Sponsored: We can all agree that endpoint security is important, and also that it is a pain to enforce. Because of people. Worker carelessness is the most potent threat to endpoint security, according to US IT decision makers.
When defending against malware there are well-established routines, including obvious items such as using accounts of least privilege, proactive security, good patching hygiene and updated antivirus software. But is this enough? In a word, no: workers will, if they can, always take shortcuts that may expose their organisations to bad actors. The IT world is, however, moving beyond that somewhat rudimentary stance. For instance, with Windows 10, Microsoft has doubled down on some of the security concepts and ideas built into previous generations of the software that were not universally used or were difficult to implement.
In addition, Windows 10 security is fortified by a lot of the intensive workloads (eg, Full Disk Encryption) being handled in silicon. Indeed, Microsoft and Intel have developed quite the partnership, with features baked into newer CPUs such as the 7th Gen Intel Core vPros to deliver a secure endpoint computing platform for Windows 10. According to Intel, this is achieved “without complicating worker efficiency”. For instance, Microsoft’s Device Guard, available for Windows 10 Enterprise and Windows Server 16, changes from a “mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorised by your enterprise. You designate these trusted apps by creating code integrity policies.”
Underpinning its defences, Device Guard uses Intel Virtualization Technology (Intel VT) to, says Intel, isolate critical validation in containers that are nearly invisible and less accessible to malware. “At the vulnerable moment of boot, before any security software is even able to turn on, Intel BIOS Guard and Intel Boot Guard also help Unified Extensible Firmware Interface (UEFI) for Secure Boot help ensure the coast is clear before handing control over to the operating system.”
TPM: It can be useful!
One example of a much-maligned and misunderstood item is that of the TPM (trusted platform module) built into modern devices.
Many sysadmins either misunderstand or ignore the ease of use that TPM can bring to environments of all sizes. But TPM really is the backbone of secure computing. Some functionality requires TPM. There are also multiple ways to use it, but it really does depend on your environment. In practice, the main aim of TPM is to make computing simple while also being secure.
Windows 10 takes these solid security practices and makes them easier (albeit occasionally taking away the rights from the user, à la Windows Update). Unpatched machines are not what anyone wants. All future security in the hardware realm will be reflected in Windows 10. On the other hand, there are some features that, when pushed, users love. Windows Hello and BitLocker are a couple of examples of software that uses some of the advanced hardware built into PCs and utilises the TPM.
Forgot your password?
Forget about it
Windows Hello is a key facet of security hardware that makes life easier for bona fide users and more difficult for hackers and malware. A lot of people pooh-pooh the idea of using a PIN to log into their computer (it can’t be secure, can it?), but there is more to it than the simple PIN used for bank cards, etc. When using a PIN with Windows 10 it is a rudimentary form of two-factor authentication. The PIN is unique to the device it is paired with. This is an example of two-factor authentication at work: something you have and something you know.
The PIN never leaves the device. What makes this more interesting still is that it requires no additional hardware. This simplifies the user experience and keeps the costs low, as there is no need to support hardware tokens that are lost, broken or misconfigured. Intel has even released a new plugin for Edge to allow users to sign in with their Windows Hello PIN to sites that support it. Replacing passwords is no bad thing. Leaky passwords lead to additional compromise.
The same functionality is available to business users but what makes it more powerful is that the PIN can unlock PKI infrastructure and ensure secure cryptographic communications between the user and the AD infrastructure and other providers that are set up to use PKI.
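The two-factor model described above (a device-bound private key that never leaves the machine, a PIN that only unlocks local use of that key, and a server that holds nothing but the public key) can be seen in a small PowerShell simulation. This is an added example and not code from the article, Microsoft or Intel: real Windows Hello keeps the key inside the TPM and enrols it through Windows provisioning, whereas here the "TPM" is an in-memory .NET ECDsa object, the salted-hash PIN check and the five-attempt lockout are assumed stand-ins for TPM anti-hammering, and all function names are hypothetical.

```powershell
# Added example (not from the article): toy model of the Windows Hello trust relationship.
# Requires .NET Framework 4.7+ or PowerShell 7 for ECDsa.ExportParameters / ECDsa.Create(ECParameters).

$MaxPinAttempts = 5   # assumed lockout threshold for this toy model

function Get-PinDigest {
    param([byte[]]$Salt, [string]$Pin)
    # A salted SHA-256 stands in for the TPM's PIN-gated authorisation; the PIN itself is never stored.
    $data = [byte[]]($Salt + [Text.Encoding]::UTF8.GetBytes($Pin))
    [BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($data))
}

function New-HelloDevice {
    param([Parameter(Mandatory)][string]$Pin)
    # Enrolment: a device-unique key pair is generated on the device and bound to this PIN.
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    [pscustomobject]@{
        Salt      = $salt
        PinDigest = Get-PinDigest -Salt $salt -Pin $Pin
        Key       = [System.Security.Cryptography.ECDsa]::Create()   # private key never leaves this object
        Attempts  = 0
    }
}

function Export-HelloPublicKey {
    param([Parameter(Mandatory)]$Device)
    # Only the public half is registered with the identity provider (AD, a website, ...).
    $Device.Key.ExportParameters($false)
}

function New-SignInChallenge {
    # Server side: a fresh random nonce, so a captured response cannot be replayed.
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    ,$nonce
}

function Invoke-HelloSignIn {
    param([Parameter(Mandatory)]$Device, [Parameter(Mandatory)][string]$Pin, [Parameter(Mandatory)][byte[]]$Challenge)
    # Device side: the PIN unlocks the key; only a signature over the nonce leaves the device.
    if ($Device.Attempts -ge $MaxPinAttempts) { return $null }      # locked out after too many bad PINs
    if ((Get-PinDigest -Salt $Device.Salt -Pin $Pin) -ne $Device.PinDigest) {
        $Device.Attempts++
        return $null
    }
    $Device.Attempts = 0
    ,$Device.Key.SignData($Challenge, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

function Test-HelloSignature {
    param([Parameter(Mandatory)]$PublicKey, [Parameter(Mandatory)][byte[]]$Challenge, [byte[]]$Signature)
    # Server side: verify with the registered public key; no secret is needed or stored here.
    if ($null -eq $Signature) { return $false }
    $verifier = [System.Security.Cryptography.ECDsa]::Create($PublicKey)
    $verifier.VerifyData($Challenge, $Signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

# Usage: enrol a laptop, then show which factors are needed to sign in.
$laptop     = New-HelloDevice -Pin '1234'
$registered = Export-HelloPublicKey -Device $laptop
$nonce      = New-SignInChallenge

$ok       = Test-HelloSignature -PublicKey $registered -Challenge $nonce -Signature (Invoke-HelloSignIn -Device $laptop -Pin '1234' -Challenge $nonce)
$wrongPin = Test-HelloSignature -PublicKey $registered -Challenge $nonce -Signature (Invoke-HelloSignIn -Device $laptop -Pin '0000' -Challenge $nonce)
$otherDev = Test-HelloSignature -PublicKey $registered -Challenge $nonce -Signature (Invoke-HelloSignIn -Device (New-HelloDevice -Pin '1234') -Pin '1234' -Challenge $nonce)

"Right PIN on enrolled device: $ok"         # something you have + something you know
"Wrong PIN on enrolled device: $wrongPin"
"Right PIN on another device:  $otherDev"   # the PIN alone is worthless elsewhere
```

The third case is the point the article makes about the PIN being paired to the device: a freshly enrolled device has a different key pair, so even the correct PIN produces a signature the server rejects. Nothing the server stores (a public key) is useful to an attacker who steals the server-side database, which is what distinguishes this model from a password.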
Leverage the power of the silicon
Underlying this simpler, more secure hardware platform is the cryptography built into modern CPUs, which have AES, the currently accepted gold standard, built into them. (There is serious degradation in performance when software has to perform these tasks: silicon wins every time in terms of speed.)
This means that users or administrators can deploy BitLocker in just a few clicks. Although some may think “whatever”, consider the bigger picture. Device theft is a serious issue for business. Having full disk encryption saves the company from having a full-scale security breach on its hands, as the attacker would need to know the credentials in order to access the data. With Windows 10 Enterprise, Microsoft has introduced Windows Defender Credential Guard to combat misused, default or stolen credentials. The software leans on hardware platform security for several features, managing use of Intel VT to isolate credential keys in containers where hackers have less visibility.
Microsoft explains the identity protection technology thus:
“Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.”
There is no reason to not use full disk encryption. What makes Windows 10 even more secure is that there is no need to have multiple passwords.
That one PIN can be used to authenticate the user for almost all local requirements.
Talking about bits and registers
Alongside this user authentication, some of the functionality of newer CPUs can be deployed only using newer versions of Windows. Some protections did work in the world of 32-bit, but 64-bit is where it’s at. These protections mitigate common malware practices to prevent execution of code that the processor wasn’t meant to run. These include the NX bit (No eXecute), a processor technology that goes hand in hand with the DEP (Data Execution Prevention) functionality found in modern versions of Windows. In essence, the NX bit allows the CPU to differentiate between application-executable data and normal application data. The CPU can then be prevented from running some executable data in the application data space. This was one of the big ways in which malware got in.
ASLR (Address Space Layout Randomisation) was available in earlier versions of Windows, but Microsoft have gone to town on this feature with Windows 10. ASLR originally existed to randomise the locations used by software and make them difficult to locate: if an application knew ahead of time where code would be located, it could overwrite that code with its own instructions and give the attack vector an elevated privilege. ASLR does work on 32-bit systems, but nowhere near as effectively as on 64-bit systems. Let me put it simply: anyone running a 32-bit version of Windows is not playing with a full deck. So you are under attack.
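The sections above name a set of controls (TPM, BitLocker, virtualization-based security and Credential Guard, the NX bit via DEP, ASLR, and 64-bit Windows) without showing how an administrator would confirm they are actually on. The following read-only audit does that; it is an added example and not code from the article, Microsoft or Intel. It assumes Windows 10 1709 or later with the built-in TrustedPlatformModule, BitLocker and ProcessMitigations modules, an elevated PowerShell session, and the documented property names of the Win32_DeviceGuard and Win32_OperatingSystem CIM classes; the two function names and the findings wording are hypothetical.

```powershell
# Added example (not from the article): audit the hardware-backed Windows 10 protections.
# Every call below is a query; nothing on the endpoint is changed.

function Get-EndpointSecurityReport {
    [CmdletBinding()]
    param()
    $r = [ordered]@{}

    # NX/DEP and ASLR are only fully effective on x64, as the article points out.
    $r.Is64BitOS = [Environment]::Is64BitOperatingSystem

    # TPM presence and readiness (backs BitLocker, Windows Hello and Credential Guard).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = [bool]$tpm.TpmPresent
        $r.TpmReady   = [bool]$tpm.TpmReady
    } catch { $r.TpmPresent = $false; $r.TpmReady = $false }

    # BitLocker on the OS volume; ProtectionStatus is On/Off, EncryptionMethod e.g. XtsAes256.
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.BitLockerProtection = [string]$os.ProtectionStatus
        $r.BitLockerMethod     = [string]$os.EncryptionMethod
    } catch { $r.BitLockerProtection = 'Unknown'; $r.BitLockerMethod = 'Unknown' }

    # Virtualization-based security and Credential Guard from Win32_DeviceGuard:
    # VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning holds
    # 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = if ($dg) { @($dg.SecurityServicesRunning) } else { @() }
    $r.VbsRunning             = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $r.CredentialGuardRunning = $running -contains 1
    $r.HvciRunning            = $running -contains 2

    # DEP (NX bit) system policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut.
    $dep = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $r.DepPolicy = if ($null -ne $dep) { @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }[[int]$dep] } else { 'Unknown' }

    # System-wide ASLR settings (Get-ProcessMitigation, Windows 10 1709+): ON / OFF / NOTSET.
    try {
        $aslr = (Get-ProcessMitigation -System -ErrorAction Stop).ASLR
        $r.AslrBottomUp    = [string]$aslr.BottomUp
        $r.AslrHighEntropy = [string]$aslr.HighEntropy
    } catch { $r.AslrBottomUp = 'Unknown'; $r.AslrHighEntropy = 'Unknown' }

    [pscustomobject]$r
}

function Get-EndpointSecurityFindings {
    param([Parameter(Mandatory)]$Report)
    # Turn the raw report into the gaps an administrator would act on.
    $findings = @()
    if (-not $Report.Is64BitOS)                           { $findings += '32-bit OS: DEP/ASLR far less effective; deploy x64' }
    if (-not ($Report.TpmPresent -and $Report.TpmReady))  { $findings += 'TPM absent or not ready: no hardware root for BitLocker, Hello or Credential Guard' }
    if ($Report.BitLockerProtection -ne 'On')             { $findings += 'BitLocker is not protecting the OS drive' }
    if (-not $Report.VbsRunning)                          { $findings += 'Virtualization-based security is not running' }
    if (-not $Report.CredentialGuardRunning)              { $findings += 'Credential Guard is not running: NTLM hashes and Kerberos TGTs are not isolated' }
    if ($Report.DepPolicy -eq 'AlwaysOff')                { $findings += 'DEP is disabled system-wide' }
    if ($Report.AslrBottomUp -eq 'OFF' -or $Report.AslrHighEntropy -eq 'OFF') { $findings += 'ASLR has been weakened system-wide' }
    $findings
}

# Usage:
$report = Get-EndpointSecurityReport
$report | Format-List
$findings = Get-EndpointSecurityFindings -Report $report
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No gaps found in the checked controls' }
```

The report object is deliberately separate from the findings logic so the same data can be exported (for example with Export-Csv) across a fleet and the thresholds adjusted centrally; a DEP policy of OptIn, for instance, is the Windows default and is not flagged, while AlwaysOff is.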
Here, Intel touts the benefits of AMT (Active Management Technology) and recommends that organisations install Intel Manageability Commander into their Microsoft System Center Configuration Manager (SCCM) consoles. Subject to certain connectivity limitations, this tag team enables IT operations managers to remotely take a compromised device off the network so a virus doesn’t spread. If the operating system is down or the device is without power, the Intel MC-SCCM combo delivers out-of-band flexibility that means you can be prepared for recovery. Processor-based devices can be reimaged and remotely brought back to a good state. Intel also touts the additional data protection benefits of devices incorporating its solid-state drives, such as the Intel SSD Pro 6000p. With Intel AMT activated you can remotely delete encryption keys using Intel Remote Secure Erase.
In summary, prevention is better than a cure. The Windows 10 and 7th Gen Intel Core vPro combination provides several advances in security that, when implemented correctly, can help prevent malware attempts.
All these new functions are no substitute for properly managing endpoints and using common sense and user education.
- Trump retweeted Posobiec on Monday
- Posobiec promoted the “Pizzagate” conspiracy
Posobiec is a Navy reservist and intelligence officer who has trafficked in debunked conspiracy theories and was retweeted by President Donald Trump this week. A Navy official told CNN on Wednesday that Posobiec’s security clearance is now being reviewed by his command, which is considering whether his statements and behavior are in violation of the conditions of his clearance. Posobiec is one of many bombastic right-wing voices who have picked up steam online, posting nearly constantly to Twitter and earning the praise of Trump’s supporters as well as attention from the President himself.
NBC was first to report on Posobiec’s security clearance review. Posobiec responded to NBC’s report on Twitter, writing, “I’ve always been honest and open about my military service and am proud to have worn the uniform. Why did no one from NBC simply ask me?”
“Outrageous that fake news media’s first reaction was to attack my service record with the US military. Shameful!” he tweeted later. Trump on Monday retweeted a post from Posobiec decrying the lack of “national media outrage” over shootings in Chicago during the weekend that Charlottesville, Virginia, became a national flashpoint. Posobiec’s military record showed he enlisted in the US Navy in 2010. His latest rank was junior-grade lieutenant, and as of April 2017, he was a Navy reservist who worked in Strategic Command Intelligence. His record said he served in Guantanamo Bay for nearly a year.
CNN’s Ryan Browne contributed to this report.
Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post claiming endpoint security vendor Carbon Black’s Cb Response protection software would, once installed for a customer, spew sensitive data to third parties. This included customers’ AWS, Azure and Google Compute private keys, internal usernames and passwords, proprietary internal applications, and two-factor authentication secrets, allegedly. Jim Broome, president of DirectDefense, said the problem stems from the way Cb Response patrols corporate file systems, and transmits data out to third-party malware scanners to check whether files are legit or infected with nasties. If the Cb Response installation doesn’t recognize a document or executable, it can punt it out to multiple scanners to see if they have come across the binaries before, and if they’re safe or need quarantining.
“This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay,” he explained.
“Welcome to the world’s largest pay-for-play data exfiltration botnet.”
Broome said that his team had discovered this flow of data while working for a client last year, and have since found multiple organizations using the Cb Response system. He said his team went public with its findings to warn people without informing the vendor and put out a press release to highlight the supposed danger. However, Carbon Black has fired back with a blog post of its own, claiming DirectDefense got its facts wrong. It’s not a bug causing the data emissions: it’s a feature.
Bug? Feature?
“This is an optional feature, turned off by default, to allow customers to share information with external sources for additional ability to detect threats,” said Michael Viscuso, cofounder of Carbon Black.
“In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google.”
He pointed out that even with the information sharing feature turned on, users can customize exactly what data is sent out of the network . There’s also a popup warning page telling admins that they are sending data outside the company network. He also notes that DirectDefense could have contacted them about this before creating a big fuss about it, and Carbon Black would have explained the issue. A spokeswoman for DirectDefense told The Register that they didn’t tip off Carbon Black about the issue because it didn’t consider the data transmission a vulnerability, instead describing Cb Response as suffering “a function of how the tool is architected” in the original blog.
“However, the recommendations or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.”
So DirectDefense decided to “educate users” about the issue, albeit in somewhat alarmist terms.
Education or PR stunt that backfired? You decide.