Check: USB02.011.00
VMware ESX 3 Server: USB02.011.00 (in version v1 r2)
Title
An IS has its BIOS set to allow a boot from a USB device. (Cat I impact)
Discussion
If an IS's BIOS is left set to allow it to be booted from a USB device, an individual can plug a USB device into the IS and force a reboot, either by performing a hardware reset or by cycling the power. This can lead to a denial of service. Additionally, this can lead to the compromise of sensitive data on the IS that was rebooted and possibly of the network to which the IS is attached.
Check Content
The reviewer will interview the IAO or SA to verify that no IS has its BIOS set to allow a boot from any USB device. Note: An IS can be booted from a USB device for maintenance or recovery purposes, but will never be allowed to do so when in normal use. Note: Some systems do not have a setting for disabling boot from USB. In these cases, boot from USB should be moved to last in the boot device list in the BIOS. The risk is lessened, not mitigated, so the reviewer will mark this as a CAT 2 finding.
Fix Text
Develop a plan to check all ISs' BIOS settings as soon as possible. The check will verify that no BIOS is set to allow a boot from a USB device. Obtain CM approval for the plan and execute the plan.
Additional Identifiers
Rule ID: SV-6998r1_rule
Vulnerability ID: V-6776
Group Title: An IS BIOS is Set to Allow Boot from USB
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |