While you likely have very good reasons for remaining on Windows XP after end of support -- the bottom line is your security risk is now significant. In the absence of security patches, attackers will certainly turn their attention to this new opportunity.
1. XP End of Support: 5 Ways to Mitigate Risk Now
Paul Zimski
VP, Solution Marketing
3. XP End of Support
• Microsoft Windows XP End of Support was April 08, 2014
• No further vulnerability patches will be made available through standard support
• Impact on Compliance
» FFIEC guidance – … identify, assess, and manage these risks to ensure that safety, soundness, and the ability to deliver products and services are not compromised.
» PCI-DSS v3.0 – Ensure that all system components and software are protected from known vulnerabilities ….
5. Windows XP Infection Rates
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
6. Fuzzing Opportunity for Attackers
• New XP vulnerabilities discovered with no patch or configuration workaround
• New disclosed vulnerabilities in other Windows products that share common core modules
7. Ignore
Plan:
• Ignore EOS and Carry On
Pros:
• Reduced Cost / Effort
Cons:
• Compromise is Imminent
• More Expensive Long-Term
Source: http://joshblackman.com/blog/wp-content/uploads/2011/11/bird.jpg
8. Upgrade
Plan:
• Rip and Replace WinXP
Pros:
• Latest & Greatest
Cons:
• Hardware Requirements
• End User Disruption
• Legacy Software Support
• Time / Cost / Effort
10. Extend Support
Plan:
• Get Premier Support from MS for WinXP boxes
Pros:
• Push Off Migration
Cons:
• Expensive
• No Native OS Security Improvements
Source: http://erstarnews.com/wp-content/uploads/2013/07/stack-of-money.jpg
11. 5 Practical Defense in Depth Tactics
1. Reduce known exploitable surface area via patch management
2. Harden configurations
3. Reduce zero day threat risk with application whitelisting
4. Protect system memory with native and 3rd party tools
5. Eliminate physical attack vectors by controlling device ports
• Update antivirus
• Use desktop firewalls
12. 1) Reduce Exploitable Surface Area
» Ensure known vulnerabilities are patched to minimize “low hanging fruit”
» Apply new 3rd party desktop application patches
13. 2) Harden Security Configurations
• Remove Local Admin
• Disable autorun
• Eliminate unnecessary services, applications
• Turn off admin shares
• Enforce screen lockouts
14. 3) Reduce Zero Day Threat
Applications
Authorized
• Operating Systems
• Business Software
Unauthorized
• Games
• iTunes
• Shareware
• Unlicensed S/W
Malware
Known
• Viruses
• Worms
• Trojans
Unknown
• Viruses
• Worms
• Trojans
• Keyloggers
• Spywares
Diagram labels: Un-Trusted, Application Whitelisting
15. 4) Protect System Memory
• The best way to avoid Buffer Overflow Attacks is for software authors to employ secure coding practices
• For known vulnerabilities, it's imperative to apply security patches that fix the underlying code.
• For unknown vulnerabilities, there are native protection capabilities that can be enabled in Windows that make it harder to carry out BO attacks
» Data Execution Prevention (DEP) - marks unused buffers as “non executable”
• Investigate 3rd party memory protection capabilities from vendors
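An added example, not from the original slides: a read-only PowerShell audit of the hardening items in tactic 2 and the DEP setting in tactic 4. The registry values and WMI property are standard Windows ones; the 900-second lock limit and the list of flagged service names are assumptions to replace with your own baseline.

```powershell
# Added example: read-only audit; changes nothing. PowerShell 2.0 syntax.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$results = @()
function Add-Result($Check, $Pass, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# Remove local admin: on XP (no UAC) IsInRole reflects real group membership.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Result 'User is not a local admin' (-not $isAdmin) $id.Name

# Disable autorun: 0xFF turns AutoRun off for every drive type.
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
Add-Result 'Autorun disabled on all drives' ($v -eq 0xFF) "NoDriveTypeAutoRun=$v"

# Admin shares: C$/ADMIN$ are recreated at boot unless AutoShareWks is 0.
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareWks'
Add-Result 'Admin shares turned off' ($v -eq 0) "AutoShareWks=$v"

# Screen lockout: saver on, password on resume, timeout within the assumed 900 s limit.
$desk = 'HKCU:\Control Panel\Desktop'
$timeout = [int](Get-RegValue $desk 'ScreenSaveTimeOut')
$locked = ((Get-RegValue $desk 'ScreenSaveActive') -eq '1') -and
          ((Get-RegValue $desk 'ScreenSaverIsSecure') -eq '1') -and
          ($timeout -gt 0) -and ($timeout -le 900)
Add-Result 'Screen lock enforced' $locked "timeout=${timeout}s"

# Unnecessary services: the names below are an assumed example list, not from the slides.
$unwanted = 'TlntSvr', 'RemoteRegistry', 'Messenger', 'SSDPSRV'
$running = @(Get-WmiObject Win32_Service -Filter "State='Running'" |
    Where-Object { $unwanted -contains $_.Name } | ForEach-Object { $_.Name })
Add-Result 'No flagged services running' ($running.Count -eq 0) ($running -join ', ')

# DEP: 0=AlwaysOff 1=AlwaysOn 2=OptIn (XP default, Windows binaries only) 3=OptOut.
$dep = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
Add-Result 'DEP covers all programs' (@(1, 3) -contains $dep) "SupportPolicy=$dep"

$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```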
16. 5) Eliminate Physical Attack Vectors
» Centrally enforce usage policies of all endpoint ports and for all removable devices / media.
17. Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which include:
» Configuration Control
» Application Whitelisting
» Memory Protection
» Data Encryption
» Port / Device Control
» Antivirus
Diagram labels: Patch and Configuration Management, Application Control, Memory Protection, Device Control, AV/FW, Hard Drive and Media Encryption
18. More Information
Surviving WinXP EOS
https://www.lumension.com/windows-xp
» Whitepaper – learn how to stay secure before, during and after your migration
» Free Application Scanner – discover all the apps being used in your network
Whitepapers
» NSS Labs – Improving Windows Client Performance and Security: Impact Comparison of AC and Traditional AV
https://www.lumension.com/resources/free-content/improving-windows-client-performance-and-security.aspx
Get a Free Trial of Lumension Application Control
https://www.lumension.com/application-control-software/free-trial.aspx
19. Attendee Services
• A recorded version of this seminar will be available at www.eSeminarsLive.com