Pesky users! They're always compromising endpoints! Security baked into silicon helps

Intel chippery tech mitigates the most careless of workers


Sponsored We can all agree that endpoint security is important – and also that it is a pain to enforce. Because of people. Worker carelessness is the most potent threat to endpoint security, according to US IT decision makers.

When defending against malware there are well-established routines including obvious items such as using accounts of least privilege, proactive security, good patching hygiene and updated antivirus software. But is this enough? In a word, no – workers will, if they can, always take shortcuts that may expose their organisations to bad actors. The IT world is, however, moving beyond that somewhat rudimentary stance.

For instance, with Windows 10, Microsoft has doubled down on some of the security concepts and ideas built into previous generations of the software that were not universally used or were difficult to implement.

In addition, Windows 10 security is fortified by a lot of the intensive workloads (eg, Full Disk Encryption) handled in silicon. Indeed, Microsoft and Intel have developed quite the partnership, with features baked into newer CPUs such as the 7th Gen Intel Core vPros to deliver a secure endpoint computing platform for Windows 10. According to Intel, this is achieved "without complicating worker efficiency".

For instance, Microsoft's Device Guard, available for Windows 10 Enterprise and Windows Server 16, changes from a "mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorised by your enterprise. You designate these trusted apps by creating code integrity policies."

Underpinning its defences, Device Guard uses Intel Virtualization Technology (Intel VT) to, says Intel, isolate critical validation in containers that are nearly invisible and less accessible to malware. "At the vulnerable moment of boot, before any security software is even able to turn on, Intel BIOS Guard and Intel Boot Guard also help Unified Extensible Firmware Interface (UEFI) for Secure Boot help ensure the coast is clear before handing control over to the operating system."

TPM: It can be useful!

One example of a much-maligned and misunderstood item is that of the TPM (trusted platform module) built into modern devices.

Many sysadmins either misunderstand or ignore the ease of use that TPM can bring to environments of all sizes. But TPM really is the backbone of secure computing.

Some functionality requires TPM. There are also multiple ways to use it but it really does depend on your environment. In practice, the main aim of TPM is to make computing simple while also being secure.

Windows 10 takes these solid security practices and makes them easier (albeit occasionally taking away the rights from the user, a la Windows update). Unpatched machines are not what anyone wants. All future security in the hardware realm will be reflected in Windows 10.

On the other hand, there are some features that, when pushed, users love. Windows Hello and Bitlocker are a couple examples of software that uses some of the advanced hardware built into PCs and utilising TPM.

Forgot your password? Forget about it

Windows Hello is a key facet of security hardware that makes life easier for bonafide users and more difficult for hackers and malware. A lot of people poo-poo the idea of using a PIN to log into their computer (it can't be secure, can it?) but there is more to it than the simple PIN used for bank cards, etc.

When using a PIN with Windows 10 it is a rudimentary form of two-factor authentication. The PIN is unique to the device it is paired with. This is an example of two-factor authentication at work, something you have and something you know.

The PIN never leaves the device. What makes this more interesting still is that it requires no additional hardware. This simplifies the user experience and keeps the costs low as there is no need to support hardware tokens that are lost, broken or misconfigured.

Intel has even released a new plugin for Edge to allow users to use their Windows Hello PIN to sites that support it. Replacing passwords is no bad thing. Leaky passwords lead to additional compromise.

The same functionality is available to business users but what makes it more powerful is that the PIN can unlock PKI infrastructure and ensure secure cryptographic communications between the user and the AD infrastructure and other providers that are set up to use PKI.

Leverage the power of the silicon

Underlying this simpler, more secure hardware platform is the cryptography built into modern CPUs, which have AES, the currently accepted gold standard, built into them. (There is serious degradation in performance when software has to perform these tasks: silicon wins every time in terms of speed.)

This means that users or administrators can deploy Bitlocker in just a few clicks. Although some may think "whatever", consider the bigger picture. Device theft is a serious issue for business. Having full disk encryption saves the company from having a full-scale security breach on their hands as the attacker would need to know the credentials in order to access the data.

With Windows 10 Enterprise, Microsoft has introduced Windows Defender Credential Guard to combat misused, default or stolen credentials. The software leans on hardware platform security for several features, managing use of Intel VT to isolate credential keys in containers where hackers have less visibility.

Microsoft explains the identity protection technology thus:

Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

There is no reason to not use full disk encryption. What makes Windows 10 even more secure is that there is no need to have multiple passwords. That one pin can be used to authenticate the user for almost all local requirements.

Talking about bits and registers

Alongside this user authentication, some of the functionality of newer CPUs can be be deployed only using newer versions of Windows. Some protections did work in the world of 32-bit, but 64-bit is where it's at. These protections mitigate common malware practices to prevent execution of code that the processor wasn't meant to run.

These include NX bit (No eXecute), a processor technology that goes hand in hand with DEP (Data Execution Prevention) functionality found in modern versions of Windows. In essence, NX bit allows the CPU to differentiate between application-executable data and normal application data. The CPU can then be prevented from running some executable data in the application data space. This was one of the big ways in which malware got in.

ASLR (Address Space Layout Randomisation) was available in earlier versions of Windows, but Microsoft have gone to town on this feature with Windows 10. ASLR originally existed to randomise the locations used by software and make them difficult to locate – if an application knew ahead of time where it would be located it could overwrite that code with its own instructions and give the attack vector an elevated privilege. ASLR does work on 32-bit systems but nowhere near as effectively as on 64 bit systems. Let me put it simply: anyone running a 32-bit version of Windows is not playing with a full deck.

So you are under attack. Here, Intel touts the benefits of AMT (active management technology) and recommends that organisations install Intel Manageability Commander into their Microsoft System Center Configuration Manager (SCCM) consoles. Subject to certain connectivity limitations, this team-tag enables IT operations managers to remotely take a compromised device off the network so a virus doesn't spread. If the operating system is down or the device is without power, the Intel MC-SCCM combo delivers out-of-band flexibility that means you can be prepared for recovery. Processor-based devices can be reimaged and remotely brought back to a good state. Intel also touts the additional data protection benefits of devices incorporating its solid-state drives such as the Intel SSD Pro 6000p. With Intel MT activated you can remotely delete encryption keys using Intel Remote Secure Erase.

Conclusion

In summary, prevention is better than a cure. The Windows 10 7th Gen Intel Core vPro combination provides several advances in security that, when implemented correctly, can help prevent malware attempts. All these new functions are no substitute for properly managing endpoints and using common sense and user education.

Similar topics

Broader topics


Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block Microsoft ad trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains. Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    "I tested the DuckDuckGo so-called private browser for both iOS and Android, yet neither version blocked data transfers to Microsoft's Linkedin + Bing ads while viewing Facebook's workplace[.]com homepage," Edwards explained in a Twitter thread.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022