Webinar Fondazione CRUI - Microsoft: Cyber Security in Universities
TRANSCRIPT
[Page 1]
Fighting Malware & Reducing Risk
Andrea Piazza
National Security Officer – Microsoft Italy
[Page 2]
Threat trends
[Page 3]
Advanced Persistent Threat (APT)
Commodity Malware: very prevalent; made for the public; cheap; designed for short-term gain. Examples: Conficker, Cryptolocker.
Targeted Attacks: unique, low volume; tailored & custom made; expensive; designed for long-term gain. Examples: Stuxnet, APT28.
[Page 4]
Ransomware
Evolution and Enterprise Mitigations
[Page 5]
Ransomware by country or region
[Page 6]
Modern Multi-Stage Ransomware Attacks
Stages: Plan, Enter, Traverse, Encrypt (Command and Control throughout)
Impact scale: Individual Device/User Impact, then Enterprise Impact
[Page 7]
A Pragmatic Three Part Strategy
1. Block attacks at the front line
• Raise attacker costs to compromise entry points
• Internet facing servers
• Workstations and Users
2. Defenses to contain attackers
• Assume front line defenses will fail
• Raise attacker cost to traverse environment and encrypt data
• Rapid response to detect threats and disrupt attack(s)
3. Data backup in case of emergency
• Assume all defenses will fail
• Restore data from backups that are inaccessible to attackers
[Page 8]
Immediate Front Line Defenses
Internet Server Defenses
1. Apply Security Updates (Upgrade OS and App as needed)
2. Operational Hygiene (restrict exposure of privileged access from endpoints)
3. Configuration Hygiene (Change default passwords, apply security configurations)
Workstation and User Defenses
4. Application Reputation
5. Mail Content Protections
6. Apply Security Updates (Basic)
7. Exploit Mitigations
8. User Education
[Page 9]
Defenses to contain attackers
1. Remove Excessive Access to Shared Files
• Remove file share & SharePoint permissions for large groups to overwrite data (Everyone, Authenticated Users, Domain Users, etc.)
2. Securing Privileged Access (SPA) Roadmap
• Immediately implement Stage 1 (separate admin accounts and workstations, random local admin passwords)
• Begin planning Stages 2 and 3
3. Security Operations: Fast Detect and Cleanup
• Leverage cloud enabled anti-malware capabilities for real-time analysis/response (e.g. Windows Defender with Microsoft Active Protection Service (MAPS) enabled and Defender ATP)
• Ensure availability of experienced analysts & responders
Diagram: example ACL entry "Everyone: Full Control / Modify"; Active Directory and Azure Active Directory; http://aka.ms/sparoadmap; Detect, Respond, Recover
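One way to find the over-broad write permissions that item 1 above asks you to remove, as an added PowerShell example that is not part of the webinar material. The share paths are constructed placeholders, and the list of broad principals (including BUILTIN\Users) is an assumption to extend for your own domain.

```powershell
# Added example (not from the webinar): report ACL entries that let large groups change data.
# Assumptions: run on a Windows host that can reach the paths; $Paths is constructed sample input.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
# "Domain Users" is domain-qualified (CONTOSO\Domain Users), so match on the trailing group name.
$BroadPatterns = @('\\Domain Users$')

# Rights that allow changing or destroying data; read-only access is not the ransomware problem.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
# Inherited ACEs sometimes carry unexpanded generic rights; GENERIC_ALL | GENERIC_WRITE include write.
$GenericWriteMask = 0x50000000

function Test-BroadPrincipal {
    param([string]$Identity)
    if ($BroadPrincipals -contains $Identity) { return $true }
    foreach ($pattern in $BroadPatterns) {
        if ($Identity -match $pattern) { return $true }
    }
    return $false
}

function Find-BroadWriteAccess {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            # Only Allow entries grant anything; Deny entries are not the problem here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not (Test-BroadPrincipal $ace.IdentityReference.Value)) { continue }
            $rights = [int]$ace.FileSystemRights
            $hasWrite = (($rights -band [int]$WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)
            if (-not $hasWrite) { continue }
            [pscustomobject]@{
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries must be fixed at the parent
            }
        }
    }
}

# Constructed sample input: replace with the shares and web roots you actually need to review.
$Paths = @('\\fileserver\shared', 'C:\inetpub\wwwroot')
Find-BroadWriteAccess -Paths $Paths | Format-Table -AutoSize
```

Only the listed paths are checked; wrap the call in Get-ChildItem -Directory -Recurse to cover subfolders with their own explicit ACLs.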
[Page 10]
Key Resources
Ransomware: Understanding the Risk http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/
How to Deal with Ransomware https://blogs.technet.microsoft.com/office365security/how-to-deal-with-ransomware/
[Page 11]
Attack chain
RECON: Fingerprint; Observation; OSINT
WEAPONIZE: Lure; zero-day / EK; Social engineering
DELIVERY: Waterhole; Spear-phish; MITM
EXPLOIT: Installation; Dropper; Downloader
INSTALL: Installation; EOP/Gain privilege; Persistence
C&C: Exploration; Info gathering; Lateral Movements
ACTIONS: Exfiltration; Destruction; Compromise
APT: Delivery methods (Strontium)
Spear-phishing attachments: lures, Office CVEs
Spear-phishing drive-by URLs: IE/Flash/Java CVEs
Social-engineered code-exec: Firefox XPI
Social-engineer drive-by login: OWA, Yahoo, Gmail
[Page 12]
Targeted Attacks Typical Timeline & Observations
Timeline: Research & Preparation; First Host Compromised; 24-48 Hours later, Domain Admin Compromised; Data Exfiltration (Attacker Undetected) for 11-14 months; Attack Discovered
Attack Sophistication: Attack operators exploit any weakness; Target information on any device or service
Attacks not detected: Current detection tools miss most attacks; You may be under attack (or compromised)
Target AD & Identities: Active Directory controls access to business assets; Attackers commonly target AD and IT Admins
Response and Recovery: Response requires advanced expertise and tools; Expensive and challenging to successfully recover
[Page 13]
Privilege Escalation with Credential Theft (Typical)
1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)
24-48 Hours
[Page 14]
Attack Scenario: Initial Compromise
An attacker obtains local administrative rights to a computer by enticing a victim into executing a malicious application, exploiting a known or unpatched vulnerability, or through some other means.
Countermeasures: Patching (MS & 3rd party); Least Privilege; User Education; Email protection; Threat Detection; App Whitelisting
(Diagram: Domain Controller)
[Page 15]
Attack Scenario: Lateral Movement
Attacker exploits shared secrets (e.g. password hashes, etc.) on a computer to access similar hosts at the same trust level.
Countermeasures: Randomize Local Admin password; Host firewall across clients; Deny logon via network; Credential Guard
(Diagram: Domain Controller)
[Page 16]
Attack Scenario: Privilege Escalation
Attacker is able to capture privileged account credentials used to administer higher level resources (servers illustrated).
Countermeasures: Do not expose privileged credentials; Credential partitioning; Services and Application Hardening
(Diagram: Domain Controller)
[Page 17]
Attack Scenario: Complete Compromise
If a domain administrator account is captured along the way, the infrastructure is completely compromised.
Countermeasures: Detection through monitoring and alerting is key.
(Diagram: Domain Controller)
[Page 18]
Strategies for attack detection and prevention
[Page 19]
Key Guidance Resources
Credential Theft Portal www.microsoft.com/PTH
Credential Theft Whitepapers and Resources
Determined Adversaries and Targeted Attacks http://www.microsoft.com/en-us/download/details.aspx?id=34793
Security Intelligence Report (SIR) http://www.microsoft.com/SIR
[Page 20]
Key Preventive Controls
1. Admin Workstations & Logon Restrictions: Domain Admins; Server, Application, and Cloud Infrastructure Admins; Workstation Admins
2. Random Local Account Passwords: Workstations; Servers; Specialized Devices (Cash Registers, ATMs, etc.)
3. RDP /RestrictedAdmin Mode: Server and Application Admins; Workstation and Specialized Device Admins
Do these NOW!
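A host-side posture check for controls 2 and 3 above (random local admin passwords via LAPS, RDP RestrictedAdmin mode), extended to the "deny logon via network" right the deck lists among lateral-movement countermeasures. This is an added PowerShell example, not from the webinar; it assumes an elevated session on the host being assessed and the documented registry locations for the legacy LAPS client (AdmPwd) and for RestrictedAdmin mode (DisableRestrictedAdmin).

```powershell
# Added example (not from the webinar): check the local "do these now" controls on one host.
# Assumptions: elevated PowerShell; legacy LAPS client (AdmPwd policy key); secedit.exe available.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Test-RestrictedAdminEnabled {
    # DisableRestrictedAdmin = 0 turns RestrictedAdmin RDP on; missing or 1 means it is off.
    $value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'
    return ($null -ne $value -and $value -eq 0)
}

function Get-LapsPolicy {
    # Legacy LAPS reads its policy from this key; AdmPwdEnabled = 1 means the client rotates the password.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    [pscustomobject]@{
        Enabled         = ((Get-RegValue $base 'AdmPwdEnabled') -eq 1)
        PasswordAgeDays = Get-RegValue $base 'PasswordAgeDays'
    }
}

function Get-DenyNetworkLogon {
    # Export the local user-rights assignment and read "Deny access to this computer from the network".
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeDenyNetworkLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }     # right not assigned to anyone
    # File format: SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-114
    return (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Get-LocalAdminControlPosture {
    $laps = Get-LapsPolicy
    $deny = Get-DenyNetworkLogon
    [pscustomobject]@{
        RestrictedAdminEnabled = Test-RestrictedAdminEnabled
        LapsEnabled            = $laps.Enabled
        LapsPasswordAgeDays    = $laps.PasswordAgeDays
        # S-1-5-114 = "Local account and member of Administrators group": denying it network
        # logon stops a stolen local admin password from being reused against other hosts.
        LocalAdminsDeniedNetworkLogon = ($deny -contains 'S-1-5-114')
        DenyNetworkLogonSids   = $deny -join ','
    }
}

Get-LocalAdminControlPosture | Format-List
```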
[Page 21]
Tier 0 Administration Security: Domain/Enterprise Admins and Equivalent
Good/Minimum:
• Separate Admin Desktops and associated IT Admin process changes
• Separate Admin Accounts
• Remove accounts from Tier 0: Service Accounts; Personnel - Only DC Maintenance, Delegation, and Forest Maintenance
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive redesign of IT Process and Privilege Delegation
Best:
• Administrative Forest (for AD admin roles in current releases)
• Credential Guard
• Microsoft Passport and Windows Hello
[Page 22]
Tier 1 Administration Security: Human admins of Servers, Cloud Services, Virtualization, Management Tools, etc. (that aren't Tier 0)
Good/Minimum:
• Separate Admin Accounts
• Separate Admin Desktops
• Associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or alternate from PTHv1
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Best:
• Credential Guard
• Microsoft Passport and Windows Hello
[Page 23]
Tier 2 Administration Security: Human admins of User Workstations, User Devices, Printers, etc. (Typically helpdesk and PC support)
Good/Minimum:
• Separate Admin Accounts
• Separate Admin Desktops
• Associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or alternate from PTHv1
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Best:
• Credential Guard
• Microsoft Passport and Windows Hello
[Page 24]
Securing Privileged Access (SPA) Roadmap: Top Defenses for Targeted Attacks
• Comprehensive Strategy
• Prioritized 3 Phase Plan
• Detailed technical instructions
http://aka.ms/SPAroadmap
Based on real world experience deploying Microsoft cybersecurity services solutions
[Page 25]
Protecting Active Directory and Admin privileges (2-4 weeks)
First response to the most frequently used attack techniques
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS
[Page 26]
Protecting Active Directory and Admin privileges (1-3 months)
Build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs) Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/JEA
3. Lower attack surface of Domain and DCs http://aka.ms/HardenAD
4. Domain Controller Security Updates: Target full deployment within 7 days
5. Attack Detection http://aka.ms/ata
6. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM
7. Multi-factor for elevation
[Page 27]
Protecting Active Directory and Admin privileges (6+ months)
Move to proactive security posture
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport
3. Admin Forest for Active Directory administrators http://aka.ms/ESAE
4. Apply Baseline Security Policies to DCs
5. Code Integrity Policy for DCs (Server 2016)
6. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms
https://www.microsoft.com/security
[Page 28]
The operating system as the first line of defense
[Page 29]
Windows Server security timeline (2004, 2007, 2009, 2012, 2013, 2016)
From hardening the operating system to defending against emerging threats across the on-premises datacenter and the cloud.
Windows Server 2003: Secure by design, secure by default
Key Threats: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; Mainly exploiting buffer overflows; Script kiddies; Time from patch to exploit: several days to weeks
Key features: Credential manager; Operation-based auditing; Data encryption; Services turned off by default
Windows Server 2008: Harden the platform
Key Threats: Zotob (2005); Attacks «moving up the stack» (Summer of Office 0-day); Rootkits; Exploitation of Buffer Overflows; Script Kiddies; Rise of Phishing; User running as Admin
Key features: Windows Firewall; User Account Control (UAC); Server Core installation option
Windows Server 2012: Protect information, protect the environment
Key Threats: Organized Crime; Botnets; Identity Theft; Conficker (2008); Time from patch to exploit: days
Key features: Credentials protections; BitLocker enhancements; Virtual Smart Card; AppLocker enhanced; File classification and encryption; Dynamic Access Control (DAC)
Windows Server 2016: Assume breach, secure the guest
Key Threats: Organized Crime, potential state actors; Sophisticated Targeted Attacks; Operation Aurora (2009); Stuxnet (2010); Hacktivism (Anonymous)
Key features: Just in Time and Just Enough Administration; Shielded Virtual Machines with Host Guardian Server; Virtualization Based Code Integrity; Credential Guard
[Page 30]
Windows client security timeline (2001, 2004, 2007, 2009, 2012, 2015)
Key Threats: Melissa (1999), Love Letter (2000); Mainly leveraging social engineering
Windows XP: Logon (Ctrl+Alt+Del); Access Control; User Profiles; Security Policy; Encrypting File System (File Based); Smartcard and PKI Support; Windows Update
Key Threats: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; Mainly exploiting buffer overflows; Script kiddies; Time from patch to exploit: several days to weeks
Windows XP SP2: Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Security Development Lifecycle (SDL); Auto Update on by Default; Firewall on by Default; Windows Security Center; WPA Support
Key Threats: Zotob (2005); Attacks «moving up the stack» (Summer of Office 0-day); Rootkits; Exploitation of Buffer Overflows; Script Kiddies; Rise of Phishing; User running as Admin
Windows Vista: BitLocker; Improved ASLR and DEP; Full SDL; User Account Control; Internet Explorer SmartScreen Filter; Digital Rights Management; Firewall improvements; Signed Device Driver Requirements; TPM Support; Windows Integrity Levels; Secure "by default" configuration (Windows features and IE)
Key Threats: Organized Crime; Botnets; Identity Theft; Conficker (2008); Time from patch to exploit: days
Windows 7: Improved ASLR and DEP; Full SDL; Improved IPSec stack; Managed Service Accounts; Improved User Account Control; Enhanced Auditing; Internet Explorer SmartScreen Filter; AppLocker; BitLocker to Go; Windows Biometric Service; Windows Action Center; Windows Defender
Key Threats: Organized Crime, potential state actors; Sophisticated targeted attacks; Aurora (2009) and Stuxnet (2010); Password and digital identity theft and misuse; Signature-based AV unable to keep up; Digital signature tampering; Browser plug-in exploits; Data loss on BYOD devices
Windows 8: Firmware Based TPM; UEFI (Secure Boot); Trusted Boot (w/ELAM); Measured Boot; Significant Improvements to ASLR and DEP; AppContainer; Internet Explorer 10 (Plugin-less and Enhanced Protected Modes); Application Reputation moved into Core OS; Device Encryption (All SKU); BitLocker improvements and MBAM; Virtual Smartcards; Dynamic Access Control; Built-in AV (Windows Defender); Improved Biometrics; TPM Key Protection and Attestation; Certificate Reputation; Provable PC Health; Remote Business Data Removal
Key Threats: Nation states actively attacking private institutions; CryptoLocker (2013) and APTs at scale; Adding disruption and terror to the playbook; Rampant password theft and abuse; Pass the Hash becomes part of the default playbook; AV unable to keep up
Windows 10: Virtual Secure Mode; Virtual TPM; Control Flow Guard; Microsoft Passport; Windows Hello; Biometric Framework Improvements (Iris, Facial); Broad OEM support for Biometric enabled devices; Enterprise Data Protection; Device Encryption supported on broader range of devices; DMA Attack Mitigations; Device Guard; URL Reputation Improvements; App Reputation Improvements; Windows Defender Improvements; Provable PC Health Improvements
[Page 31]
AppLocker
An application control solution that prevents unwanted and/or unknown applications from running. Configurable in block or audit mode. Whitelist or blacklist approach. AppLocker provides security protection together with operational and compliance benefits. AppLocker can enforce application standardization. AppLocker can be one component of an organization's overall security strategy.
[Page 32]
BitLocker
Windows BitLocker is a feature available in the Windows Client and Server operating systems that encrypts all data stored on the Windows operating system volume and on the configured data volumes. Using the TPM (Trusted Platform Module), it also guarantees the integrity of the boot components. It allows the use of a startup PIN. It allows centralized management of configurations and recovery of unlock keys (through the MBAM tool, part of the Microsoft Desktop Optimization Pack).
[Page 33]
Key New Technologies
Device Guard
Credential Guard: Move LSASS secrets into Virtual Secure Mode (VSM) OS Instance
Microsoft Passport: New Authentication Protocol based on Hardware Bound Keys
Windows Hello: Easy to Use Biometrics to unlock credential access
Privileged Access Management: Just in Time (JIT) privileges
Advanced Threat Analytics: Detect attacks through anomalous authentication patterns
Local Administrator Password Solution
[Page 34]
BIOS vs UEFI
UEFI (Unified Extensible Firmware Interface) is a standard firmware interface for PCs designed to replace the BIOS (Basic Input/Output System).
- Created by more than 140 technology companies within the UEFI consortium, of which Microsoft is a member, to improve software interoperability and overcome the limitations of the BIOS.
Advantages of UEFI firmware include:
- Improved security, thanks to protection of the pre-boot process against bootkit attacks.
- Faster boot and resume-from-hibernation times.
- Support for drives larger than 2.2 terabytes (TB).
- Support for 64-bit firmware device drivers that the system can use to address more than 17.2 billion gigabytes (GB) of memory during startup.
[Page 35]
Secure Boot (UEFI)
UEFI-based security levels: UEFI verifies the boot loader. It can be configured to load only verified files.
[Page 36]
Security innovations in Windows 10
• Windows Hello (easier device sign-in through biometrics)
• Microsoft Passport (two-factor authentication sign-in)
• Credential Guard* (protection against Pass the Hash attacks)
• Device Guard** (device lock down, execution of certified apps only)
• Enterprise Data Protection (separation of personal and corporate data)
* Requires Enterprise Edition x64, UEFI 2.3.1 or higher, Virtualization Extensions, VT-d or AMD-Vi IOMMU, TPM (2.0 Recommended), Secure firmware update process
** Requires Enterprise Edition, UEFI 2.3.1 or higher, Trusted Boot, Virtualization-based Security
[Page 37]
Microsoft Passport – Phone sign-in
[Page 38]
Microsoft Passport
IDP: Active Directory, Azure AD, Google, Facebook, Microsoft Account
1. User (Windows 10) proves identity to the IDP
2. "Trust my unique key"
3. "Here is your authorization token"
4. Intranet Resource: "I trust tokens from IDP"; Internet Resource: "So do I"
[Page 39]
Credential Guard
Architecture diagram: Hardware; Hypervisor; Virtual Secure Mode (VSM) Kernel hosting the Local Security Auth Service, a Virtual TPM and Hypervisor Code Integrity; Windows Kernel with Windows Platform Services and Apps
[Page 40]
Device Guard Workflow
Boot chain: ROM/Fuses; Bootloaders; Native UEFI (UEFI Secure Boot / Platform Secure Boot); Windows OS Loader; Windows Kernel and Drivers, ELAM, 3rd Party Drivers (KMCI, enforced by VBS - HVCI); User Mode Code (Apps) (UMCI, AppLocker)
Definitions: UEFI = Unified Extensible Firmware Interface; ELAM = Early Launch Anti-Malware; VBS = Virtualization based Security; HVCI = Hypervisor based Code Integrity; KMCI = Kernel-mode Code Integrity; UMCI = User-mode Code Integrity
[Page 41]
Credential/Device Guard Requirements (table with Credential Guard and Device Guard columns)
• Windows 10 Enterprise Edition
• UEFI firmware version 2.3.1 or higher and Secure Boot
• Virtualization extensions
• Firmware lock
• x64 architecture
• A VT-d or AMD-Vi IOMMU
• Secure firmware update process
• The firmware is updated for Secure MOR
• TPM 1.2 or 2.0
• Physical PC
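A readiness check against the requirements above, as an added PowerShell example that is not from the webinar. It assumes an elevated session on the Windows 10 host and uses the Win32_DeviceGuard CIM class, Confirm-SecureBootUEFI, Get-Tpm and the LsaCfgFlags registry value to report what the platform offers versus what is actually running.

```powershell
# Added example (not from the webinar): compare the slide's requirements with what this host reports.
# Assumptions: elevated PowerShell on Windows 10; Win32_DeviceGuard, Confirm-SecureBootUEFI and Get-Tpm present.

function Get-DeviceGuardStatus {
    # Documented code values for Win32_DeviceGuard:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
    #   AvailableSecurityProperties:       1 = hypervisor support, 2 = Secure Boot,
    #                                      3 = DMA protection (IOMMU), 4 = Secure Memory Overwrite (MOR)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ([int[]]$dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ([int[]]$dg.SecurityServicesRunning -contains 2)
        HypervisorSupport      = ([int[]]$dg.AvailableSecurityProperties -contains 1)
        SecureBootAvailable    = ([int[]]$dg.AvailableSecurityProperties -contains 2)
        DmaProtection          = ([int[]]$dg.AvailableSecurityProperties -contains 3)
        SecureMor              = ([int[]]$dg.AvailableSecurityProperties -contains 4)
    }
}

function Get-PlatformPrerequisites {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }  # throws on legacy BIOS
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }                                # fails when no TPM
    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0 or absent = off
    $cfg = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        EnterpriseEdition         = ($os.Caption -match 'Enterprise')
        X64                       = ($os.OSArchitecture -like '64*')
        SecureBootOn              = $secureBoot
        TpmPresent                = ($null -ne $tpm -and $tpm.TpmPresent)
        PhysicalPc                = ($cs.Model -notmatch 'Virtual')   # heuristic: VM models usually say "Virtual"
        CredentialGuardConfigured = ($cfg -in 1, 2)
        CredentialGuardUefiLock   = ($cfg -eq 1)
    }
}

function Get-GuardReadiness {
    $dg = Get-DeviceGuardStatus
    $pf = Get-PlatformPrerequisites
    # One row per requirement on the slide, plus the runtime state that tells you whether it paid off.
    @(
        [pscustomobject]@{ Requirement = 'Windows 10 Enterprise Edition'; Met = $pf.EnterpriseEdition }
        [pscustomobject]@{ Requirement = 'UEFI and Secure Boot';          Met = $pf.SecureBootOn -and $dg.SecureBootAvailable }
        [pscustomobject]@{ Requirement = 'Virtualization extensions';     Met = $dg.HypervisorSupport }
        [pscustomobject]@{ Requirement = 'x64 architecture';              Met = $pf.X64 }
        [pscustomobject]@{ Requirement = 'VT-d / AMD-Vi IOMMU';           Met = $dg.DmaProtection }
        [pscustomobject]@{ Requirement = 'Secure MOR firmware';           Met = $dg.SecureMor }
        [pscustomobject]@{ Requirement = 'TPM 1.2 or 2.0';                Met = $pf.TpmPresent }
        [pscustomobject]@{ Requirement = 'Physical PC';                   Met = $pf.PhysicalPc }
        [pscustomobject]@{ Requirement = 'Credential Guard configured';   Met = $pf.CredentialGuardConfigured }
        [pscustomobject]@{ Requirement = 'Credential Guard running';      Met = $dg.CredentialGuardRunning }
        [pscustomobject]@{ Requirement = 'HVCI (Device Guard) running';   Met = $dg.HvciRunning }
    )
}

Get-GuardReadiness | Format-Table -AutoSize
```

A host where "configured" is true but "running" is false is the case to chase: it usually means a missing platform prerequisite higher in the list, and the Windows Defender System Guard / Device Guard readiness events in the Microsoft-Windows-DeviceGuard log say which one.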
[Page 42]
Enterprise Data Protection
Protects data both on the device and outside it. Policies can be configured to block data leakage.
Integrated into Windows
Separates personal data from corporate data
Prevents unauthorized applications from accessing sensitive data
Remote wipe of corporate data
[Page 43]
Conclusions
• The threat trend shows a continuous increase in the sophistication and frequency of attacks
• Microsoft recommends that all organizations adopt the Securing Privileged Access roadmap
• The operating system, with its security features, is an effective barrier against modern attacks, as part of a multi-layered security strategy