Windows 10 : Security
Windows 10 arrived this week, touting improvements and new features for businesses.
Security experts were cautiously optimistic about the new security
enhancements, including improved access controls, data loss prevention
features, and app whitelisting capabilities.
"Some will have real value once the bugs are worked out, patched,
and the industry provides Microsoft feedback," said Brad Passman,
director of information technology at Novetta.
Security experts welcomed overhauling Internet Explorer entirely and introducing Microsoft Edge,
noting that attackers have increasingly been targeting the Web browser.
Other new business-worthy features were Device Guard and Enterprise
Data Protection.
Device Guard flips traditional antivirus
on its head and introduces whitelisting to the operating system.
Programs aren't allowed to run unless they are specifically determined
to be safe, by checking the file's cryptographic signature.
Device Guard
relies on Microsoft's Hyper-V virtualization technology to store its
whitelists in a shielded virtual machine. Even the system administrator
can't access or tamper with these VMs. However, this is currently
available only on Windows 10 Enterprise, and for systems capable of
hardware CPU virtualization and I/O virtualization. Device Guard also
relies on the on-board TPM chip and UEFI Secure Boot.
BitLocker has made it easier for businesses to turn on
full-disk encryption, but until now, most businesses had to rely on
third-party products to protect individual files.
Enterprise Data
Protection in Windows 10
provides persistent file-level encryption and basic rights management
to corporate files. EDP fully integrates with Azure Active Directory and
Rights Management services, making it easier to control who has access
to the file. EDP also provides the tools necessary to keep personal and
business data separate in bring-your-own-device environments, Passman
said.
An architectural change, Trusted Boot targets rootkit attacks,
where malicious code attempts to tamper with Windows as it boots, before
the antivirus and other system defenses kick in. Microsoft introduced
features to protect the Windows kernel and privileged drivers in
previous versions, but Trusted Boot enhances those measures to prevent
system tampering.
Changes to the Network Required
Most of Windows 10's promising new features will require a heavy
investment in the rest of Microsoft's ecosystem, Passman warned. Along
with the expected learning curve, systems administrators will need to
make some changes in their networks to support the new features. This
may be a challenge for organizations that have adopted cloud
infrastructures in Amazon Web Services and Google, he said.
Businesses need to make sure they are running security software that
supports Windows 10. Microsoft made major changes in its architecture,
which affected how antivirus products would work in the new operating
system.
Even though several major antivirus companies have already
announced their products have been updated, it's something businesses
need to verify before starting the upgrade path. While Windows Defender
would automatically enable protection if the operating system detects
the third-party security software is not installed or is out of date,
businesses should not rely exclusively on Windows Defender, Passman
warned.
Many drivers and utilities may not yet have Windows 10 drivers, so
businesses may find their systems crippled after upgrading. During the
preview period, many testers reported problems with some Intel chipsets
and Nvidia graphics drivers. In the case of some Lenovo ThinkPads, some
of the utilities are disabled or just won't work with Windows 10 at this
time, said Andy Hayter, a security evangelist at G DATA.
Biometrics Are Coming
Microsoft has supported third-party biometric logins for a long time,
and has offered a driver framework that makes it easier for software to
incorporate biometric hardware since Windows 7. Windows 10 integrates and extends
biometric logins and two-factor authentication with Windows Hello. The
biometrics data is stored in the on-board TPM chip, making it harder for
attackers to steal the credentials.
This would be easy to turn on with new systems shipping with the
required hardware, but for businesses upgrading existing systems,
getting biometrics hardware such as fingerprint scanners, depth-sensing
3D cameras for facial-recognition, or a retina scanner, would be a
challenge.
While fingerprint scanners are on the market, Intel is one of
the few makers with the type of 3D camera needed, and retina scanners
are not widely available as of yet. While Windows Hello is available in
every version of Windows, this wouldn't be of use to most businesses
until the special hardware comes to market.
Microsoft has promised
manufacturers are working on a slew of Windows 10-ready authentication
hardware, but this is still a small segment.
"Like any major OS release, it's best to wait and evaluate before
leaning too far forward to ensure business isn't interrupted," Passman
said.
But No Sense in Wi-Fi Sense
Wi-Fi Sense lets Windows 10 users share Wi-Fi passwords with up to three
categories of social media connections. This is group-based sharing,
and there is no way to select specific individuals who get the
passwords.
The connections can then share the information with others.
Many social engineering and penetration test attempts try to get an
individual to walk into the office and piggyback onto the network.
This
feature actually makes it easier to fully compromise the network, as it
lets unauthorized guests onto the network, gives them access to data,
and gives visibility into network traffic, security experts said.
This "huge security hole" will be a bigger problem for personal users
and small and mid-sized businesses, rather than large enterprises,
which will likely disable Wi-Fi Sense by default, said Slawek Ligier,
vice president of engineering content security at Barracuda Networks.
Smaller businesses are typically more likely to use consumer-grade
wireless access points and typically exercise less control over end-user
equipment, Ligier said. If a compromised machine joins the network with
a shared credential, its activities—such as distributing spam or
malware—can get the business IP address blacklisted.
"SMBs are less likely to detect possible abuse of their network
until their IP range becomes blacklisted. Once that happens, it can be
very difficult and time consuming to get off, resulting in significant
loss of business," Ligier said.
It's actually
pretty easy to turn off Wi-Fi Sense,
as the checkboxes are under Manage Wireless Settings, so businesses
would be best served to just disable it outright, Hayter recommended.
Businesses can also configure routers to only accept connections from
trusted devices via MAC addresses, which would mitigate the risk posed
by Wi-Fi Sense.
"There is a lot to like with Windows 10 from the security
perspective. BUT…you must move cautiously into this world," Hayter said.
Cr. PC Mag, bangkok21st