Aug 1, 2015

Windows 10 : Security


 


 Windows 10 arrived this week, touting improvements and new features for businesses. Security experts were cautiously optimistic about the new security enhancements, including improved access controls, data loss prevention features, and app whitelisting capabilities.

 "Some will have real value once the bugs are worked out, patched, and the industry provides Microsoft feedback," said Brad Passman, director of information technology at Novetta.

 Security experts welcomed overhauling Internet Explorer entirely and introducing Microsoft Edge, noting that attackers have increasingly been targeting the Web browser. Other new business-worthy features were Device Guard and Enterprise Data Protection.

Device Guard flips traditional antivirus on its head and introduces whitelisting to the operating system. Programs aren't allowed to run unless they have been specifically determined to be safe, which is established by checking the file's cryptographic signature.

Device Guard relies on Microsoft's Hyper-V virtualization technology to store its whitelists in a shielded virtual machine. Even the system administrator can't access or tamper with these VMs. However, this is currently available only on Windows 10 Enterprise, and for systems capable of hardware CPU virtualization and I/O virtualization. Device Guard also relies on the on-board TPM chip and UEFI Secure Boot.


BitLocker has made it easier for businesses to turn on full-disk encryption, but until now, most businesses had to rely on third-party products to protect individual files.

Enterprise Data Protection in Windows 10 provides persistent file-level encryption and basic rights management to corporate files. EDP fully integrates with Azure Active Directory and Rights Management services, making it easier to control who has access to the file. EDP also provides the tools necessary to keep personal and business data separate in bring-your-own-device environments, Passman said.

An architectural change, Trusted Boot targets rootkit attacks, where malicious code attempts to tamper with Windows as it boots, before the antivirus and other system defenses kick in. Microsoft introduced features to protect the Windows kernel and privileged drivers in previous versions, but Trusted Boot enhances those measures to prevent system tampering.

Changes to the Network Required
Most of Windows 10's promising new features will require a heavy investment in the rest of Microsoft's ecosystem, Passman warned. Along with the expected learning curve, systems administrators will need to make some changes in their networks to support the new features. This may be a challenge for organizations that have adopted cloud infrastructures in Amazon Web Services and Google, he said.  

Businesses need to make sure they are running security software that supports Windows 10. Microsoft made major changes in its architecture, which affected how antivirus products would work in the new operating system.

 Even though several major antivirus companies have already announced their products have been updated, it's something businesses need to verify before starting the upgrade path. While Windows Defender would automatically enable protection if the operating system detects the third-party security software is not installed or is out of date, businesses should not rely exclusively on Windows Defender, Passman warned.

Many drivers and utilities may not yet have Windows 10 versions, so businesses may find their systems crippled after upgrading. During the preview period, many testers reported problems with some Intel chipsets and Nvidia graphics drivers. In the case of some Lenovo ThinkPads, some of the utilities are disabled or just won't work with Windows 10 at this time, said Andy Hayter, a security evangelist at G DATA.

Biometrics Are Coming
Microsoft has supported third-party biometric logins for a long time, and since Windows 7 it has offered a driver framework that makes it easier for software to incorporate biometric hardware. Windows 10 integrates and extends biometric logins and two-factor authentication with Windows Hello. The biometric data is stored in the on-board TPM chip, making it harder for attackers to steal the credentials.

This would be easy to turn on with new systems shipping with the required hardware, but for businesses upgrading existing systems, getting biometrics hardware such as fingerprint scanners, depth-sensing 3D cameras for facial recognition, or a retina scanner would be a challenge.

While fingerprint scanners are on the market, Intel is one of the few makers with the type of 3D camera needed, and retina scanners are not widely available as of yet. While Windows Hello is available in every version of Windows, this wouldn't be of use to most businesses until the special hardware comes to market.

Microsoft has promised that manufacturers are working on a slew of Windows 10-ready authentication hardware, but this is still a small segment.

"Like any major OS release, it's best to wait and evaluate before leaning too far forward to ensure business isn't interrupted," Passman said.

But No Sense in Wi-Fi Sense
 
Wi-Fi Sense lets Windows 10 users share Wi-Fi passwords with up to three categories of social media connections. This is group-based sharing, and there is no way to select specific individuals who get the passwords.

The connections can then share the information with others. Many social engineering and penetration test attempts try to get an individual to walk into the office and piggyback onto the network.

This feature actually makes it easier to fully compromise the network, as it lets unauthorized guests onto the network, gives them access to data, and gives visibility into network traffic, security experts said.

This "huge security hole" will be a bigger problem for personal users and small and mid-sized businesses, rather than large enterprises, which will likely disable Wi-Fi Sense by default, said Slawek Ligier, vice president of engineering content security at Barracuda Networks.

Smaller businesses are typically more likely to use consumer-grade wireless access points and typically exercise less control over end-user equipment, Ligier said. If a compromised machine joins the network with a shared credential, its activities—such as distributing spam or malware—can get the business IP address blacklisted.


"SMBs are less likely to detect possible abuse of their network until their IP range becomes blacklisted. Once that happens, it can be very difficult and time consuming to get off, resulting in significant loss of business," Ligier said.

It's actually pretty easy to turn off Wi-Fi Sense, as the checkboxes are under Manage Wireless Settings, so businesses would be best served to just disable it outright, Hayter recommended. Businesses can also configure routers to only accept connections from trusted devices via MAC addresses, which would mitigate the risk posed by Wi-Fi Sense.

"There is a lot to like with Windows 10 from the security perspective. BUT…you must move cautiously into this world," Hayter said.


Cr. PC Mag, bangkok21st, Synergy | Facebook

