October is Cybersecurity Awareness Month. This was established 19 years ago by the Cybersecurity & Infrastructure Security Agency (CISA). The focus for the month is “See Yourself in Cyber”, and this week’s tip discusses the security differences between the most current versions of Microsoft Windows.
Windows 10 vs Windows 11 Security
In Microsoft’s next iteration of Windows computing, security is taking center stage. Windows 11 is rolling out new features which could potentially thwart entire classes of attacks, malware, and firmware exploits. But it could come at a cost in PC performance, as well as the dollar amount of new Windows 11 PCs with the additional hardware required to make full use of all of the new features. Many of the new features take aim at the most common threats to business networks and PCs, to include enhanced phishing protection, application driver validation, and credential protection. Windows 11 is also attempting to squash problems that persist in Windows 10, many of which involve remote code execution attacks, escalation of privilege vulnerabilities and many others. Let’s take a look at some highlights which can help you make an informed decision on what version of Windows suits your needs.
- Zero Trust Support: With Windows 11, Microsoft appears to be embracing an emerging model of enterprise security known as Zero Trust. Most legacy enterprises use the castle and moat model, where we trust everything inside the castle and nothing outside of it. Zero Trust as the name implies, treats all elements of an enterprise as a potential source of attack and aims to contain and mitigate in the event of an attack.
- Trusted Platform Module 2.0: To better protect your cryptographic keys, and similar data, Windows 11 requires the use of what is called a Trusted Platform Module 2.0 chip. This is a chip that is common in most Intel CPUs produced starting in 2018. In fact, Windows 11 will refuse to install on systems where this hardware is missing or not enabled. In many cases, this chip is present but not enabled on those systems produced in the last four years. It can be enabled in the BIOS settings of your machine fairly quickly if you are familiar with the territory.
- Windows 11 Smart App Control: Microsoft has deployed a cloud-based directory of applications that have been vetted and are considered trusted. In some cases of lesser-known, industry specific software, this could pose a problem as it may not be whitelisted in Smart App Control and will not be able to be installed.
Roadblocks to upgrading to Windows 11
Even for those chomping at the bit to upgrade, there can be impediments to installing Windows 11.
- Steep System Requirements: Compared to Windows 10, the system requirements for Windows 11 can be 2 to 4 times as demanding. For example, your machine now needs 4 gigabytes (GB) of RAM vs 1 GB for Windows 10, and 64 GB of disk space vs the 16 GB you need for Windows 10.
|1GB for 32-bit / 2GB for 64-bit
16GB for 32-bit / 20GB for 64-bit
|1GHz or faster processor
|1GHz or faster with 2+ cores on a 64-bit processor
- Pricey Hardware Upgrades: As mentioned above, in order to take full advantage of Windows 11 security features – such as the virtual based Credential Guard – you will need a physical chip called TPM 2.0 module on your PC. If your PC workstation does not already have a built in TPM 2.0 module, you will have to purchase and install one on your motherboard. At the time of writing the cost of these modules ranges from $20 to well over $100 depending on what kind of motherboard you have. As Windows 11 rolls out we can expect those prices to rise, and if doing upgrades across an enterprise that can quickly add up to a lot of money.
- Microsoft Account Requirement: Windows 11 requires all users to have or create a Microsoft account to sign into their machines. Depending on the size of your organization and how your user accounts are set up, this may or may not pose an issue. Microsoft accounts are free to create but it is certainly one more hoop to jump through to take advantage of the new operating system.
Eventually, Microsoft will drop support for Windows 10, but we still have plenty of time before upgrading becomes all but mandatory. This gives you time to get the right people in place to assess your exposure to cyber threats and see what part of your security plan could be impacted by upgrading.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC 2 engagement or a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place and provide you with recommendations to detect, respond to, and mitigate and recover from breaches and other cybersecurity events. Please reach out to David Hammarberg leader of the firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology practices at email@example.com. We can answer any questions and help you determine if a SOC 2 or SOC for Cybersecurity report would be useful for your company.
About the Author
Mike joined McKonly & Asbury in 2022 and is currently a Senior Consultant with the firm. He is a member of the firm’s Internal Audit Segment, servicing clients in government and commercial segments.