Date post: | 08-Jun-2015 |
Category: | Technology |
Upload: | lumension |
XP End of Support
5 Ways to Mitigate Risk Now
Paul Zimski
VP, Solution Marketing
XP End of Support
• Microsoft Windows XP End of Support was April 08, 2014
• No further vulnerability patches will be made available through standard support
• Impact on Compliance
» FFIEC guidance – … identify, assess, and manage these risks to ensure that safety, soundness, and the ability to deliver products and services are not compromised.
» PCI-DSS v3.0 – Ensure that all system components and software are protected from known vulnerabilities ….
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Windows XP Usage
Windows XP Infection Rates
Fuzzing Opportunity for Attackers
• New XP vulnerabilities discovered with no patch or configuration workaround
• Newly disclosed vulnerabilities in other Windows products that share common core modules
Ignore
Plan:
• Ignore EOS and Carry On
Pros:
• Reduced Cost / Effort
Cons:
• Compromise is Imminent
• More Expensive Long-Term
Upgrade
Plan:
• Rip and Replace WinXP
Pros:
• Latest & Greatest
Cons:
• Hardware Requirements
• End User Disruption
• Legacy Software Support
• Time / Cost / Effort
Isolate
Plan:
• Isolate WinXP boxes
Pros:
• Reduced Cost / Effort
Cons:
• User Productivity Hit
• Physical Attack Vector
Extend Support
Plan:
• Get Premier Support from MS for WinXP boxes
Pros:
• Push Off Migration
Cons:
• Expensive
• No Native OS Security Improvements
5 Practical Defense in Depth Tactics
1. Reduce known exploitable surface area via patch management
2. Harden configurations
3. Reduce zero day threat risk with application whitelisting
4. Protect system memory with native and 3rd party tools
5. Eliminate physical attack vectors by controlling device ports
• Update antivirus
• Use desktop firewalls
1) Reduce Exploitable Surface Area
» Ensure known vulnerabilities are patched to minimize “low hanging fruit”
» Apply new 3rd party desktop application patches
2) Harden Security Configurations
• Remove Local Admin
• Disable autorun
• Eliminate unnecessary services, applications
• Turn off admin shares
• Enforce screen lockouts
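An added example, not from the original slides: a small audit of three items from the hardening list above (autorun, admin shares, screen lockout) against a `reg export` text dump. The registry value names are the standard Windows ones; the expected values in `BASELINE`, the function names and the sample export are this example's assumptions, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample in `reg export` text format (not taken from the slides).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
'''

# (key, value name, expected value, slide item); the expected values are assumptions.
BASELINE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun", 0xFF, "Disable autorun"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareWks", 0, "Turn off admin shares"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "ScreenSaveActive", "1", "Enforce screen lockouts"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "ScreenSaverIsSecure", "1", "Enforce screen lockouts"),
]

def parse_reg_export(text):
    """Return {(KEY, NAME): value} for the dword and string values in an export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
        elif key and (m := re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)):
            name, _, dword, string = m.groups()
            values[(key, name.upper())] = int(dword, 16) if dword else string
    return values

def audit(text):
    """List (slide item, value name, found, expected); a missing value counts as a miss."""
    found = parse_reg_export(text)
    return [(item, name, found.get((key.upper(), name.upper())), want)
            for key, name, want, item in BASELINE
            if found.get((key.upper(), name.upper())) != want]

if __name__ == "__main__":
    for item, name, got, want in audit(SAMPLE_EXPORT):
        print(f"FAIL {item}: {name} = {got!r}, expected {want!r}")
```

In the constructed sample, `NoDriveTypeAutoRun` is at the Windows XP default of 0x91, which still leaves autorun enabled for some drive types, so it is reported alongside the unprotected screen saver.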
3) Reduce Zero Day Threat
Application Whitelisting
Applications
Authorized
• Operating Systems
• Business Software
Unauthorized
• Games
• iTunes
• Shareware
• Unlicensed S/W
Un-Trusted
Malware
Known
• Viruses
• Worms
• Trojans
Unknown
• Viruses
• Worms
• Trojans
• Keyloggers
• Spywares
4) Protect System Memory
• The best way to avoid Buffer Overflow Attacks is for software authors to employ secure coding practices
• For known vulnerabilities, it's imperative to apply security patches that fix the underlying code.
• For unknown vulnerabilities, there are native protection capabilities that can be enabled in Windows that make it harder to carry out BO attacks
» Data Execution Prevention (DEP) - marks unused buffers as “non executable”
• Investigate 3rd party memory protection capabilities from vendors
5) Eliminate Physical Attack Vectors
» Centrally enforce usage policies of all endpoint ports and for all removable devices / media.
Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which include:
» Configuration Control
» Application Whitelisting
» Memory Protection
» Data Encryption
» Port / Device Control
» Antivirus
Diagram layers:
• Patch and Configuration Management
• Application Control
• Memory Protection
• Device Control
• AV/FW
• Hard Drive and Media Encryption
More Information
Surviving WinXP EOS: https://www.lumension.com/windows-xp
» Whitepaper – learn how to stay secure before, during and after your migration
» Free Application Scanner – discover all the apps being used in your network
Whitepapers
» NSS Labs – Improving Windows Client Performance and Security: Impact Comparison of AC and Traditional AV https://www.lumension.com/resources/free-content/improving-windows-client-performance-and-security.aspx
Get a Free Trial of Lumension Application Control: https://www.lumension.com/application-control-software/free-trial.aspx
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828