detailed snapshot of each device. The snapshot becomes a document that Intel signs and that is then posted to the cloud.
“Now, any modifications made to the device in the supply chain process can be detected,” Stremlau says.
Dell says some enterprise customers scrutinize each vendor’s supply chain as part of their purchasing decision.
How Biometrics Can Simplify Security
Manufacturers are also using biometric measures to improve the security of their devices. By recognizing a user’s unique personal traits, such as fingerprints, facial features and even retinal patterns, endpoints can prevent unauthorized access.
Most computers are built with an integrated webcam, which hardware and software vendors are increasingly leveraging to support facial recognition. For example, Dell’s new Latitude 7400 bolsters security with the ExpressSign-in feature. The device incorporates Intel’s Context Sensing Technology to enable a proximity sensor that detects when the user is at the keyboard. Then Microsoft Windows Hello scans the user’s face for log-in.
“If you step away for a break, it recognizes that you’ve left, and will lock itself to preserve battery life and maintain security,” says Whitney Wilkes, Dell director of product marketing for client software.
Whether they’re recognizing faces or fingerprints, biometric features enhance security without the traditional trade-offs.
“‘Authentication’ historically meant ‘Let’s make it stronger by making it harder on the user,’” says Frank Dickson, IDC research vice president for cybersecurity products. “Now, there are a lot of things we can do in terms of leveraging the hardware to make improved authentication transparent and frictionless.”
Another example is Lenovo’s latest ThinkPad X1, whose Match-on-Chip fingerprint reader now supports Microsoft SecureBio to address the problems of weak and pilfered passwords.
“Some statistics say that over 80 percent of hacks are caused by exploiting weak passwords,” says Thorsten Stremlau, CTO of Lenovo's intelligent devices group. “Our customers ask us to provide solutions that allow the use of a secure biometric solution, or even use of multiple factors of authentication. Often in this space, there is a perceived mismatch of convenience for the end user versus enhanced security.”
Biometric solutions also offer another layer of protection against malware designed to harvest credentials.
“Most breaches involve some type of malware and some type of compromised credentials,” Dickson says. “So look for some kind of second or dual-factor authentication to make authentication better and easier.”
Ease the Security Burden on Users
When users consider security features to be too onerous, sometimes they’ll look for ways around them — potentially creating even bigger vulnerabilities. Biometrics are one way to avoid that problem. Manufacturers are also working to make sure that security features don’t hamper performance.
When evaluating computing devices, organizations should consider the extent to which security features use system resources.
“Our endpoint protection software uses less than 1 percent of CPU utilization,” says Dell’s Ricoy.
IT teams also should look for PCs with some memory and processor headroom so they can accommodate additional security features down the road. After all, attacks keep getting more sophisticated, and security measures must keep pace.
“Make sure you have a little extra memory,” says Alex Thatcher, HP director of new products for commercial PCs. “Don’t cut it so close, because that need for security and that extra overhead is not going away.”
Security features should be an important consideration in purchasing machines. Paying extra for valuable security features can be worth it if they prevent a costly data breach or minimize its damage. (A 2018 study by the Ponemon Institute found that the average cost of a data breach was $148 per compromised record.)