GSE/Belux Enterprise Systems Security Meeting

Transcription

1 MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 1

2 In the news Microsoft Exposes Scope of Botnet Threat By Tony Bradley, October 15, 2010 Microsoft's latest Security Intelligence Report focuses on the expanding threat posed by bots and botnets. Researchers Discover Link Between TDSS Rootkit and DNSchanger Trojan By NICK BILTON, May 2, 2011 TDSS rootkit, the hard-to-remove malware behind numerous sophisticated attacks, appears to have helped spread the DNSchanger Trojan. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 2

3 Changing landscape Users: BYOD Work/Life overlap Hackers: Polymorphic attacks Targeted multi-level attacks Evolution of security in Operating systems Metasploit effort vs. vulnerability for digging out exploit MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 3

4 Windows 8 Security Investments Protect and Manage Threats Groundbreaking Malware Resistance Help protect the client, data, and corporate resources by making the client inherently more secure and less vulnerable from the effects from malware. Protect Sensitive Data Pervasive Device Encryption Simplifies provisioning and compliance management the of encrypted drives on the widest variety of PC form factors and storage technologies Protect Access to Resources Modern Access Control Modernizes access control and data management while increasing data security within the enterprise. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 4

5 Security and Hardware Why UEFI? What is UEFI? UEFI = Unfied Extensible Firmware Interface An interface built on top of and replaces some aspects of traditional BIOS Like BIOS it hands control of the pre-boot environment to an OS Key Benefits architecture-independent enables device initialization and operation (mouse, pre-os apps, menus) Key Security Benefits: Secure Boot Encrypted Drive support Network unlock support for BitLocker A Windows Certification Requirement for Windows 8 PC s MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 5

6 Trusted Platform Module Update TPM Value Proposition Enables commercial-grade security via physical and virtual key isolation from OS mature standard, years of deployment and hardening TCG Standard evolution: TPM 2.0 Algorithm extensibility enables use worldwide Improvements in TPM provisioning lowers deployment barriers Security scenarios are compatible with TPM 1.2 or 2.0 Windows 8: TPM 2.0 support enables implementation choice Discrete TPM Firmware-based (ARM TrustZone ; Intel s Platform Trust Technology (PTT)) Windows Certification Requirement for Connect Standby PC s Malware Resistance MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 6

7 Trusted and Measured Boot Trusted Boot End to end boot process protection: Windows operating system loader Windows system files and drivers Anti-malware software Ensures and prevents: a compromised operating system from starting software from starting before Windows 3 rd party software from starting before Anti-malware Automatic remediation/self healing if compromised Measured Boot Creates comprehensive set of measurements based on Trusted Boot execution Can offer measurements to a Remote Attestation Service for analysis Legacy vs. Modern Boot Legacy Boot BIOS OS Loader (Malware) OS Start BIOS Starts any OS Loader, even malware Malware may starts before Windows Modern Boot UEFI Trusted Loader Only OS Start The firmware enforces policy, only starts signed OS loaders OS loader enforces signature verification of Windows components. If fails Trusted Boot triggers remediation. Result - Malware unable to change boot and OS components MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 7

8 UEFI Secure Boot Keys Platform Key (PK) One only Allows modification of KEK database Key Exchange Key (KEK) Can be multiple Allows modification of db and dbx Authorized Database (db) CA, Key, or image hash to allow Forbidden Database (dbx) CA, Key, or image hash to block Trusted Boot: Early Load Anti-Malware Windows 7 BIOS OS Loader (Malware) 3 rd Party Drivers (Malware) Anti-Malware Software Start Windows Logon Malware is able to boot before Windows and Anti-malware Malware able to hide and remain undetected Systems can be compromised before AM starts Windows 8 Native UEFI Windows 8 OS Loader Anti-Malware Software Start 3 rd Party Drivers Windows Logon Trusted Boot loads Anti-Malware early in the boot process Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft Windows starts AM software before any 3rd party boot drivers Malware can no longer bypass AM inspection MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 8

9 Pervasive Encryption BitLocker and BitLocker to Go BitLocker Helps prevent unauthorized access to data on lost or stolen PCs Supports full volume encryption of OS and Data volumes Offers variety of pre-boot authentication options: TPM-only, PIN/Password, Network Unlock, USB storage Supports PCs, Servers, and Slate form factors BitLocker to Go Used to help protect data on removable drives Able to deny or grant write access to volumes by organization Enables read-only access on Windows Vista & Windows XP MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 9

10 Improved Provisioning BitLocker support for Trusted Platform Module (TPM) Support for TPMv1.2 and v2.0 Support for discrete and firmware based TPM Windows setup will provision a firmware based TPM to machines with supported secured execution environments (e.g.: ARM TrustZone ; Intel s Platform Trust Technology (PTT)) Flexible encryption options improve the provisioning process Encrypt used disk space only or the entire disk Pre-provision new PC s with BitLocker before proceeding to Windows installation Support on Slates Connected Standby systems eliminate the need for pre-boot authentication! Pre-boot auth provides limited value since the devices rarely power off/boot Ports that open door for DMA attacks not allowed Brute force attacks on Windows logon trigger recovery BitLocker recovery mode triggers Windows RE Supports onscreen keyboard Refreshes TPM measurements No PIN/Password support MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 10

11 New Protector Options Password Protector (OS, Data, Removable Volumes) Added password option for OS Volume. Useful for PC s without TPM s Used to protect Windows to Go devices Network Protector (OS Volumes) Enables PC s connected to corporate network to boot without PIN Simplifies patch process for servers and desktops, wake on LAN, ease of use for end users Active Directory Account or Group Protector (Data, Removable Volumes) Enables a data volume to be unlocked when a user or machine account accesses the volume Network Unlock for OS Volumes Scenario Enables PC s connected to corporate network to boot without PIN Simplifies patch process for servers and desktops, wake on LAN, ease of use for end users Requirements UEFI support for DHCPv4 and DHCPv6 Secure Network Network Key Server Key Request Client Key EFI DHCP PROTOCOL TPM MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 11

12 Latest in Technology Storage Support Windows 7 BitLocker performance implications and storage support Overhead during encryption, run-time, startup, etc Performance implications exacerbated on low-power PCs and Slates Self encrypting drives not supported on Windows 7 Windows 8 improves performance and supports Encrypted Drives Encrypted Drives offload processing to hardware Specialized hardware reduces power use and increases battery life Initial encryption time of volumes eliminated. Run time improved BitLocker manages keys (e.g: AD and MBAM) Systems without Hardware Encrypted Drives use software based encryption Modern Access Control Virtual Smartcards MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 12

13 Challenges with Multifactor Authentication Pain Point Multifactor authentication is difficult to take advantage of due to provisioning challenges, costs, and support Solution Windows Smart Card Framework extended to support TPM Enables devices that users already have to be used as a VSC Cost effective vs. physical Smartcards Easy to use and deploy Security TPM protects virtual smart cards: non-exportability, anti-hammering, isolated crypto TPM Based Authentication Enterprise Need Machine and User ID using hardware protected certificates without requiring separate devices Key Scenarios User Authentication for remote access Document/ signing Strong machine network authentication Consumer Need Banks must know their customer, using commercially-available determination methods to meet FFIEC multiauthentication requirement Key scenarios User certificate bound to the TPM Stronger User Authentication without the need for complex passwords or external second factor MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 13

14 Next level Different views of Information Governance CSO/CIO department I need to have the right compliance controls to keep me out of jail Infrastructure Support I don t know what data is in my repositories and how to control it Content Owner Is my important data appropriately protected and compliant with regulations how do I audit this IW I don t know if I am complying with my organization s polices MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 14

15 Dynamic Access Control on File Servers Identify data Control access Audit access Protect data Manual tagging by content owners Expression based access conditions with support for user claims, device claims and file tags Central audit policies that can be applied across multiple file servers Automatic RMS protection for Office documents based on file tags Automatic classification (tagging) Central access policies targeted based on file tags Expression based auditing conditions with support for user claims, device claims and file tags Near real time protection soon after the file is tagged Application based tagging Access denied remediation Policy staging audits to simulate policy changes in a real environment Extensibility for non Office RMS protectors Breakthrough Security with Windows 8 Securing the Client Fundamentally resistant and resilient against attacks Always Better protected with an in-box anti-malware solution Helps protect users and data from internet based threats Securing the Connections Securely Connect more securely to corporate resources from virtually anywhere Use new and easy to deploy strong multi-factor authentication Helps ensure connections and access are only granted to healthy and secure devices Secure the Resources Pervasive encryption on all devices Fast provisioning of encrypted devices Access control automatically adapts to a changing environment Resources automatically encrypted MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 15

16 MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 16

17 MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 17