Is Software-Based Cybersecurity Enough These Days?

 By Hector Cisneros

Image courtesy Pixabay

Not according to Microsoft, it isn’t.  On June 24, Microsoft announced that a Windows 11 requirement is that all new devices running the operating system be equipped with a Trusted Platform Module chip.  The TPM chip is either part of the motherboard or added to the CPU separately.  It functions as a kind of impenetrable wall designed to protect sensitive data like encryption keys, user credentials and other key identifiers at the hardware level.  After warning users for months of the high incidence of firmware attacks that hackers have been using to gain access to business users devices, it was apparent to Microsoft that software solutions alone were no longer an effective protection.

Currently, there are more than 1.3 billion computers running Windows 10 worldwide.  This software has been at the heart of recent hacks that made headlines, such as those that specifically targeted Microsoft Server software and the Solar Winds hack that targeted both private corporations and US government agencies.  In the Solar Winds attack, Russian-based hackers managed to access and impersonate an organization’s existing users, including those that were deemed privileged.  In the MS Exchange hack, 30,000 private companies and government email accounts were hacked.  This attack not only compromised the security of thousands of city and state governments, police and fire departments, financial institutions and other organizations, but it allowed the hackers to      install backdoor malware designed to allow them to gain access to these systems at a later date.  The MS Exchange attack was ultimately linked to the Chinese hacking group Hafnium.

What’s really galling is not just the fact that foreign governments have been exploiting firmware to gain access to Windows 10 machines, the real shock is the realization that many of those same machines already have TPM chips installed.  That’s right, Microsoft has long required OEMs to include the Trusted Platform Module chip on systems using Windows 10.  What they didn’t do was force these same manufacturers to turn the devices on.  Below is what you need to do to find out if your device comes equipped with a TPM as well as how to make sure it’s operating.

Image courtesy Pixabay

  1.      Press the Windows key and +r to bring up the Run Dialog Window. – Type tpm.msc into the dialog box and hit Enter.  If this brings up the message “Compatible TPM cannot be found” your machine doesn’t have the chip.  If you see “TPM is ready for use” under Status, you at least know that the chip is on your device.  You can also open the Device Manager and look for the TPM listing under Security Devices.

      2.      How do you know if your TPM is activated? – Type Windows Security into the dialog window.  This will pop up a page that reads, “Security at a glance.”  On the right side of the window you’ll find a list of options.  Select the option called “Device Security”.  The first listing you should see is “Security Processor.  This will not only indicate whether your device has a TPM, it will let you know if it is active.  Clicking on the subheading Security Processor Details will provide even more information, including the manufacturer and version.  Microsoft recommends version 2.0 be running for the TPM to provide adequate protection. You can also troubleshoot your device’s TPM from this window.

      3.    If you generate a message prompting you to update the TPM firmware, you need to perform the following steps. 

a.       Download and install the latest Windows 10 update.

b.      Install any applicable firmware updates.

c.       Back up your data.

d.      Clear the TPM.  You’ll find the link to do that under the Security Processor listing.   Click on Security Processor, followed by Troubleshooting.  There you’ll find the command Clear TPM.  Once this step is completed, you’ll need to restart your machhine.

What can you do to augment your system if your device doesn’t have a TPM chip? – You can always buy the chip and have it added to your system by your local computer repair technician.  You can also choose to install other hardware-based security devices to bolster your machine.  Everything from USB security keys that supply 2-step authentication to plug and play external firewall devices like Firewalla add another level or two of hardware-based security to any system.  When you consider the average ransomware attack costs more than $170,000 to resolve in 2021, spending a few hundred dollars to make it more difficult for hackers to gain access to your devices is well worth the price. 

When you consider the high cost of a breach, if you truly want to be able to sleep soundly at night, you need to do more than rely on software to protect your devices.  Everything from computer hardware and software to servers and Wi-Fi networks have weaknesses than can and are exploited by hackers.  There are even dark web bulletin boards that allow hackers to trade and sell these exploits.  Other exploitable vulnerabilities include poorly secured IoT devices and the questionable browsing habits of employees and family members.  To truly be vigilant, you need a system that not only helps thwart hackers but provides monitoring and reporting of all those using or attempting to access your network.  The time to up the ante on cybersecurity is now.

 Hector Cisneros is COO and Director of Social Media Marketing at Working the Web to Win, an award-winning Internet marketing company based in Jacksonville, Florida.