BIOS protection refers to a set of security controls specifically designed to prevent unauthorized modifications to the system's firmware. These controls include features like setting a BIOS/UEFI administrator password, which restricts access to configuration settings, and implementing Secure Boot. Secure Boot ensures that the system only boots using firmware and software that is digitally signed by a trusted source. These mechanisms directly address the threat of unauthorized firmware modification by creating a hardware-enforced chain of trust and access control, thus preventing malicious changes before they can be executed.

A. An intrusion detection system (IDS) is a detective control that monitors for malicious activity but does not directly prevent firmware modification.

C. BIOS monitoring is a detective, not a preventative, control. It alerts administrators to changes after they have already occurred.

D. Data backups are a recovery control. They are essential for restoring operations after an incident but do not prevent the incident itself.

---

1. National Institute of Standards and Technology (NIST) Special Publication 800-193, Platform Firmware Resiliency Guidelines. Section 3.1, "Protection," states, "The goal of Protection is to ensure that platform firmware code and critical data remain in a state of integrity and are protected from corruption." This section details mechanisms like digital signatures to prevent unauthorized modifications.

2. National Institute of Standards and Technology (NIST) Special Publication 800-147B, BIOS Protection Guidelines for Servers. Section 3, "BIOS Protection Requirements," outlines mandatory security capabilities for BIOS, including requirements for "Secure BIOS Update" (Section 3.1) which mandates cryptographic authentication of all firmware updates to prevent unauthorized code from being installed.

3. Unified Extensible Firmware Interface (UEFI) Forum, UEFI Specification Version 2.9. Chapter 32, "Secure Boot and Driver Signing," describes the Secure Boot protocol, a core BIOS/UEFI protection feature. It is designed to "prevent the execution of unauthorized code during the boot sequence."

4. P. Karger, A. Safford, D. & Wheeler, L. (2004). A Retrospective on the VAX VMM Security Kernel. IEEE Transactions on Software Engineering. This academic paper discusses the foundational concepts of secure boot processes, which are a form of BIOS protection, emphasizing the need to protect the initial system state from modification. (Available via IEEE Xplore, DOI: 10.1109/TSE.2004.86). The principles discussed are foundational to modern BIOS protection.