Imagine that a senior employee’s laptop is stolen. Are the security precautions you have in place today sufficient to stop the thief from extracting valuable information or credentials from the laptop?
As digital transformation reshapes workplaces, two critical trends emerge: the growing number and types of endpoint devices, like laptops and desktops, and the urgent need to secure them and their data. Despite security becoming a top priority for IT investments, only 27% of organizations have a comprehensive data protection strategy, according to IDG's 2019 Digital Business survey. With endpoint devices increasingly becoming targets for cyber attacks, IT and security teams are now collaborating more than ever to proactively identify vulnerabilities. A State of the CIO survey reveals that 64% of organizations already integrate security tightly into their IT strategies, a figure expected to rise to 82% within three years.
This increased focus on security is influencing all tech purchases and pushing security teams to update their approaches. Traditional methods like firewalls and antivirus software are no longer enough. Modern endpoint security now spans from device firmware to cloud services, focusing on user privileges, timely software updates, and robust encryption mechanisms for data both in transit and at rest. The objective is to provide a comprehensive endpoint security strategy, covering device access and management alongside the device itself.
Modern Windows-based devices, such as Microsoft Surface, contain sophisticated, mature hardware and firmware designed for securing the device and the software that runs on it. An optimal security strategy takes advantage of these features and empowers administrators to control even the lowest level of hardware settings without having to touch the machine.
TPM and UEFI
The two most important device components are the Trusted Platform Module (TPM) and the Unified Extensible Firmware Interface (UEFI).
TPM is a crypto-processor that is resistant both to physical tampering and the efforts of malicious software to change or interfere with it. TPM can generate, store, and control the use of cryptographic keys. It comes with a unique, embedded, and unchangeable RSA key that provides strong device authentication.
UEFI is a standard for a much more sophisticated version of what we used to call BIOS (Basic Input/Output System), the ROM in the PC used for booting and certain hardware access. The UEFI is a mini-operating system itself, whose job is to load the operating system. An implementation of UEFI, conforming to the specification, is delivered by the device manufacturer. But UEFI is itself extensible (the E in UEFI) by the manufacturer and the operating system.
The UEFI in Surface devices was written by Microsoft, so updates to it are pushed to the customer automatically through Windows Update for Business rather than having to be manually pulled by IT and packaged for delivery to users. This makes updates not only more timely, but also more likely to be applied.
The importance of quick UEFI updates became clear following a spate of speculative execution side-channel attack vulnerabilities, including Meltdown and Spectre, two chip-level flaws discovered in early 2018 that could allow attackers to access data previously considered completely protected.
Secure, Trusted, and Measured Boot
When a PC with UEFI and TPM boots up, it first verifies that the bootloader was digitally signed with a trusted certificate from among those stored in the TPM. This process is called Secure Boot, and it is designed to prohibit unauthorized software from running at boot time.
These measures provide substantial protection against boot-stage malware, commonly called bootkits and rootkits, and against tampering with boot software. These dangerous and largely invisible exploits continue to be found in the wild.
Boot-stage protections don’t stop there. Attackers may also attempt to compromise a device with malicious software designed to launch in the early stages of Windows boot. One example of this is ZeroAccess, a Windows driver-level rootkit that used encrypted NTFS alternate data streams for storage.
To counter this threat, Measured Boot is a process that can run before an anti-malware product loads, providing further assurance that the boot process hasn’t been compromised.
A successful infection by this malware would not necessarily be blocked by Secure Boot, but it would be blocked by other measures, such as a hardware root of trust enforced by the CPU.
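As an added illustration (not code from the article or from Microsoft), the script below reports whether the TPM and Secure Boot are in place on a Windows device and lists the signing certificates in the UEFI Secure Boot signature database (the "db" variable that the firmware consults when it verifies the bootloader). It assumes an elevated PowerShell session on a UEFI machine and uses the built-in Get-Tpm, Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets; the EFI_SIGNATURE_LIST layout and the X.509 type GUID come from the UEFI specification.

```powershell
# Added example, not from the article: audit boot-security posture and parse the
# EFI_SIGNATURE_LIST entries of the Secure Boot "db" variable into certificates.

# EFI_CERT_X509_GUID from the UEFI specification: marks a list of DER-encoded X.509 certificates
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name db).Bytes)
    $offset = 0
    # Walk each EFI_SIGNATURE_LIST: SignatureType GUID (16 bytes), then SignatureListSize,
    # SignatureHeaderSize and SignatureSize as three little-endian UINT32 values (28-byte header)
    while ($offset + 28 -le $Bytes.Length) {
        $sigType    = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }  # malformed list: stop
        $dataEnd = $offset + $listSize
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            # Each EFI_SIGNATURE_DATA entry is a 16-byte SignatureOwner GUID followed by the DER certificate;
            # hash-type lists (other GUIDs, e.g. revoked image hashes) are skipped here
            for ($p = $offset + 28 + $headerSize; $p + $sigSize -le $dataEnd; $p += $sigSize) {
                $der  = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            }
        }
        $offset = $dataEnd
    }
}

function Get-BootSecurityPosture {
    $tpm = Get-Tpm   # TpmPresent/TpmReady: is the crypto-processor available for keys and measurements?
    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        SecureBootEnabled = Confirm-SecureBootUEFI   # $true only when the firmware enforces signature checks
        TrustedSigners    = @(Get-SecureBootDbCertificates)
    }
}

$posture = Get-BootSecurityPosture
$posture | Select-Object TpmPresent, TpmReady, SecureBootEnabled | Format-List
# Review the signers: anything beyond the expected OEM and Microsoft CAs deserves investigation
$posture.TrustedSigners | Format-Table Subject, NotAfter -AutoSize
```

A device that reports TpmReady and SecureBootEnabled as false, or an unexpected signer in the db, is one on which the boot-stage protections described above are not actually in force.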
Access to the Endpoint Device
New technologies make it possible for passwords to be required rarely, if at all. Eventually, you should be able to remove passwords from your identity directory entirely – eliminating a significant vulnerability.
Authentication is stronger when it involves more than one authentication factor, and in particular, more than one type of factor.
Multifactor authentication dramatically reduces the risk of many forms of attack, including phishing, a common method for attackers to gain initial entry to a network.
A variety of other established methods provide strong authentication without the limitations of passwords. These include biometrics, smart cards, and authenticator apps.
Biometrics
Biometric authentication products are growing in both availability and sophistication. Windows 10, for example, includes Windows Hello for Business, which authenticates the user with a biometric or a PIN. These credentials are tied to the device and stored in the TPM.
Smart Cards and FIDO Devices
The strongest form of “something you have” authentication is a cryptographic hardware token. These inexpensive devices contain crypto-processors that can sign data digitally with a secure private key, which can then be validated by the system with the corresponding public key. Smart cards are credit-card-sized tokens that the user inserts into a special reader.
Smartphone-based Authentication
Another solution is to use a smartphone as an authentication factor. The best way to do this is to use an authenticator app, such as Microsoft Authenticator. When the login process asks for an authentication code, the user goes to the authenticator app and looks up the code for the service they are logging into.
A hardware token has additional physical and cryptographic safeguards that make it the most secure complement to biometrics, but any second factor added to authentication will add significant protection to the resources behind the login. Authentication factors can prevent many of the common phishing schemes used to access payroll or other systems.
Deployment, Redeployment and Retirement
Endpoint security continues throughout the device lifecycle. Deploying and managing hardware devices used to require that IT develop and maintain system images for every device type they supported. Then, for each individual system, a technician in-house or at the device maker had to wipe the hard drive and apply the proper operating system image to it before sending it on to the user, ensuring that the approved software and policies were set on it.
Zero-touch Device Deployment
Intelligent cloud services make this time-consuming step unnecessary. Windows AutoPilot, for example, automates all stages of the device lifecycle, both for IT and users. The device can go straight from the manufacturer to the customer and the security process begins when you purchase new equipment. The hardware vendor sends a file containing the hardware IDs of the new equipment. IT uploads these IDs into the Windows AutoPilot deployment service using an Active Directory administrator account and claims ownership of those devices for the organization. After the first such operation, the hardware vendor can perform this step on your behalf.
Next, the IT administrator creates a deployment profile in AutoPilot and assigns it to the devices. You can create a default profile and profiles for groups and individuals. This profile customizes each person’s setup experience, including whether they are allowed a local administrator account. At this point, you can ship the device directly from the hardware vendor to the user.
Self-service Setup
When the user turns the device on and goes online, the setup begins. Windows AutoPilot recognizes that the device belongs to your organization and delivers the setup experience created for it. The user logs in with their organization email address and whatever other authentication factors the company requires, automatically enrolling in Mobile Device Management.
At this point, the device is set up with Microsoft Intune for management, and Intune begins to push policies and software to the device. Many of the typical questions, such as those having to do with configuration and registration, are bypassed because the deployment profile has answered them already. With just a few clicks, the device is ready to use and IT has not had to lay a finger on it.
After a conventional “out of box” experience, the user is signed in as a local administrator. Using Windows AutoPilot, by comparison, allows the user to set up the device and be logged in with a standard account, which automatically removes many avenues of attack on the system.
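The hardware-ID step of the procedure above, as an added example rather than Microsoft's own Get-WindowsAutoPilotInfo script: it reads the device's hardware hash through the MDM bridge WMI class and writes the CSV that IT uploads to the Autopilot deployment service. It assumes an elevated PowerShell session on the device being registered, the CSV header layout "Device Serial Number, Windows Product ID, Hardware Hash", and that the product ID column may be left blank; the hash-length threshold is an assumed sanity value.

```powershell
# Added example, not from the article: collect the Autopilot hardware hash and
# write the registration CSV. Requires an elevated session on the device.

function Get-AutopilotDeviceIdentity {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    # The MDM bridge provider exposes the same hardware hash the Autopilot service keys on
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
                                 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
        throw 'No hardware hash returned; the MDM bridge provider requires an elevated session.'
    }
    # Column names follow the Autopilot CSV layout; the product ID column is left
    # blank here (assumption: not needed to register this device)
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotCsv {
    param([string]$Path = (Join-Path $env:TEMP 'AutopilotHWID.csv'))
    Get-AutopilotDeviceIdentity | Export-Csv -Path $Path -NoTypeInformation
    # Export-Csv double-quotes every field; strip the quotes so the file matches the plain header layout
    (Get-Content -Path $Path) -replace '"', '' | Set-Content -Path $Path
    # Sanity check before hand-off: the hash is base64 text and is expected to be
    # a few kilobytes long (1000 characters is an assumed lower bound)
    $hash = (Import-Csv -Path $Path).'Hardware Hash'
    if ($hash -notmatch '^[A-Za-z0-9+/=]+$' -or $hash.Length -lt 1000) {
        throw "Hardware hash in $Path looks malformed."
    }
    $Path
}

Export-AutopilotCsv
```

The resulting file is what an administrator uploads to claim the device; once the hardware vendor performs this step on the organization's behalf, the same hash is what it supplies.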
Streamlined, yet Secure Setup
If the hardware allows it, as with Microsoft Surface devices, IT can enable or disable individual features as part of the setup. This includes the cameras, Micro SD card, Bluetooth, LTE, whether the computer can boot off of a USB device, and many more. In Microsoft Surface devices, this capability is called Surface Enterprise Management Mode (SEMM). This approach minimizes the impact of remote-access trojans and other methods that enable attackers to take control of device components.
Using Microsoft Intune, IT also can wipe a device clean, either because it was lost or stolen or to assign it to a different user. After the wipe, it is reset to the out-of-box experience, at which point proper credentials are once more required for set-up.
Secure from Chip to Cloud
Even the most secure enterprises can be penetrated, but by the same token, even the most talented and resourceful hackers can be defeated. The way to do this is to put impediments in their way at every step.
At the endpoint, you do this by managing the device thoroughly from the beginning of the lifecycle, removing privileges not needed by the user, applying updates to all levels of software promptly, and encrypting data both in transit and at rest.
Modern endpoint systems and the software for managing them make such control practical, without the need to restrict users’ ability to get their work done. Microsoft Surface and management systems like AutoPilot are examples of the state of the art in such technologies.
Nothing connected to the Internet is impregnable, but modern tools and best practices enable businesses of any size to provide a high level of protection, both from sophisticated attackers and user error.