Microsoft has introduced a new series of devices called Secured-core PCs that provide built-in firmware security from the growing use of state-sponsored hacking groups.
In its 2018 activities, for example, the APT28 cyber-espionage team (also known as Sednit, Fancy Bear, Strontium and Sofacy) uses a Unified Extensible Firmware Interface (UEFI) rootkit called LoJax.
This allowed the attackers not only to resist reinstallation of the operating system, but also to replace hard drives on the infected machines.
“These devices are designed specifically for industries like financial services, government, and healthcare, and for workers that handle highly-sensitive IP, customer or personal data, including PII as these are higher-value targets for nation-state attackers,” says Microsoft.
Built-in Security Layers
A new type of protected devices are designed to closely fulfill a range of software and hardware requirements, which’ application the best security practices of insulation and minimal trust to a firmware layer, or the device’s heart, underlying the operating system on Windows.’
“These devices, built in cooperation with our OEM and silicon partners, fulfill certain software requirements that apply best practices in security and minimal confidence to the firmware layer or system core underlying Windows,” Microsoft adds.
Secured-core PCs are a workaround for the growing number of firmware vulnerabilities which hackers can use to bypass the Windows Secure Boot and the lack of software visibility in today’s endpoint security solutions.
Microsoft and its OEM partners have introduced the following set of integrated requirements, to protect Secured-core PC users from it,
Safe loading of Windows: If Hypervisor Enforced Integrity is disabled, Secured-core PC only starts executables signed by established and authorised authorities. In addition, the hypervisor sets and enforces permissions to stop malware from trying to alter the memory and running
Firmware Protection:Device Guard Secure Boot uses the CPU to safely boot the system to avoid further firmware attacks.
Protection of identity: Windows Hello gives you access to VBS to avoid identity attacks without code.
Safe, hardware-isolated operating environment: Using Trust Platform Module 2.0 and a modern DRTM CPU, you can boot your PC safe and eliminate firmware vulnerabilities.
Such protections allow Secured-Core PCs to securely boot, protect themselves from firmware vulnerabilities, prevent attacks by the operating system, prevent unauthorized access, and secure the identity and domain credentials of their users.
A key requirement is Windows Defender System Protection
“Windows Defender now introduces System Guard Secure Boot as the primary Secured-core PC system specification to secure the boot phase from firmware attacks by using the latest AMD, Intel, and Qualcomm hardware capabilities,” says Microsoft.
“Dynamic Root of Trust for Measurement (DRTM) functions built into the most advanced silicone from AMD, Intel and ARM allow the system to leverage firmware to begin hardware and then, soon after, re-initialize the system into a confident state by using the OS loader and processor functionality to transmit the system to a well-known and verifiable code route.”
All Secured-core PCs will have the requisite operating system and hardware support for Windows Defender System Guard capabilities according to Microsoft’s announcement.
Customers are able to find more data on products obtained by PC-tested on this dedicated web page, or on the OEMs participating in this new initiative Dell, Dynabook, HP, Lenovo and Panasonic.