Relying on Windows 10 security is risky for business
Microsoft’s latest operating system, Windows 10, unveiled earlier this month, places a fresh emphasis on corporate security. But there are already industry rumblings that over-reliance on Microsoft’s new security features could be dangerous.
Windows 10 is designed to run across the types of devices common to most business users: PCs, laptops, tablets and smart phones. In order to safeguard users’ privileged data, the new OS uses a two-factor authentication system utilizing biometric ID in the form of a finger or thumb print. Users can enroll a single device, such as a smart phone, which will effectively become their mobile credential. It will enable them to sign-in into all of their PC’s, networks, and web services as long as their smart phone is nearby.
It all rests on smartphones
According to Microsoft: "The phone, using Bluetooth or Wi-Fi communication, will behave like a remote smart card and it will offer two factor authentication for both local sign-in and remote access".
Additional security features include data protection software designed to enable users to define which documents are corporate and which are personal. Companies can also designate all new content created on the device as corporate by policy. Additional features can enable organizations to prevent data from being copied from corporate content to non-corporate documents or external locations on the web such as social networks.
While the security features incorporated into Windows 10 have been designed to address some of the key cyber security challenges now facing corporates, the jury is still very much out as to how effective these will be.
In a world where many organizations still endorse a bring-your-own-devices (BYOD) policy, an OS that operates seamlessly across all devices could pose a whole gamut of security risks.
It is also unlikely that most companies which have provided staff with devices using a variety of operating systems, such as iPads, Android smart phones and others, would be unlikely to ditch all their legacy equipment simply to switch to Microsoft’s latest version of Windows.
The fallibility of biometrics
Even if they do, there is a danger that they could place an over-reliance on the supposed infallibility of features such as biometric identification. Although biometric identification was first introduced as high level security for situations such as the US president launching a nuclear attack, the digital age is already exposing some inherent security flaws.
At a recent presentation at the annual Chaos Computer Club hacker conference in Hamburg, biometrics expert Jan Krisller, alias 'Starbug', showcased how he had taken pictures of Germany’s Defense Minister, Ursula von der Leyen, at a press briefing in October using a focal length of 200 mm from six feet away. These were of sufficient clarity to enable him to use commercial fingerprint identification software from Verifinger, to replicate the contours of the defense minister’s thumbprint. He then used a technique dating back to 2002 to dupe a biometric scanner. The first reported use of this technique was the so- called "Gummi Bear attack" of 2002, when Japanese cryptographer Tsutomu Matsumoto used gelatin -- as found in Gummi Bears sweets -- and a plastic mold to create a fake finger, which he claimed fooled fingerprint detectors four times out of five.
Should Windows 10 have anything the corporate market penetration Microsoft hopes for, it is increasingly probable that hackers will find all kinds of imaginative ways of cloning key executives’ fingerprints. It is, for example, likely that a phone picked from an executive’s jacket suit pocket or hotel bedside table would be likely to already have his or her fingerprints on its touchscreen, potentially making the device less secure than it might have been with a more traditional form of security such as a personal identification number (PIN).
An easy route for hackers
The fact that Windows 10 operates across a wide range of platforms of devices also poses an additional potential security hazard. If a device is hacked, the cybercriminal, spy or terrorist can potentially access the entire corporate database. Moreover, as the linked devices must communicate with one another, there is also an opportunity for cyber criminals to hack into the communication channels between devices.
There are, however, some additional security features in Windows 10 that are less of a headline-grabber than biometric ID but which may prove more useful in the long run. These include enabling users to differentiate between corporate and personal communications.
Whilst outlining the new security features on Windows 10, Microsoft quoted a report from security firm Stroz Friedberg finding that 87 percent of senior managers admit to regularly uploading work files to a personal email or cloud account -- with 58 percent of users admitting to having accidentally sent sensitive information to the wrong person.
It remains to be seen if Windows 10 represents a turning point for Microsoft in terms of cyber security. Previous versions of Windows have been relatively easy to hack for two simple reasons. The first is that the original OS, on which all the other are built, was never designed to be networked across more than a handful of computers and has a large digital 'footprint' made up of legacy code which frequently offers a number of hitherto unidentified 'backdoor' entry points for determined hackers.
But, for years, Windows’ greatest vulnerability was a direct result of its commercial success. At a time when by far the majority of PCs and laptops ran Windows and Apple was no more than upstart in computing, there was little point in trying to hack into any operating system other than Windows.
Today, however cyber criminals are increasingly turning their attentions to a wider range of operating systems such as the Apple iOS, Google’s Android and the main flavors of the open source OS Linux.
But whatever operating systems companies opt for, it is essential that they take independent advice to establish a firm set of security protocols and safeguards of their own rather than relying on those built into generic third-party software.
Stuart Poole-Robb is CEO and founder of the KCS Group
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.