Secrets of modern PC 2.0: how to provide impregnable PC protection

Most home PC users do not really care about protecting their data and rely, as a rule, either on a free antivirus or on the built-in Windows tools and their accuracy. More advanced users install a commercial antivirus suite, but even among them few are able to strengthen security with additional measures such as encryption or a dedicated browser. Still, after reading horror stories on the Internet, even housewives have started putting a sticker over the webcam. Of course: even the founder of Facebook does this, at least that is clearly visible in one of the photos of his workplace.

But even if home users care at least somewhat about the security of their PC, in business the probability of becoming a victim of cybercriminals is much higher. Here the financial losses from hacking and data theft are far greater, and the attacks are carried out with particular sophistication. That is why a multi-factor approach to protecting the company's computer fleet is needed, one based on anticipating possible threats. At the same time, not every task can be solved by software; the hardware of the computer itself is of particular importance.

Increased risks in cyberspace have forced engineers to create a new generation of devices, PC 2.0, in which a whole range of protective measures for the PC and its data is applied. It is based on a matrix of key security domains: device, user identification and data. Three possible levels of action are involved: before the operating system loads, during its operation, and above the operating system at the fleet-management level.

Most of the security tools used are applicable to enterprise-class computers. Moreover, these are not necessarily bulky devices. A striking example of an elegant embodiment of all the modern ideas is the HP EliteBook model, which has a thin and light body.

HP EliteBook 1040 G4

Of course, 100 percent protection is difficult to achieve, but it is quite realistic to ensure the maximum level. The latest HP security technologies are organized at the hardware level and complement the usual software and system tools. At the same time, user involvement in the event of an incident is minimized.

However, it should be emphasized that modern technologies for maximum protection can be implemented only on the basis of Intel processors of the 7th generation and above together with Windows 10. Old operating systems, as well as old hardware and peripherals, do not support the latest developments either structurally or programmatically.

Protection at 3 levels in 3 facets according to HP version

Level                | Device                          | User identification               | Data
During OS operation  | HP Sure Start Gen3              | HP Client Security Suite Gen3,    | HP Sure Click,
                     |                                 | Intel authentication              | HP Sure View
Before loading the OS| HP Sure Start Gen3,             | Authentication before Windows     | Disks with encryption function,
                     | locks and anti-theft fasteners, | boot, TPM 2.0                     | HP Secure Erase
                     | solenoid lock                   |                                   |

The security strategy is implemented in three directions: device protection, access protection and data protection.

Protection before the start of the operating system

The use of hardware protection in personal computers began quite a long time ago. An important step in this direction was the development and implementation of the Trusted Platform Module (TPM) according to the ISO 11889 standard. The first computers equipped with this technology appeared at HP, one of the developers of the standard, in 2004.

The next milestone was improving the security of the basic input/output system, which, after the switch to the UEFI standard, received a wider set of functions but along with it a number of vulnerabilities.

Detecting infection at the BIOS level has become critically important for PC security, since such attacks are not recognized by standard antivirus tools. Work on protection in this direction led to the appearance of the ISO 19678 standard in 2011. This is how HP Sure Start technology was born: physically, it is a chip with two independent BIOS memory partitions and a BIOS image validation unit. The comparison was performed when the PC was turned on or woke from sleep. If a bootkit infection was found, the BIOS was automatically returned to the reference state.

The current generation, HP Sure Start G3, has gone beyond the BIOS chip and checks for unauthorized changes or behavior in the SMM memory area in real time. This makes it possible to detect intrusions and provides enhanced protection against unknown or unmanaged vulnerabilities that previously simply could not be tracked by antivirus or other tools from within the operating system. When an infection is detected, the user and the administrator (via Microsoft SCCM with HP MIK) receive a message, and according to the configured policy, automatically or manually, the system reboots and the parameters are restored.

The third-generation technology is implemented at the hardware and software level and works in HP's business line of computers with 7th-generation Intel processors and Windows 10. BIOS protection is also implemented on computers with AMD processors. All three generations of the company's computers have different hardware architectures, with the newest security blocks used in the latest. That is why it is impossible to obtain third-generation protection by simply updating the BIOS.

OS-level protection

The fight between cybercriminals, who keep developing new and more complex types of threats, and those who oppose them has become more acute than ever: attacks are becoming more widespread and their consequences more significant. Microsoft is constantly working to improve the multi-level security system of Windows 10, updating it to combat the most modern types of attacks.

The latest Windows 10 Fall Creators Update introduced a new version of Windows Defender Advanced Threat Protection (ATP), which is able to comprehensively ensure the security of the digital infrastructure. According to Microsoft, 96% of attacks are unique and created purposefully to defeat a specific victim. The key difference between ATP and antiviruses that use only signatures of existing viruses is cloud analytics and artificial-intelligence algorithms for examining files for malware. This approach makes it possible to detect and neutralize new types of attacks: at the first occurrence, information about the threat enters the database and becomes available to all systems. In addition, the Windows Defender Exploit Guard tool is built in, which prevents the triggering of some known exploits against which applications are not otherwise protected.

Protection in Windows 10 also involves preventing unauthorized logins and the compromise of personal and corporate data. According to the Microsoft Advanced Threat Analytics service, more than 60% of attacks are based on compromised user credentials. The Windows Hello system allows you to log in using biometric technologies: face recognition and fingerprints. This principle makes it possible to abandon passwords for greater reliability during authentication, to protect against phishing attacks aimed at password theft, and to eliminate the need to memorize complex combinations of letters and numbers. Authorization with Windows Hello is safer and much faster: all you need to do is look into the camera or touch the fingerprint scanner. Logging in takes only 2 seconds. For enhanced security, Windows Hello also supports two-factor authentication.

Virtual browser for secure Internet

According to an HP survey, more than 80% of IT directors consider popular browsers to be the main vulnerability through which viruses enter the system. At the same time, 68% of respondents noted that it has lately become increasingly difficult to recognize malicious sites, content and emails. Consequently, training users to work safely on the Internet and applying black and white lists are not effective enough relative to the labor costs invested.

A click on the link in a phishing email is enough to let a virus into the system

The rapid growth in the number of threats forces HP specialists to look for new options. A unique solution is HP Sure Click technology, created jointly with Bromium. With its help, the browser is isolated from the operating system: each tab opens in a separate micro virtual machine, isolated at the CPU level.

Thus, the cache and scripts the browser stores on the virtual disk do not reach the system, which means attackers do not get access to the OS, applications and data. Even the adjacent browser tab is unavailable. This technology, as an example of an industry standard, has already been implemented in the additional feature set of Windows 10 Enterprise (Windows Defender Application Guard), in which the Edge browser can be run in an isolated Hyper-V machine.

On HP devices, Sure Click technology is available out of the box and can be used in small and medium-sized businesses, as well as by home users without a Microsoft corporate subscription. However, to run it, the PC processor must support Intel VT technology. For example, this browser is available on HP EliteBook 800 and 1000 series G4 and G5 devices with Windows 10 Professional installed.

It is worth noting that this browser is able to protect the system from Trojan infection. However, only competent user actions and search-engine warnings will help prevent data leakage on phishing sites.

Self-encrypting disks

Information protection would not be complete if user data were not encrypted. As a rule, the encryption process involves storing keys in unprotected form on a physical medium or in RAM, which means the key may be stolen.

Computers of the PC 2.0 concept are free of this vulnerability, since they can use self-encrypting disks. The main feature of such devices is the isolation of encryption keys from the operating system and applications: the encryption key never enters RAM or the processor, which eliminates data leakage during attacks via the OS and RAM. If you see the words SED or OPAL2 in a disk's description, it is exactly such a disk. The functionality requires configuration.

Which computer can be considered the most secure

According to HP experts, any corporate-class machine that is 3-4 years old is outdated at the hardware level in terms of security approaches. An old OS version without the Windows 10 approach to updates also creates additional threats.

The HP EliteBook 1040 G4 can be called the benchmark for implementing security through a combination of factors at the hardware level. Protection technologies configurable in this model: TPM 2.0, HP Sure Start 3.0, Intel vPro, OPAL2 disk, built-in HP Sure View privacy filter, built-in magnetic camera shutter, support for two types of biometric authentication, and Windows 10 Professional.
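A posture check for the prerequisites this page lists, written as an added example (not HP's or Microsoft's code): it reports the TPM specification version, the Secure Boot state, whether Intel VT is enabled in firmware (required for Sure Click and Application Guard micro-VMs), whether the system drive is protected with hardware (SED/OPAL2) encryption rather than software encryption, and whether Windows Defender Application Guard is enabled. It assumes an elevated PowerShell session on Windows 10 with the TrustedPlatformModule, SecureBoot and BitLocker modules that ship with the OS; the function name and output fields are this example's own.

```powershell
# Added example, not HP or Microsoft code. Run in an elevated PowerShell on Windows 10.
function Get-Pc20SecurityPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM: the Win32_Tpm class reports the spec version as a string such as "2.0, 0, 1.38"
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm
    $result.TpmSpec    = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $result.TpmIs20    = $result.TpmSpec -eq '2.0'

    # UEFI Secure Boot must be on for the pre-boot chain of trust to mean anything
    try   { $result.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $result.SecureBoot = $false }   # legacy BIOS or no UEFI support

    # Intel VT must be enabled in firmware for Sure Click / Application Guard micro-VMs
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $result.VtEnabled = [bool]$cpu.VirtualizationFirmwareEnabled

    # A configured SED/OPAL2 drive shows up as BitLocker encryption method "Hardware";
    # any other method means the key is handled in software and passes through RAM.
    $sys = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.SystemDriveEncryption = if ($sys) { [string]$sys.EncryptionMethod } else { 'unknown' }
    $result.SystemDriveProtected  = [bool]($sys -and $sys.ProtectionStatus -eq 'On')
    $result.HardwareEncryption    = $result.SystemDriveEncryption -eq 'Hardware'

    # Windows Defender Application Guard is the built-in counterpart of Sure Click
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
    $result.ApplicationGuardEnabled = [bool]($wdag -and $wdag.State -eq 'Enabled')

    [pscustomobject]$result
}

# Print the posture and flag the items that fall short of the baseline described above
$posture = Get-Pc20SecurityPosture
$posture | Format-List
$gaps = @('TpmIs20', 'SecureBoot', 'VtEnabled', 'HardwareEncryption', 'SystemDriveProtected') |
        Where-Object { -not $posture.$_ }
if ($gaps) { Write-Warning ("Baseline not met: " + ($gaps -join ', ')) }
```

An "Unknown" or software encryption method on a machine that has an SED/OPAL2 drive is the case the text warns about: the drive supports hardware encryption, but it has not been configured, so BitLocker (or nothing) is handling the key in software.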

Enrolling such a device in a managed environment using an HP DaaS subscription and/or HP MIK MSSC allows you to create the most secure solution to date.

An individual offer for a new generation HP PC can be obtained by following the link.
