“Organizations should start by auditing their environment for the conditions that exist that leave them vulnerable to YellowKey,” said Eric Grenier, senior director analyst at Gartner. “They must also have a transparent understanding of their risk acceptance within the case of a lost/stolen device and, based on that acceptance (or non-acceptance), follow the steps equivalent to customizing Secure Boot and ensuring firmware and Boot integrity.” .
Karl Fosaaen, VP of research at cybersecurity company NetSPI, agreed. “Since this vulnerability requires physical access to take advantage of, organizations ought to be specializing in the physical security controls around their Windows devices,” he said. “Having strong policies and controls around physical access to devices is a very good first step in helping protect the possibly vulnerable devices. If there are additional concerns about attackers with the ability to gain access to files on the system, organizations can take a look at limiting the information that they permit users to store locally.”
One among the problems facing corporations is the proliferation of employees using mobile devices, which makes it harder for organizations to limit access to them. “You’re increasingly seeing corporations with corporate data on their laptops, and YellowKey can leave that data unlocked,” said Nathan Davies-Webb, principal consultant at UK-based security company Acumen. That is where tight device security policies come into play, equivalent to prohibiting users from leaving devices unattended.
Nonetheless, said Fosaaen, what makes detection of an attack particularly difficult for the person user is that it just isn’t immediately apparent that a tool has been targeted. “If an attacker used the exploit to read files from the encrypted volume, there likely wouldn’t be any indicators to a user. If the attacker implanted malicious software, you would possibly see increased system utilization, or other performance issues,” he noted.