Sponsored
We can all agree that endpoint security is important and also that it is a pain to enforce. Because of people. Worker carelessness is the most potent threat to endpoint security [1], according to US IT decision makers.
When defending against malware there are well-established routines including obvious items such as using accounts of least privilege, proactive security, good patching hygiene and updated antivirus software. But is this enough? In a word, no: workers will, if they can, always take shortcuts that may expose their organisations to bad actors. The IT world is, however, moving beyond that somewhat rudimentary stance. For instance, with Windows 10, Microsoft has doubled down on some of the security concepts and ideas built into previous generations of the software that were not universally used or were difficult to implement.
In addition, Windows 10 security is fortified by a lot of the intensive workloads (eg, Full Disk Encryption) handled in silicon. Indeed, Microsoft and Intel have developed quite the partnership, with features baked into newer CPUs such as the 7th Gen Intel Core vPros to deliver a secure endpoint computing platform for Windows 10. According to Intel, this is achieved “without complicating worker efficiency”. For instance, Microsoft’s Device Guard [2], available for Windows 10 Enterprise and Windows Server 16, changes from a “mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorised by your enterprise. You designate these trusted apps by creating code integrity policies.”
Underpinning its defences, Device Guard uses Intel Virtualization Technology (Intel VT) to, says Intel, isolate critical validation in containers that are nearly invisible and less accessible to malware. “At the vulnerable moment of boot, before any security software is even able to turn on, Intel BIOS Guard and Intel Boot Guard also help Unified Extensible Firmware Interface (UEFI) for Secure Boot help ensure the coast is clear before handing control over to the operating system.”
TPM: It can be useful!
One example of a much-maligned and misunderstood item is that of the TPM (trusted platform module) built into modern devices.
Many sysadmins either misunderstand or ignore the ease of use that TPM can bring to environments of all sizes. But TPM really is the backbone of secure computing. Some functionality requires TPM. There are also multiple ways to use it, but it really does depend on your environment. In practice, the main aim of TPM is to make computing simple while also being secure.
Windows 10 takes these solid security practices and makes them easier (albeit occasionally taking away the rights from the user, à la Windows Update). Unpatched machines are not what anyone wants. All future security in the hardware realm will be reflected in Windows 10. On the other hand, there are some features that, when pushed, users love. Windows Hello and BitLocker are a couple of examples of software that uses some of the advanced hardware built into PCs and utilises TPM.
Forgot your password? Forget about it
Windows Hello is a key facet of security hardware that makes life easier for bona fide users and more difficult for hackers and malware. A lot of people pooh-pooh the idea of using a PIN to log into their computer (it can’t be secure, can it?) but there is more to it than the simple PIN used for bank cards, etc. When using a PIN with Windows 10 it is a rudimentary form of two-factor authentication. The PIN is unique to the device it is paired with. This is an example of two-factor authentication at work, something you have and something you know.
The PIN never leaves the device. What makes this more interesting still is that it requires no additional hardware. This simplifies the user experience and keeps the costs low as there is no need to support hardware tokens that are lost, broken or misconfigured. Intel has even released a new plugin for Edge to allow users to use their Windows Hello PIN on sites that support it. Replacing passwords is no bad thing. Leaky passwords lead to additional compromise.
The same functionality is available to business users but what makes it more powerful is that the PIN can unlock PKI infrastructure and ensure secure cryptographic communications between the user and the AD infrastructure and other providers that are set up to use PKI.
Leverage the power of the silicon
Underlying this simpler, more secure hardware platform is the cryptography built into modern CPUs, which have AES, the currently accepted gold standard, built into them. (There is serious degradation in performance when software has to perform these tasks: silicon wins every time in terms of speed.)
This means that users or administrators can deploy BitLocker in just a few clicks. Although some may think “whatever”, consider the bigger picture. Device theft is a serious issue for business. Having full disk encryption saves the company from having a full-scale security breach on their hands as the attacker would need to know the credentials in order to access the data. With Windows 10 Enterprise, Microsoft has introduced Windows Defender Credential Guard [3] to combat misused, default or stolen credentials. The software leans on hardware platform security for several features, managing use of Intel VT to isolate credential keys in containers where hackers have less visibility.
Microsoft explains the identity protection technology thus:
“Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.”
There is no reason to not use full disk encryption. What makes Windows 10 even more secure is that there is no need to have multiple passwords. That one PIN can be used to authenticate the user for almost all local requirements.
Talking about bits and registers
Alongside this user authentication, some of the functionality of newer CPUs can be deployed only using newer versions of Windows. Some protections did work in the world of 32-bit, but 64-bit is where it’s at. These protections mitigate common malware practices to prevent execution of code that the processor wasn’t meant to run. These include NX bit (No eXecute), a processor technology that goes hand in hand with DEP (Data Execution Prevention) functionality found in modern versions of Windows. In essence, NX bit allows the CPU to differentiate between application-executable data and normal application data. The CPU can then be prevented from running some executable data in the application data space. This was one of the big ways in which malware got in.
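Added example, not part of the original article: a Windows binary records whether it supports DEP and ASLR (covered in the next paragraph) in the DllCharacteristics field of its PE header, so a defender can audit executables for these opt-ins. The flag values come from the PE/COFF specification; `make_sample` and the header bytes it builds are constructed for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit image accepts high-entropy ASLR
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100        # image is compatible with DEP / NX

def mitigation_flags(image: bytes) -> dict:
    """Read the DEP/ASLR opt-in flags from a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # skip 4-byte signature and 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (flags,) = struct.unpack_from("<H", image, opt + 70)  # same offset in both
    return {"is_64bit": magic == 0x20B,
            "nx": bool(flags & NX_COMPAT),
            "aslr": bool(flags & DYNAMIC_BASE),
            "high_entropy": bool(flags & HIGH_ENTROPY_VA)}

def findings(image: bytes) -> list:
    """List the mitigations a binary does not opt into."""
    f, out = mitigation_flags(image), []
    if not f["nx"]:
        out.append("NX_COMPAT clear: no DEP opt-in")
    if not f["aslr"]:
        out.append("DYNAMIC_BASE clear: image loads at a fixed address")
    if not f["is_64bit"]:
        out.append("32-bit image: reduced ASLR address space")
    elif f["aslr"] and not f["high_entropy"]:
        out.append("HIGH_ENTROPY_VA clear: 64-bit ASLR entropy not used")
    return out

def make_sample(magic: int, flags: int) -> bytes:
    """Constructed minimal header, just enough fields for the parser."""
    buf = bytearray(0x40 + 24 + 72)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, magic)
    struct.pack_into("<H", buf, 0x58 + 70, flags)
    return bytes(buf)
```

On a real endpoint, pass the first few kilobytes of an executable or DLL to `findings`; an empty list means the image opts into DEP, ASLR and, on 64-bit, high-entropy ASLR.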
ASLR (Address Space Layout Randomisation) was available in earlier versions of Windows, but Microsoft have gone to town on this feature with Windows 10. ASLR originally existed to randomise the locations used by software and make them difficult to locate: if an application knew ahead of time where it would be located, it could overwrite that code with its own instructions and give the attack vector an elevated privilege. ASLR does work on 32-bit systems but nowhere near as effectively as on 64-bit systems. Let me put it simply: anyone running a 32-bit version of Windows is not playing with a full deck.
So you are under attack
Here, Intel touts the benefits of AMT (active management technology) and recommends that organisations install Intel Manageability Commander into their Microsoft System Center Configuration Manager (SCCM) consoles. Subject to certain connectivity limitations, this tag team enables IT operations managers to remotely take a compromised device off the network so a virus doesn’t spread. If the operating system is down or the device is without power, the Intel MC-SCCM combo delivers out-of-band flexibility that means you can be prepared for recovery. Processor-based devices can be reimaged and remotely brought back to a good state. Intel also touts the additional data protection benefits of devices incorporating its solid-state drives such as the Intel SSD Pro 6000p. With Intel MT activated you can remotely delete encryption keys using Intel Remote Secure Erase.
In summary, prevention is better than a cure. The Windows 10 7th Gen Intel Core vPro combination provides several advances in security that, when implemented correctly, can help prevent malware attempts.
All these new functions are no substitute for properly managing endpoints and using common sense and user education.
Call for Belfast City Hall security to be increased after heroin addict is seen ‘shooting up’ in iconic building
Fears are growing that Belfast City Hall is becoming a hub for illicit drugs activity after it was claimed a heroin addict was seen shooting up in a toilet. http://www.belfasttelegraph.co.uk/news/northern-ireland/call-for-belfast-city-hall-security-to-be-increased-after-heroin-addict-is-seen-shooting-up-in-iconic-building-35835915.html
A council employee said they then saw the man fleeing half-naked in full view of tourists and visitors shortly before lunchtime on Tuesday.
Belfast City Council admitted that drug-taking paraphernalia was found in the City Hall toilets, while sources have told the Belfast Telegraph that drugs are a huge problem in the landmark building. The upsurge in illegal activity has coincided with a hike in visitor numbers, particularly with the exhibition centre in the west wing attracting more people through its doors.
“There are plenty of hidey-holes for drug addicts to make use of,” a City Hall insider told this newspaper.
“There’s also a daily and nightly gathering of drugs users at the Cenotaph.” The eyewitness, who asked to remain anonymous, said they saw the man taking heroin before running out of the toilets on the ground floor of City Hall near the main entrance with his trousers hanging off him and no top on.
The shooting-up incident happened a day after a man in his 30s died from a suspected overdose in the toilets of a KFC restaurant in north Belfast. High Sheriff of Belfast Tom Haire revealed that he has had people removed from the Cenotaph for drinking alcohol, and called for increased security and more cameras at City Hall.
“With increasing numbers of people around and in light of recent terror attacks in England, we need to bolster security both inside and outside the grounds,” he said.
“Our security staff do an excellent job, but we need more manpower, and although there already is CCTV in City Hall, we could do with bringing more cameras in.” Mr Haire said he was familiar with problems of people gathering at the Cenotaph and said he was in favour of closing it off to the public.
“My office overlooks the Cenotaph and I actually had to call security to ask them to remove half-a-dozen people drinking alcohol there,” he said.
The DUP politician also said there should be a review of public toilet provision in the area because City Hall is often the first port of call for people who have no business being there. Councillor Jim Rodgers said he was becoming increasingly concerned about the city’s drugs problem and he backed calls for security to be beefed up.
“I’ve had many complaints about people taking drugs not just within City Hall itself, but in the grounds as well and there has been a rise in the number of people using the loos to take drugs,” said the Ulster Unionist.
“Drugs is a major problem and we must do everything we can to address it.
“I certainly don’t want someone to be found dead from an overdose on council premises or anywhere else.” UUP colleague Jeff Dudgeon said the incident was the downside of City Hall being widely open to the public.
“There is a problem with heroin in the city and drugs misuse generally,” he said.
“We have significant security at City Hall, but you can’t stand over everyone walking in and out.”
Councillor Tommy Sandford said the unfortunate incident was something that every one of us should be worried about.
“Hopefully it’s a one-off. I’m just sorry that it happened at all,” he added. Belfast City Council said there was no attempt to pursue or apprehend anyone, and the identity of the person or persons involved is not known to us.
“We can confirm that drug-taking paraphernalia recently was found in the City Hall toilets,” it added.
“However, it is inaccurate to say that a person was disturbed in the act of injecting drugs.
“We are liaising closely with the PSNI and will continue to do so. There have been occasional discoveries of drugs paraphernalia in the grounds, including the Cenotaph area, but we would stress these finds are occasional.
“In all such matters, we liaise closely with the PSNI. The grounds are monitored by CCTV and we also employ a contracted security company to patrol the grounds.”
Security guard accused of breaking the jaw and knocking out the teeth of a Sydney man outside a Gold Coast hotel
- WARNING: GRAPHIC CONTENT
- Bouncer Dennis Faulkner has pleaded not guilty to breaking a man’s jaw
- Alleged victim Dominic Beinke suffered fractured jaw, knocked out teeth
- He denied provoking Faulkner before the attack on the Gold Coast in 2014
- CCTV footage shows the men scuffling on the ground outside a hotel
A Sydney man has denied provoking a security guard before being punched and having his jaw broken outside a Gold Coast hotel over three years ago. Dennis Hecta Tipene Faulkner is on trial on one count of grievous bodily harm at Southport District Court after the incident outside the Grand Chancellor Hotel in Surfers Paradise on February 9, 2014. Alleged victim Dominic Beinke suffered a double fracture to his left jaw after being punched by Faulkner following a scuffle between the pair, Mr Beinke’s brother Patrick, and another guard.
Faulkner pleaded not guilty to the charge as the trial, set down for three days, began on Monday. The court heard the incident occurred shortly after Mr Beinke escorted Patrick from a friend’s engagement party back to the hotel where he was staying with another brother and his partner. After being let into the venue by security, the pair got into an argument with security when they were denied access to the hotel due to Patrick not having a key or identification. Mr Beinke told the court while his brother had got aggressive and demanded to be let into the hotel, he’d attempted to defuse an escalating situation.
CCTV footage played in court showed Mr Beinke and Patrick arguing with Faulkner. Mr Beinke claimed the guard said he was going to ‘knock out’ the pair. Further footage outside the hotel showed Patrick and the other guard scuffling on the ground when Faulkner swings a right fist into Mr Beinke’s jaw, felling him and leaving him momentarily unconscious. Faulkner’s barrister Chris Rosser said Mr Beinke and his brother had both been aggressive when they were denied access to the room, with Mr Beinke pushing his forehead against Faulkner’s. He said Mr Beinke’s claims Faulkner had promised to ‘knock out’ the pair was false and the pair had been constantly swearing and abusing the guard before the incident.
Mr Beinke denied Mr Rosser’s claims he’d called Faulkner a ‘dumb black c***’ and told him to ‘f*** off back to New Zealand’.
‘I do not agree with that at all,’ Mr Beinke said. ‘I was saying ‘I’m not going to fight you’.’ Mr Beinke admitted he and his brother were ‘somewhat’ intoxicated at the time of the incident but he ‘knew what was happening’.
The trial continues.