XP End of Support

5 Ways to Mitigate Risk Now 

Paul Zimski

VP, Solution Marketing

Interactivity Tips

1. Ask our Presenters a question

2. Download a PDF copy of today’s presentation

3. Social Networking Tools

XP End of Support

• Microsoft Windows XP End of Support was April 08, 2014

• No further vulnerability patches will be made available through standard support

• Impact on Compliance» FFIEC guidance – … identify, assess, and manage these risks to

ensure that safety, soundness, and the ability to deliver products and services are not compromised.

» PCI-DSS v3.0 – Ensure that all system components and software are protected from known vulnerabilities ….

3

4PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Windows XP Usage

5PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Windows XP Infection Rates

6PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Fuzzing Opportunity for Attackers

•New XP vulnerabilities discovered with no patch or configuration work around

•New disclosed vulnerabilities in other Windows products that share common core modules

Ignore

7

Plan:• Ignore EOS and Carry On

Pros:• Reduced Cost / Effort

Cons:• Compromise is Eminent• More Expensive Long-Term

Source: http://joshblackman.com/blog/wp-content/uploads/2011/11/bird.jpg

Upgrade

8

Plan:• Rip and Replace WinXP

Pros:• Latest & Greatest

Cons:• Hardware Requirements• End User Disruption• Legacy Software Support• Time / Cost / Effort

Isolate

9

Plan:• Isolate WinXP boxes

Pros:• Reduced Cost / Effort

Cons:• User Productivity Hit• Physical Attack Vector

Source: http://www.ida.liu.se/~g-robek/images/linguistics-AnechoicChamber_id.jpg

Extend Support

10

Plan:• Get Premier Support from

MS for WinXP boxes

Pros:• Push Off Migration

Cons:• Expensive• No Native OS Security

Improvements

Source: http://erstarnews.com/wp-content/uploads/2013/07/stack-of-money.jpg

11PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

5 Practical Defense in Depth Tactics

1. Reduce known exploitable surface area via patch management

2. Harden configurations

3. Reduce zero day threat risk with application whitelisting

4. Protect system memory with native and 3rd party tools

5. Eliminate physical attack vectors by controlling device ports

•Update antivirus•Use desktop firewalls

1) Reduce Exploitable Surface Area

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

» Ensure known vulnerabilities are patched to minimize “low hanging fruit”

» Apply new 3rd party desktop application patches

13PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

2) Harden Security Configurations

•Remove Local Admin •Disable autorun•Eliminate unnecessary services, applications•Turn off admin shares•Enforce screen lockouts

Malware

3) Reduce Zero Day Threat

14

Authorized

• Operating Systems• Business Software

Unauthorized

• Games• iTunes• Shareware• Unlicensed S/W

Applications

Un

-Tru

sted

Known

• Viruses• Worms• Trojans

Unknown

• Viruses• Worms• Trojans• Keyloggers• Spywares

Application Whitelisting

4) Protect System Memory

• The best way to avoid Buffer Overflow Attacks is for software authors to employ secure coding practices

• For known vulnerabilities, its imperative to apply security patches that fix the underlying code.

• For unknown vulnerabilities, there are native protection capabilities that can be enabled in Windows that make it harder to carry out BO attacks» Data Execution Prevention (DEP) - marks unused buffers as “non executable”

•Investigate 3rd party memory protection capabilities from vendors

15PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

5) Eliminate Physical Attack Vectors

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION16

»Centrally enforce usage policies of all endpoint ports and for all removable devices / media.

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Defense-in-Depth Strategy

17

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which include:

» Configuration Control

» Application Whitelisting

» Memory Protection

» Data Encryption

» Port / Device Control

» Antivirus

Patch and Configuration Management

Application ControlMemory Protection

DeviceControl

AV/FW

Hard Drive andMedia Encryption

More Information

Surviving WinXP EOShttps://www.lumension.com/windows-xp

» Whitepaper – learn how to stay secure before, during and after your migration

» Free Application Scanner – discover all the apps being used in your network

Whitepapers» NSS Labs – Improving Windows Client

Performance and Security: Impact Comparison of AC and Traditional AV https://www.lumension.com/resources/free-content/improving-windows-client-performance-and-security.aspx

18

Get a Free Trial ofLumension Application Controlhttps://www.lumension.com/application-control-software/free-trial.aspx

19

• Download a copy of today’s slides

• Provide your feedback! Please complete our survey.

• A recorded version of this seminar will be available at

www.eSeminarsLive.com

• View a calendar of our Upcoming Events

Attendee Services

Global Headquarters8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

info@lumension.com