GSE/Belux Enterprise Systems Security Meeting


Transcription:

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 1

In the news
- "Microsoft Exposes Scope of Botnet Threat", by Tony Bradley, October 15, 2010: Microsoft's latest Security Intelligence Report focuses on the expanding threat posed by bots and botnets.
- "Researchers Discover Link Between TDSS Rootkit and DNSchanger Trojan", by Nick Bilton, May 2, 2011: TDSS rootkit, the hard-to-remove malware behind numerous sophisticated attacks, appears to have helped spread the DNSchanger Trojan.

Changing landscape
- Users: BYOD; work/life overlap
- Hackers: polymorphic attacks; targeted multi-level attacks
- Evolution of security in operating systems
- Metasploit: effort vs. vulnerability for digging out an exploit

Windows 8 Security Investments
- Protect and Manage Threats: Groundbreaking Malware Resistance. Help protect the client, data, and corporate resources by making the client inherently more secure and less vulnerable to the effects of malware.
- Protect Sensitive Data: Pervasive Device Encryption. Simplifies provisioning and compliance management of encrypted drives on the widest variety of PC form factors and storage technologies.
- Protect Access to Resources: Modern Access Control. Modernizes access control and data management while increasing data security within the enterprise.

Security and Hardware: Why UEFI?
What is UEFI?
- UEFI = Unified Extensible Firmware Interface
- An interface built on top of traditional BIOS that replaces some of its aspects
- Like BIOS, it hands control of the pre-boot environment to an OS
Key benefits:
- Architecture-independent
- Enables device initialization and operation (mouse, pre-OS apps, menus)
Key security benefits:
- Secure Boot
- Encrypted Drive support
- Network Unlock support for BitLocker
UEFI is a Windows Certification requirement for Windows 8 PCs.

Trusted Platform Module Update
TPM value proposition:
- Enables commercial-grade security via physical and virtual key isolation from the OS
- Mature standard: years of deployment and hardening
TCG standard evolution: TPM 2.0
- Algorithm extensibility enables use worldwide
- Improvements in TPM provisioning lower deployment barriers
- Security scenarios are compatible with TPM 1.2 or 2.0
Windows 8: TPM 2.0 support enables implementation choice
- Discrete TPM
- Firmware-based (ARM TrustZone; Intel Platform Trust Technology (PTT))
- Windows Certification requirement for Connected Standby PCs

Malware Resistance

Trusted and Measured Boot
Trusted Boot
- End-to-end boot process protection: Windows operating system loader; Windows system files and drivers; anti-malware software
- Prevents: a compromised operating system from starting; software from starting before Windows; 3rd-party software from starting before anti-malware
- Automatic remediation/self-healing if compromised
Measured Boot
- Creates a comprehensive set of measurements based on Trusted Boot execution
- Can offer measurements to a Remote Attestation Service for analysis
Legacy vs. Modern Boot
Legacy Boot: BIOS -> OS Loader (malware) -> OS start
- BIOS starts any OS loader, even malware
- Malware may start before Windows
Modern Boot: UEFI -> trusted loader only -> OS start
- The firmware enforces policy and only starts signed OS loaders
- The OS loader enforces signature verification of Windows components; if verification fails, Trusted Boot triggers remediation
- Result: malware is unable to change boot and OS components
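Measured Boot and the Remote Attestation Service from the slide above, as an added Python simulation that is not part of the presentation: the PCR extend step is the real TPM construction (new PCR = SHA-256(old PCR || digest)), but the quote is unsigned and the component images are constructed placeholders for the OS loader, system files and ELAM driver.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new PCR = H(old PCR || digest). One-way and order-sensitive."""
    return sha256(pcr + digest)

class MeasuredBootClient:
    """Firmware/loader side: measures each component into a PCR and records an event log."""
    def __init__(self):
        self.pcr = bytes(32)        # PCRs are all zeroes at power-on
        self.event_log = []         # (component, digest), like the TCG event log

    def load(self, component: str, image: bytes) -> None:
        digest = sha256(image)
        self.pcr = pcr_extend(self.pcr, digest)   # measured before the component runs
        self.event_log.append((component, digest))

    def quote(self) -> dict:
        # A real TPM quote is signed by the TPM's attestation key; signing is omitted here.
        return {"pcr": self.pcr, "log": list(self.event_log)}

def attest(quote: dict, known_good: dict) -> tuple:
    """Attestation service: replay the log against known-good digests, then check the PCR."""
    pcr = bytes(32)
    for component, digest in quote["log"]:
        if known_good.get(component) != digest:
            return (False, f"unexpected measurement for {component}")
        pcr = pcr_extend(pcr, digest)
    if pcr != quote["pcr"]:
        return (False, "event log does not reproduce the quoted PCR")
    return (True, "boot chain matches known-good measurements")

# Constructed stand-ins for the components Trusted Boot protects (dict order = boot order).
GOOD_IMAGES = {
    "os_loader": b"constructed Windows OS loader v1",
    "system_files_and_drivers": b"constructed Windows system files v1",
    "elam_driver": b"constructed anti-malware (ELAM) driver v1",
}
KNOWN_GOOD = {name: sha256(img) for name, img in GOOD_IMAGES.items()}

def boot_and_attest(images: dict) -> tuple:
    """Boot with the given images in the fixed boot order and attest the result."""
    client = MeasuredBootClient()
    for component in GOOD_IMAGES:
        client.load(component, images[component])
    return attest(client.quote(), KNOWN_GOOD)

if __name__ == "__main__":
    print(boot_and_attest(GOOD_IMAGES))
    tampered = {**GOOD_IMAGES, "os_loader": b"constructed modified loader"}
    print(boot_and_attest(tampered))
```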

UEFI Secure Boot Keys
- Platform Key (PK): one only; allows modification of the KEK database
- Key Exchange Key (KEK): can be multiple; allows modification of db and dbx
- Authorized Database (db): CA, key, or image hash to allow
- Forbidden Database (dbx): CA, key, or image hash to block

Trusted Boot: Early Load Anti-Malware
Windows 7: BIOS -> OS Loader (malware) -> 3rd-party drivers (malware) -> anti-malware software start -> Windows logon
- Malware is able to boot before Windows and anti-malware
- Malware is able to hide and remain undetected
- Systems can be compromised before AM starts
Windows 8: Native UEFI -> Windows 8 OS loader -> anti-malware software start -> 3rd-party drivers -> Windows logon
- Trusted Boot loads anti-malware early in the boot process
- The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
- Windows starts AM software before any 3rd-party boot drivers
- Malware can no longer bypass AM inspection
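The PK/KEK/db/dbx hierarchy from the slide, as an added Python simulation that is not code from the presentation: the four variables are plain sets, the signed_by argument stands in for the PKCS#7 signature check on an authenticated variable write, the key and CA names are constructed, and image verification consults dbx before db, as the UEFI specification requires.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

@dataclass(frozen=True)
class Signer:
    name: str                              # signing key or CA identity
    issuer: Optional[str] = None           # CA that issued this key; None for a root CA

@dataclass
class Image:
    data: bytes
    signer: Optional[Signer] = None        # None models an unsigned binary

@dataclass
class SecureBootFirmware:
    pk: str                                # Platform Key owner: exactly one
    kek: set = field(default_factory=set)  # Key Exchange Keys: may be several
    db: set = field(default_factory=set)   # authorized CAs, keys or image hashes
    dbx: set = field(default_factory=set)  # forbidden CAs, keys or image hashes

    def authenticated_write(self, variable: str, entry, signed_by: str) -> bool:
        """Authority rules from the slide: only PK may change KEK; a KEK may change db/dbx.
        'signed_by' stands in for verifying the PKCS#7 signature on the variable update."""
        if variable == "kek" and signed_by == self.pk:
            self.kek.add(entry)
            return True
        if variable in ("db", "dbx") and signed_by in self.kek:
            getattr(self, variable).add(entry)
            return True
        return False                       # unauthorized write: variable left unchanged

    def verify_image(self, image: Image) -> str:
        """dbx is checked first (UEFI spec): a forbidden entry blocks even if db allows."""
        ids = {sha256(image.data)}         # image hash, signer key, signer's CA
        if image.signer:
            ids.add(image.signer.name)
            if image.signer.issuer:
                ids.add(image.signer.issuer)
        if ids & self.dbx:
            return "blocked by dbx"
        if ids & self.db:
            return "allowed by db"
        return "rejected: no db match"

def provision() -> SecureBootFirmware:
    """Constructed key names: the OEM's PK enrols its KEK, which then enrols the OS CA."""
    fw = SecureBootFirmware(pk="oem-platform-key")
    fw.authenticated_write("kek", "oem-kek", signed_by="oem-platform-key")
    fw.authenticated_write("db", "windows-production-ca", signed_by="oem-kek")
    return fw
```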

Pervasive Encryption: BitLocker and BitLocker to Go
BitLocker
- Helps prevent unauthorized access to data on lost or stolen PCs
- Supports full-volume encryption of OS and data volumes
- Offers a variety of pre-boot authentication options: TPM-only, PIN/password, Network Unlock, USB storage
- Supports PC, server, and slate form factors
BitLocker to Go
- Used to help protect data on removable drives
- Able to deny or grant write access to volumes by organization
- Enables read-only access on Windows Vista and Windows XP

Improved Provisioning
BitLocker support for the Trusted Platform Module (TPM)
- Support for TPM v1.2 and v2.0
- Support for discrete and firmware-based TPM
- Windows setup will provision a firmware-based TPM on machines with supported secure execution environments (e.g., ARM TrustZone; Intel Platform Trust Technology (PTT))
Flexible encryption options improve the provisioning process
- Encrypt used disk space only, or the entire disk
- Pre-provision new PCs with BitLocker before proceeding to Windows installation
Support on slates
- Connected Standby systems eliminate the need for pre-boot authentication! Pre-boot authentication provides limited value since the devices rarely power off/boot
- Ports that open the door to DMA attacks are not allowed
- Brute-force attacks on Windows logon trigger recovery
BitLocker recovery mode triggers Windows RE
- Supports an on-screen keyboard
- Refreshes TPM measurements
- No PIN/password support

New Protector Options
- Password Protector (OS, data, removable volumes): adds a password option for the OS volume; useful for PCs without TPMs; used to protect Windows To Go devices
- Network Protector (OS volumes): enables PCs connected to the corporate network to boot without a PIN; simplifies the patch process for servers and desktops, wake on LAN, and ease of use for end users
- Active Directory Account or Group Protector (data, removable volumes): enables a data volume to be unlocked when a user or machine account accesses the volume

Network Unlock for OS Volumes
Scenario: enables PCs connected to the corporate network to boot without a PIN; simplifies the patch process for servers and desktops, wake on LAN, and ease of use for end users
Requirements: UEFI 2.3.1 support for DHCPv4 and DHCPv6
(Diagram labels: Secure Network, Network Key Server, Key Request, Client Key, EFI DHCP PROTOCOL, TPM)

Latest in Technology: Storage Support
Windows 7 BitLocker performance implications and storage support
- Overhead during encryption, run time, startup, etc.
- Performance implications exacerbated on low-power PCs and slates
- Self-encrypting drives not supported on Windows 7
Windows 8 improves performance and supports Encrypted Drives
- Encrypted Drives offload processing to hardware
- Specialized hardware reduces power use and increases battery life
- Initial encryption time of volumes eliminated; run time improved
- BitLocker manages keys (e.g., AD and MBAM)
- Systems without hardware Encrypted Drives use software-based encryption

Modern Access Control: Virtual Smartcards

Challenges with Multifactor Authentication
Pain point: multifactor authentication is difficult to take advantage of due to provisioning challenges, costs, and support
Solution: Windows Smart Card Framework extended to support the TPM
- Enables devices that users already have to be used as a VSC (virtual smart card)
- Cost-effective vs. physical smart cards
- Easy to use and deploy
Security: the TPM protects virtual smart cards: non-exportability, anti-hammering, isolated crypto

TPM-Based Authentication
Enterprise need: machine and user ID using hardware-protected certificates without requiring separate devices
Key scenarios:
- User authentication for remote access
- Document/email signing
- Strong machine network authentication
Consumer need: banks must know their customer, using commercially available determination methods to meet the FFIEC multiauthentication requirement
Key scenarios:
- User certificate bound to the TPM
- Stronger user authentication without the need for complex passwords or an external second factor

Next level: Different views of Information Governance
- CSO/CIO department: "I need to have the right compliance controls to keep me out of jail"
- Infrastructure support: "I don't know what data is in my repositories and how to control it"
- Content owner: "Is my important data appropriately protected and compliant with regulations? How do I audit this?"
- Information worker (IW): "I don't know if I am complying with my organization's policies"

Dynamic Access Control on File Servers
Identify data:
- Manual tagging by content owners
- Automatic classification (tagging)
- Application-based tagging
Control access:
- Expression-based access conditions with support for user claims, device claims and file tags
- Central access policies targeted based on file tags
- Access denied remediation
Audit access:
- Central audit policies that can be applied across multiple file servers
- Expression-based auditing conditions with support for user claims, device claims and file tags
- Policy staging audits to simulate policy changes in a real environment
Protect data:
- Automatic RMS protection for Office documents based on file tags
- Near-real-time protection soon after the file is tagged
- Extensibility for non-Office RMS protectors

Breakthrough Security with Windows 8
Securing the Client
- Fundamentally resistant and resilient against attacks
- Always better protected with an in-box anti-malware solution
- Helps protect users and data from internet-based threats
Securing the Connections
- Connect more securely to corporate resources from virtually anywhere
- Use new and easy-to-deploy strong multi-factor authentication
- Helps ensure connections and access are only granted to healthy and secure devices
Securing the Resources
- Pervasive encryption on all devices
- Fast provisioning of encrypted devices
- Access control automatically adapts to a changing environment
- Resources automatically encrypted
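The expression-based access conditions, access denied remediation and policy staging audit from the Dynamic Access Control slide, as an added Python model that is not Microsoft's implementation: user claims, device claims and file tags are plain dictionaries, central access rules are predicates over them, and the departments and tags are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Claims = Dict[str, object]   # e.g. {"Department": "Finance"} or {"Managed": True}

@dataclass
class AccessRequest:
    user: Claims          # user claims carried in the Kerberos ticket
    device: Claims        # device claims (e.g. whether the device is managed)
    file_tags: Claims     # classification tags on the file
Condition = Callable[[AccessRequest], bool]

@dataclass
class CentralAccessRule:
    name: str
    targets: Condition    # which files the rule applies to (selected by file tag)
    permits: Condition    # the expression-based access condition

def evaluate(rules: List[CentralAccessRule], req: AccessRequest) -> Tuple[bool, List[str]]:
    """Every rule targeting the file must permit access; the names of the rules that
    denied are returned so 'access denied remediation' can tell the user why."""
    denied_by = [r.name for r in rules if r.targets(req) and not r.permits(req)]
    return (not denied_by, denied_by)

def staging_audit(effective, proposed, requests) -> List[Tuple[str, bool, bool]]:
    """Policy staging: evaluate the proposed policy beside the effective one and report
    each request whose outcome would change, without enforcing the proposed rules."""
    diffs = []
    for label, req in requests:
        now, later = evaluate(effective, req)[0], evaluate(proposed, req)[0]
        if now != later:
            diffs.append((label, now, later))
    return diffs

# Constructed sample policy: High-impact files require a matching department today;
# the proposed policy additionally requires a managed device.
def is_high_impact(r): return r.file_tags.get("Impact") == "High"
def dept_matches(r):   return r.user.get("Department") == r.file_tags.get("Department")
def managed_device(r): return r.device.get("Managed") is True

EFFECTIVE = [CentralAccessRule("HighImpact-DeptMatch", is_high_impact, dept_matches)]
PROPOSED = EFFECTIVE + [CentralAccessRule("HighImpact-ManagedDevice", is_high_impact, managed_device)]
FINANCE_FILE = {"Impact": "High", "Department": "Finance"}
SAMPLE_REQUESTS = [
    ("finance user, managed laptop", AccessRequest({"Department": "Finance"}, {"Managed": True}, FINANCE_FILE)),
    ("finance user, unmanaged tablet", AccessRequest({"Department": "Finance"}, {"Managed": False}, FINANCE_FILE)),
    ("HR user, managed laptop", AccessRequest({"Department": "HR"}, {"Managed": True}, FINANCE_FILE)),
    ("HR user, low-impact file", AccessRequest({"Department": "HR"}, {"Managed": False}, {"Impact": "Low"})),
]

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS:
        print(label, evaluate(EFFECTIVE, req))
    print("would change under proposed policy:", staging_audit(EFFECTIVE, PROPOSED, SAMPLE_REQUESTS))
```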
