Cyber Threats: the Operating System as the First Line of Defence
Transcript
Cyber Threats. The Operating System as the First Line of Defence. Watch out for those two…

Luca Bechelli, Freelance Security Consultant
• Apple user
• Past: Linux, Windows, other *nix

Dario Brambilla, Senior Premier Field Engineer
• Microsoft padawan
• Past: real life

The best operating system ever… (http://www.thetoptens.com/)
1. Windows 7
2. Windows 8
3. Ubuntu
4. Windows 8.1
5. Windows XP Pro
6. Linux Mint
7. Mac OS X
8. Android
9. Windows XP
10. Fedora

Why we are talking about it…
[Chart: attack types. Defacement 0.4%, DDoS 1.4%, Malware 98.2%. Fastweb data, Clusit 2016 Report]
Copyright (C) Luca Bechelli - all rights reserved – Rome, November 2015

Why we are talking about it…
[Chart: new malware samples detected per month during the period of the event, April 2015 to December 2015; monthly counts between 35 and 3463. Cisco data, Clusit 2016 Report]

Why we are talking about it…
[Chart: operating systems detected during the period of the event. Cisco data, Clusit 2016 Report]

Why we are talking about it
[Chart: level of alarm for the different incident types. IDC data, Clusit 2016 Report]

Why we are talking about it…
[Chart: main risks found at companies, percentages between 20% and 100%. Microsoft data, Clusit 2016 Report]

Complexity
[Visualization by David McCandless at InformationIsBeautiful.net]

Urban legends
• It is more secure
• The app store takes care of it
• It encrypts the data
• There are no viruses
• Just keep the antivirus updated

Urban legends. But…
• Windows and Android are the main targets of malware
• For a few more weeks you can still live on OS X / Linux without an antivirus
• On iOS you cannot even install an antivirus (!?)
It is a matter of Security Model

Common mistakes
“Any piece of malware is one password or vulnerability away from taking full control of the device” (WWDC15 – session 706)
• The mechanisms that guaranteed security “yesterday” are today's “minimum”
• The bad guys know which doors give the best chances of getting in
• Passwords will always be weak
• Users will always click
• The doors that must not be opened have a handle
• All files are treated as equal, and so are the protection criteria
• To reach critical data and functionality it is not (always) necessary to go through the kernel (e.g. man-in-the-browser)

We know what is missing and what is needed, but…
• The data to protect is fragmented
• Users are targeted by malware and phishing
• 99% of applications must behave in a certain way, for example:
  • They should communicate with some sites and not with others
  • They should not write or read in certain locations (and if they do, it should be known…)
  • They should be authentic
  • They should not change system settings, in particular security settings
  • They should use verified or verifiable security mechanisms
  • They should not manage, write, read or know passwords on their own
  • They should not use the user's sensitive data
  • They should use secure protocols

We know what is missing and what is needed, but…
• Awareness is not enough and…
• …end users will never be System Administrators
• …security notifications and permission requests are not within everyone's reach

We know what is missing and what is needed, but…
• An end user's PC is an extension of the web (not the other way round).
• But the security models coming from the web sometimes offer stronger protections for passwords, personal information, etc.
• The browser is the “front door” of the house, not one of its pillars
• It is easy to do even what is not needed…
• …and there are things that, in the end, are better not allowed (by default)

We know what is missing and what is needed, but…
• Not all functionality is equal. Some of it is “in presence”, most of it…
• “Trusted paths” are still missing. For example, not every program needs to install software or change the system configuration
• Security features are useful if they are isolated from one another
• And then… TPM, disk encryption, code signing, TLS, MDM, antivirus, IPS, event management, … are no longer things for the few
• Backward compatibility cannot be a characteristic; it is a feature to be managed, only for those who need it, for what they need

Windows Security Features

Key threats
• 2001 – Melissa (1999), Love Letter (2000); mainly leveraging social engineering
• 2004 – Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks
• 2007 – Zotob (2005); attacks “moving up the stack” (Summer of Office 0-day); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing; users running as Admin
• 2009 – Organized crime; botnets; identity theft; Conficker (2008); time from patch to exploit: days
• 2012 – Organized crime, potential state actors; sophisticated targeted attacks; Aurora (2009) and Stuxnet (2010); password and digital identity theft and misuse; signature-based AV unable to keep up; digital signature tampering; browser plug-in exploits; data loss on BYOD devices
• 2015 – Nation states actively attacking private institutions; CryptoLocker (2013) and APTs at scale; adding disruption and terror to the playbook; rampant password theft and abuse; Pass the Hash becomes part of the default playbook; AV unable to keep up

Windows XP (2001)
• Logon (Ctrl+Alt+Del)
• Access Control
• User Profiles
• Security Policy
• Encrypting File System (file based)
• Smartcard and PKI support
• Windows Update

Windows XP SP2 (2004)
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Security Development Lifecycle (SDL)
• Auto Update on by default
• Firewall on by default
• Windows Security Center
• WPA support

Windows Vista (2007)
• BitLocker
• Improved ASLR and DEP
• Full SDL
• User Account Control
• Internet Explorer SmartScreen Filter
• Digital Rights Management
• Firewall improvements
• Signed device driver requirements
• TPM support
• Windows Integrity Levels
• Secure “by default” configuration (Windows features and IE)

Windows 7 (2009)
• Improved ASLR and DEP
• Full SDL
• Improved IPsec stack
• Managed Service Accounts
• Improved User Account Control
• Enhanced auditing
• Internet Explorer SmartScreen Filter
• AppLocker
• BitLocker To Go
• Windows Biometric Service
• Windows Action Center
• Windows Defender

Windows 8 (2012)
• Firmware-based TPM
• UEFI (Secure Boot)
• Trusted Boot (with ELAM)
• Measured Boot
• Significant improvements to ASLR and DEP
• AppContainer
• Internet Explorer 10 (plugin-less and Enhanced Protected Modes)
• Application reputation moved into the core OS
• Device Encryption (all SKUs)
• BitLocker improvements and MBAM
• Virtual smartcards
• Dynamic Access Control
• Built-in AV (Windows Defender)
• Improved biometrics
• TPM key protection and attestation
• Certificate reputation
• Provable PC Health
• Remote Business Data Removal

Windows 10 (2015)
• Virtual Secure Mode
• Virtual TPM
• Control Flow Guard
• Microsoft Passport
• Windows Hello
• Biometric framework improvements (iris, facial)
• Broad OEM support for biometric-enabled devices
• Enterprise Data Protection
• Device Encryption supported on a broader range of devices
• DMA attack mitigations
• Device Guard
• URL reputation improvements
• App reputation improvements
• Windows Defender improvements
• Provable PC Health improvements

Security Strategy
✓ Secure Boot
✓ Virtual Secure Mode
✓ Device Guard
✓ Code Integrity
✓ AppLocker
✓ Device Health Attestation
✓ Windows Defender
✓ Windows Firewall
✓ Windows Update for Business

Hardware - UEFI
UEFI (Unified Extensible Firmware Interface) is a standard firmware interface for PCs, designed to replace BIOS (basic input/output system). This standard was created by over 140 technology companies as part of the UEFI consortium, including Microsoft. It is designed to improve software interoperability and address limitations of BIOS. Some advantages of UEFI firmware include:
• Better security by helping to protect the pre-startup (or pre-boot) process against bootkit attacks.
• Faster startup times and resuming from hibernation.
• Support for drives larger than 2.2 terabytes (TB).
• Support for modern, 64-bit firmware device drivers that the system can use to address more than 17.2 billion gigabytes (GB) of memory during startup.
• Capability to use BIOS with UEFI hardware.

Hardware – UEFI - Revisions
2.0    January 2006
2.1    January 2007
2.2    November 2010
2.3.1  April 2011
2.4    June 2013
2.5    April 2015
2.6    January 2016

Hardware - TPM
The Trusted Platform Module offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a random number generator.
• Does not rely on the operating system and is not exposed to vulnerabilities that might exist in the operating system or application software
• TPM has special physical security:
  • Active shield
  • Over/under voltage detection
  • Low/high frequency sensor
  • Reset filter
  • Memory encryption
  • Tamper-detection and response circuits

Hardware – TPM - Revisions
TPM 1.2
  Revision 62            October 2003
  Revision 85            February 2005
  Revision 103           July 2007
  ISO/IEC 11889-1:2009   May 2009
  Revision 116           March 2011
TPM 2.0
  Revision 96            March 2013
  Revision 99            October 2013
  Revision 1.07          March 2014
  Revision 1.16          October 2014
  ISO/IEC 11889:2015     December 2015

TPM 2.0 Compliance for Windows 10 in the future
All shipping devices for Windows 10 across all SKU types must be using TPM 2.0, discrete or firmware, from July 28, 2016. This requirement will be enforced through our Windows Hardware Certification program.
Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
• With Windows 10, as with Windows 8, all Connected Standby systems are required to include TPM 2.0 support.
• For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM 2.0, the device must ship with the fTPM firmware support or a discrete TPM 1.2 or 2.0.
• Starting July 28th, 2016 all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled.
Windows 10 Mobile
• All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled.
IoT Core
• TPM is optional on IoT Core.
Windows Server 2016 Technical Preview
• TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Service scenario, in which case TPM 2.0 is required

Secure Boot
Layer of security on top of UEFI
• UEFI verifies the boot loader
• Can be configured to only load verified files
• Required for Windows 8 hardware certification

Virtualization Based Security features
[Diagram, bottom to top: Hardware; Hypervisor; the Windows kernel (+HVCI) beside Virtual Secure Mode (VSM) hosting the Virtual TPM and the Local Security Auth Service; Apps on top]

Device Guard Workflow
[Diagram: the Device Guard platform is built from UEFI Secure Boot, VBS - HVCI, KMCI, UMCI and AppLocker]
Definitions:
• UEFI = Unified Extensible Firmware Interface
• VBS = Virtualization based Security
• HVCI = Hypervisor based Code Integrity
• KMCI = Kernel-mode Code Integrity
• UMCI = User-mode Code Integrity
• ELAM = Early Launch Anti-Malware
Microsoft Confidential | Shared under NDA

AppLocker
• An application control solution which prevents execution of unwanted and/or unknown applications (and scripts, installers)
• Allows IT administrators to specify exactly what users are allowed to run in the desktop environment
• AppLocker provides security protection and operational & compliance benefits
• AppLocker can enforce application standardisation
• AppLocker can be one component of an organisation's overall security strategy

Device Health Attestation: Windows Cloud Attestation & Intune
MDMs gate access based on device integrity and health:
1. Authenticated access request
2. “Prove you are healthy”
3. Attestation request (MDM to Windows Cloud Attestation)
4. Attestation response
5. “Here is the proof”, then access to the important resources

Windows Defender
[Diagram: the Windows antimalware stack]
• Antimalware: Windows Defender; behavior monitoring; dynamic translation; vulnerability shielding; persisted store; Defender Offline
• Antimalware platform: MVI; AMSI; Internet Explorer IExtension Validation (IEV); Smart UAC; Secure Events; OS hardening; Early Launch Antimalware (ELAM)
• Available only in Windows 10 (or with full functionality only in Windows 10): Shields Up; Device Guard
AppLocker
• MVI – Microsoft Virus Initiative
• AMSI – Antimalware Scan Interface
• UAC – User Account Control
• ETW – Event Tracing for Windows

Security Strategy
✓ Credential Guard
✓ Microsoft Passport
✓ Windows Hello

Credential Guard Architecture
[Diagram: the High Level OS (HLOS) runs LSASS with NTLM support and Kerberos support; Virtual Secure Mode (VSM) runs LSAIso holding the NTLM and Kerberos secrets and persistent IUM secrets; both run above the Hypervisor, brought up at Boot; label "Clear secrets" on the HLOS side]

Microsoft Passport – a new approach
1. User proves identity
2. “Trust my unique key” (to the IDP: Active Directory, Azure AD, Google, Facebook, Microsoft Account)
3. “Here is your authentication token”
4. Intranet resources: “We trust tokens from IDP”

Introducing Windows PIN
• Simplest implementation option
• Works on existing devices
• User familiarity
Biometrics
• Enables multi-factor
• Ease of use
• Impossible to forget

Accessing credentials
• Microsoft Passport: your credential for networks, sites and services
• Windows Hello: unlocks your device with biometrics and gives access to your “Microsoft Passport”

Security Strategy
✓ BitLocker
✓ Rights Management Services
✓ Conditional Access
✓ Enterprise Data Protection

BitLocker
• BitLocker Drive Encryption (BDE) is a data protection feature that provides encryption for entire volumes
• By default, BitLocker uses the Advanced Encryption Standard (cipher block chaining, CBC) with a 128-bit key (Windows 10 adds support for the XTS-AES encryption algorithm)
• BitLocker is meant to prevent offline attacks (lost or stolen laptop)
• Not meant to protect from online attacks (can be combined with Encrypting File System (EFS))
• Integrity checking of early boot components
[Diagram, key hierarchy: SRK (2048-bit RSA) protects the VMK (256-bit), which protects the FVEK (128-bit/256-bit, size controlled by GPO), which encrypts the Operating System Volume; Boot Volume]

Microsoft Rights Management
• Authentication and collaboration
• Client integration
• User authentication integration
• BYO Key

Enterprise Data Protection
• Provides user-friendly data separation and containment (corporate device vs. personal device)
• Enables data protection wherever the data is located
• Ensures only trusted apps can access your data
[Diagram: corporate network]

Virtualization Based Security features – hardware requirements
• Virtualization extensions (Intel VT-x, AMD-V)
• Second Level Address Translation
• IOMMU (Intel VT-d, AMD-V)

Windows Security Features by edition
[Table: availability in Home / Pro / Enterprise is marked with an X on the original slide; the marks are not legible in this transcript. Features and notes follow.]
• TPM Support
• Secure Boot
• Device Guard – Requires UEFI 2.3.1; Intel VT-x, AMD-V; SLAT (Intel VT-x EPT, AMD-NPT); x64; IOMMU (Intel VT-d, AMD-V); TPM 1.2 or 2.0 optional; BIOS lockdown
• Credential Guard – Requires UEFI 2.3.1; Intel VT-x, AMD-V; SLAT (Intel VT-x EPT, AMD-NPT); x64; IOMMU (Intel VT-d, AMD-V); BIOS lockdown; requires TPM 2.0 (TH2 will allow TPM 1.2 for testing and verification but no attestation is possible. Microsoft strongly recommends 2.0 for deploying Credential Guard.)
• Device Health Attestation – Requires TPM 2.0
• Virtual Smartcard with key attestation – Requires TPM 1.2 (TPM 2.0 recommended)
• Windows Defender
• Windows Firewall
• Windows Update
• Windows Update for Business
• Current Branch for Business
• Long Term Servicing Branch
• AppLocker
• Windows Hello / Microsoft Passport – Requires TPM 1.2 (TPM 2.0 recommended); key attestation – TPM 2.0; token binding – TPM 2.0; key encryption (TPM generation of keys) – TPM 2.0
• BitLocker – Requires TPM 1.2; UEFI 2.3.1
• Rights Management Service
• Conditional Access
• Enterprise Data Protection – Not available with the current build

Links
http://security.windows.com
https://blogs.technet.microsoft.com/mniehaus/2016/03/10/documentation-updates-for-windows-10-1511/
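As an added example (not part of the deck, nor Microsoft's own tooling), the following PowerShell script checks a Windows 10 host against the prerequisites listed in the feature table above: Secure Boot, TPM specification version, virtualization-based security status, code-integrity enforcement and the BitLocker cipher. It assumes an elevated session on Windows 10, where the Win32_DeviceGuard and Win32_Tpm WMI classes and the SecureBoot and BitLocker modules are available; the function name Get-VbsReadiness is my own.

```powershell
# Added example, not from the deck: compare a Windows 10 host with the prerequisites
# the feature table lists for Device Guard, Credential Guard and BitLocker.
# Assumes an elevated PowerShell session on Windows 10.
$ErrorActionPreference = 'Stop'

# Value codes documented for the Win32_DeviceGuard WMI class.
$Services   = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$Properties = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                 4 = 'Secure memory overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'MBEC' }

function Get-VbsReadiness {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16"; the first field is the spec family.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }
    # Get-BitLockerVolume is absent on Home edition (the table lists BitLocker for Pro/Enterprise).
    $os = $null
    try { $os = Get-BitLockerVolume -MountPoint $env:SystemDrive } catch { }
    # Platform properties VBS requires but the firmware/CPU does not offer.
    $missing = $dg.RequiredSecurityProperties | Where-Object { $_ -notin $dg.AvailableSecurityProperties } |
               ForEach-Object { $Properties[[int]$_] }
    $running = @($dg.SecurityServicesRunning | ForEach-Object { $Services[[int]$_] })

    $warnings = @()
    if (-not $secureBoot) { $warnings += 'Secure Boot off: Device Guard / Credential Guard have no firmware root of trust' }
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
        $warnings += "VBS not running (status $($dg.VirtualizationBasedSecurityStatus)); missing: $($missing -join ', ')"
    }
    if (('Credential Guard' -in $running) -and ($tpmSpec -ne '2.0')) {
        $warnings += "Credential Guard runs with TPM $tpmSpec; the table requires TPM 2.0 (1.2 gives no attestation)"
    }
    if (-not $os) { $warnings += 'BitLocker cmdlets unavailable (Home edition?)' }
    elseif ($os.ProtectionStatus -ne 'On') { $warnings += "BitLocker protection on $env:SystemDrive is $($os.ProtectionStatus)" }
    elseif ($os.EncryptionMethod -notmatch '^XtsAes') { $warnings += "BitLocker uses $($os.EncryptionMethod); Windows 10 supports XTS-AES" }

    [pscustomobject]@{
        SecureBoot      = $secureBoot
        TpmSpec         = $tpmSpec                                   # table: Credential Guard/DHA need 2.0, BitLocker 1.2
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus     # 0 off, 1 enabled but not running, 2 running
        VbsServices     = $running -join ', '
        KmciEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus  # 0 off, 1 audit, 2 enforced
        UmciEnforcement = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        BitLockerMethod = if ($os) { $os.EncryptionMethod } else { 'n/a' }
        Warnings        = $warnings
    }
}

Get-VbsReadiness | Format-List
```

The Warnings list maps directly onto the table's notes, so a host that prints none of them meets the stated requirements for the VBS-based features and the XTS-AES BitLocker configuration.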