A general view of the Microsoft Corp. booth at the 2009 International Consumer Electronics Show at the Las Vegas Convention Center January 8, 2009 in Las Vegas, Nevada. (Photo by Ethan Miller/Getty Images)

Microsoft reiterated In its Digital Defense Report a list of seven properties the companies says can be found in all standalone, Internet-connected devices that are considered to be highly secured: a hardware root of trust, defense in depth, a small trusted computing base, dynamic compartments, passwordless authentication, error reporting and renewable security.

While perhaps the most significant headlines generated by the report revolved around Russia’s prolific hacking operations – 58% of all cyberattacks that were executed by nation-states and observed by Microsoft were initiated from Russia, and 32% of Russia-sponsored attackers resulted in successful compromises – there were additional important findings of value, including research-driven observations on supply-chain, IoT and operational technology security.

One of the report’s sections reinforced the findings of a previous report – published last year by the Microsoft Azure Sphere Team – which described and detailed the aforementioned seven properties of highly secure devices. In this latest report, Microsoft noted that the aforementioned seven attributes “provide a baseline foundation of security throughout device silicon, software architecture and OS, cloud communications, and cloud services.”

SC reached out to Microsoft and other device security companies for deeper perspective on these seven traits, what the barriers to adoption are, and if any properties are arguably missing from this latest published version of the list.

Defense in depth

 Companies that adopt this practice apply multiple mitigations against threats, ensuring that if any one vector or layer of defense is compromised, the device nevertheless remains secure.

“Defense in depth is key to security everywhere, not limited to IoT and OT,” noted Christoph Hebeisen, director of security research at Lookout. “Combinations of securing software/devices, network and device segmentation, and least privilege are always going to be stronger than any one of these measures in isolation.  They make it more expensive and time consuming for an attacker to move laterally and, with thorough monitoring in place, increase the number of opportunities for detection and the amount of time defenders have to take countermeasures.

Bob Rudis, chief data scientist at Rapid7, agreed DiD is essential to security, “since vulnerabilities exist in every layer and attackers know how to chain exploits together to gain their objective.” However, he added, it does take a certain amount of howknow, including understanding a device’s capabilities and “performing regular threat modeling and testing of any deployed defenses.”

“It always sounds good in theory, but I'm not sure the vast majority of organizations have the resources to get defense in depth right to the degree necessary to prevent all attacks,” he said. Still, “most should be able to have a sufficiently capable defense-in-depth program to deal with the most prevalent attacks.” 

Renewable security 

This refers to automatic software updates and other mechanisms designed to continually maintain the secure state of devices through patching and the removal of compromised assets.

But Rudis at Rapid7 said the concept of renewable security only truly works if “it is absolutely automatic and cannot be overridden by the end user.” After all, “if I can click ‘Delay for 1 day’ forever, or if I have to manually click ‘Update’… then there's going to be a lag in the safety and resilience state of that component, putting the system at risk. Sure, there has to be some allowance, but I'd also argue that more OS and security app vendors should have a means for live-patching for the least amount of interruption as possible.”

The problem, said Hebeisen is some companies may even express a certain level of reluctance to conduct automatic software updates.

“Updates need to be vetted to avoid potentially extremely costly disruptions. Automatic updates – especially in OT – are therefore often viewed as an unacceptable risk,” Hebeisen explained.

Also, automatic updates are not a panacea for all forms of vulnerabilities, Hebeisen continued. For instance, “IoT/OT devices frequently rely on open-source code for basic functionality (such as the network stack) that is less-well maintained and scrutinized, opening opportunities for sophisticated attackers to identify thus far unknown vulnerabilities,” he stated. “Vulnerabilities going unnoticed for longer periods of time limit the effectiveness of automatic updates as an approach to secure devices,” he added.

Dynamic compartments and small trusted computing base

Microsoft defines this property essentially as a form of segmentation, consisting of “hardware-enforced barriers between software components” that “prevent a breach in one from propagating to others.” But because they are dynamic, they can enable the introduction of new boundaries over time as threats evolve.

However, Hebeisen noted that even in segmented networks, attackers can find ways to “still move laterally to other devices and services within the segment.” With that in mind, an even more complete description of this practice would be Zero Trust Network Access, which can be used “to grant granular access to the necessary services and resources on a device exclusively to particular users and services based on their identity. Through this approach, the unauthenticated attack surface can be eliminated completely.”

It’s worth noting that Microsoft also recommended a second form of segmentation: having a small tusted computing base (TCB). This essentially means identifying what specific hardware and software your device security depends on – e.g. a hardware root of trust or encryption software – and limiting their footprint as much as possible in order to limit the attack surface and increase the likelihood that security services will continue to operate even if non-critical device code is compromised.

Error reporting

Devices should report errors for analysis, said Microsoft, in order to enable “verification of the correctness of in-field device execution and identification of new threats.” An example of this, according to Microsoft, would be when a software error, such as a buffer overrun is reported to a cloud-based failure analysis system.

Rudis cited certain barriers to adopting this particular practice, especially the possibility of “error telemetry potentially breaching privacy, especially in the scenario Microsoft suggests,” in which data corresponding to an error event if reported to the cloud or an Internet-facing component.

Hardware root of trust and passwordless authentication

According to Microsoft, hardware root of trust means that “private identity keys are protected by hardware, the integrity of device software is validated by hardware, and the hardware contains physical countermeasures against side-channel attacks.” Meanwhile passwordless authentication typically often involves certificates or tokens that validates a device’s identity using a secret private key.

In September, Microsoft announced that a host of its services were going passwordless, through methods including Windows Hello, the Microsoft Authenticator mobile app and phone- or email-based verification codes.

Of course, even if your organizations’ devices possess all seven of these traits, it doesn’t mean your cyber work is done. “These seven properties are, themselves, one component in a defense in depth approach,” said Rudis. “Organizations should not sit back and relax after investing in all seven of these areas, only to be thwarted by faulty OS-level trust models or weakness in the data broker level itself.”