July 27, 2015

Windows 10 Security - Part 2

In my previous blog entry on the introduction to security, I talked about the elimination, once and for all, of the password. That may have put it a bit too optimistically for businesses - but consumers are already used to multi-factor authentication. Those that use Picture Password or a simple PIN from Windows 8 (consumer and business) get this concept too. Today, it's time to dive into the weeds - so much so that I'll likely take this into a third part. I must give credit where due for help with this large set of content, because it reflects their thinking as well as mine. Some of this blog comes straight from the horse's mouth, but I've personally gone through each point and validated it to be accurate and of sound commentary! Let's dive in.

We're primarily familiar with certain concepts in the security space:

  1. Cybercrime
  2. Attacks on Big Companies or the Government
  3. Malware

Each of these is fairly obvious - avoid being a big guy or a big target, and you're likely fine. Keep your users from installing apps, and you're likely fine. Keep the bad guy off your network, and you're likely fine. These concepts worked well when Windows 7 came into existence. Now, well, we have changed up these notions a bit and have a bit more to worry about:

  1. Cyberwar, Cyber Terrorism, Cyber Espionage
  2. Everyone is a target
  3. Advanced Persistent Threats are real, and there is massive, widespread stealing of credentials

Before 2009, these new notions weren't really ever thought of if you weren't in the Fortune 500 or the government. The tools and methodologies of "protect the network and protect the servers" worked. Companies the world over would spend tons of money on network detection, but even we die-hard security types knew that the time between detection and action could be days. In the case of some of these companies that ARE in the Fortune 500, it was months or years before they were even aware they were breached. This leads me to conclude the following:

It isn't important to increase spending on detection of network breaches.
Why, you might ask? Because you have already been breached. Your reaction to this information is merely a function of whether you know it or not, whether you have the capability to detect it at all or not, and whether the bad guy has chosen to do something with their access or not. How can I possibly say this? Companies with virtually unlimited IT security budgets have been cracked wide open, and this is what we see today:

  1. Target - usernames and passwords leaking led to this hack (weak identity controls)
  2. Lockheed Martin - specifications to the F35 Joint Strike Fighter were exposed (massive loss of intellectual property and a decent risk to national security)
  3. Sony - malware damages stored information (the wholesale destruction of corporate data)
  4. Sony (again) - Cyber Terrorism from a nation state
  5. The Office of Personnel Management - breach still under review but all signs point to Cyber Espionage to get details of government personnel
  6. Premera - so much for my personal healthcare data!

Need I continue? In the above attacks, and many I didn't discuss, the problem wasn't the network. And for the most part it wasn't the servers. The weak link was, and is, the users: their devices, their credentials, and the ability to keep the information they share out of the hands of bad people. Seems pretty straightforward. So how do you attack these things holistically? I'm glad you asked.

To combat these evolving challenges, Microsoft has invested in three main areas with Windows 10: make attacking Windows economically difficult, disrupt attackers' ability to hack in a repeatable fashion, and eliminate attack vectors entirely (not just make them harder, truly eliminate the vector). How? Think about this list:

  1. (Old) Passwords --- (New) Pervasive Multi Factor Authentication
  2. (Old) Disk Encryption --- (New) Disk Encryption plus Data Loss Prevention
  3. (Old) Detect Bad Software and then React --- (New) Secure by Default
  4. (Old) Rely on Software to Protect --- (New) Rely on both Software and Hardware to Protect

These concepts lead to four main triage points that Microsoft has addressed in Windows 10. I'll dive into those triage points in my next post!