A couple years ago, Bruce Schneier said that against an APT attacker, “the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.” Those words have proven true over and over again. APT attackers don’t move on to the next target as soon as they see your security is a little above average. In this age, when you have to do everything right to protect your network, it pays to look at what other people do wrong and learn from their mistakes. We are going to do just that in this webinar. Based on public and unpublished APT incidents, Rand Franklin Smith of Ultimate Windows Security has gathered a list of 9 different things that show up repeatedly: 1. Allowing open attack surfaces without securing configurations 2. Permitting unlocked ports and unfettered device usage 3. Failing to use centralized vulnerability remediation 4. Allowing untrusted software to execute 5. Failing to follow existing security policies/procedures and use at-hand technology consistently 6. Permitting open policies for privileged user authority 7. Not engaging in consistent end-user security awareness 8. Failing to leverage logging and to set up traps 9. Permitting Malware beaconing and exfiltration These are gleaned from real-world scenarios. Look at how the attacks succeeded due in large part to the mistakes made. Also see, from a technical standpoint, how each one of these allowed one or more attacks to actually occur. Many of these points are in the area of endpoint security. Lumension is sponsoring this event and we will show you briefly how Lumension Endpoint Management and Security Suite can help you efficiently control these risks. Learning from other people’s mistakes is a lot less painful than learning from your own, so don’t miss this real-training-for-free session!

1. Top 9 Mistakes of APT Victims:
What They Are and What
You Can Do To Prevent Them
© 2013 Monterey Technology Group Inc.

2. Brought to you by
www.lumension.com
Speaker
 Chris Merritt – Director, Solution Marketing

3. Preview of Key Points
1. Allowing open attack surfaces without securing
configurations
2. Permitting unlocked ports and unfettered device
usage
3. Failing to use centralized vulnerability remediation
4. Allowing untrusted software to execute
5. Failing to follow existing security policies/procedures
and use at-hand technology consistently
6. Permitting open policies for privileged user authority
7. Not engaging in consistent end-user security
awareness
8. Failing to leverage logging and to set up traps
9. Permitting Malware beaconing and exfiltration
© 2013 Monterey Technology Group Inc.

4. Risk Real and Percieved
Do you think you could be a target
How confident are you that you could detect
an APT attack?
© 2013 Monterey Technology Group Inc.

5. 1. Allowing open attack surfaces
without securing configurations
Examples
Automatic proxy detection
Leaving auto-update configured to contact
MS
Unnecessary or out-of-date software
© 2013 Monterey Technology Group Inc.

6. 2. Permitting unlocked ports
and unfettered device usage
Feds: Infected USB drive idled power plant
3 weeks
http://www.usatoday.com/story/tech/2013/01/
16/usb-drive-infected-with-crimeware-shut-
power-plant/1840783/
Two-Thirds of Lost USB Drives Carry
Malware
http://it.slashdot.org/story/11/12/07/2037223/t
wo-thirds-of-lost-usb-drives-carry-malware
Malware USB drives handed out a
tradeshows
© 2013 Monterey Technology Group Inc.

7. 3. Failing to use centralized
vulnerability remediation
 There are too many tweaks and security fixes that can’t be
made via Group Policy
 De-registering unsafe DLLs
 Setting the kill bit
 Setting up bitlocker
 Configuring powershell security
 Changing admin password
 You can’t
 Visit each PC in person and that’s a waste of time anyway
 Depend on end-users
 You need a way to
 run commands, remediation scripts and other fixes on all your
PCs automatically
 Track the success of remediation steps
© 2013 Monterey Technology Group Inc.

8. 4. Allowing untrusted
software to execute
This is the single most effective way to
stop APTs
© 2013 Monterey Technology Group Inc.

9. 5. Failing to follow existing security
policies/procedures and use
at-hand technology consistently
Adobe allows critical code-signing server
to run noncompliant with corporate
standards
Other
examples
© 2013 Monterey Technology Group Inc.

10. 6. Permitting open policies for
privileged user authority
RSA SecurID incident involved lateral
movement resulting in privilege escalation
This typically means that a privileged user was
logged on interactively on a system where they
also read email, browse the web or open
document files
Best practices and privileged user
technologies exist to keep admin level
credentials sacrosanct
© 2013 Monterey Technology Group Inc.

11. 7. Not engaging in consistent
end-user security awareness
RSA SecurID incident occurred when 3 users
were sent an infected spreadsheet, it went into
their Junk email, and a single user opened it
One corporation sent a spear-phishing email to
its users
It took 3 campaigns before they got the open rate
below 20%
Lesson
Repeated and constant
Trackable
© 2013 Monterey Technology Group Inc.

12. 8. Failing to leverage logging
and to set up traps
Most organizations do not
Monitor process start events to discover new
EXEs
Deploy decoy folders with bait files on
production systems and audit access
© 2013 Monterey Technology Group Inc.

13. 9. Permitting Malware
beaconing and exfiltration
 A EXE file must be installed and permitted to
run for an APT to be successful
 When activated, most APT-ware must beacon
back to command and control servers
 At some point data is exfiltrated
 It is challenging, but there are techniques for
recognizing outbound traffic that could be
malware
Look for strange packet patterns inconsistent
with normal web browsing
• Like more data going up than down
Look for mysterious domain names like
ibiz.3387.org
© 2013 Monterey Technology Group Inc.

14. Bottom Line
Most of these are little things
But with APTs it only takes one
One user
One PC
One setting or vulnerability that lets the bad
guy get established
It’s all about
Defense-in-depth
Doing everything right
Not allowing untrusted code to execute
© 2013 Monterey Technology Group Inc.

15. Brought to you by
www.lumension.com
Speaker
 Chris Merritt – Director, Solution Marketing

16. Defense-in-Depth Strategy
Successful risk mitigation
AV
starts with a solid vulnerability
Control the Bad management foundation,
augmented by additional
Device Control
Control the Flow layered defenses which go
beyond the traditional blacklist
HD and Media Encryption
approach.
Control the Data
Application Control
Control the Gray
Patch and Configuration Management
Control the Vulnerability Landscape
16

17. Mapping
Top Mistakes How Lumension Helps
1. Allowing open attack surfaces without securing Security Configuration Management /
configurations Patch and Remediation
2. Permitting unlocked ports and unfettered device Device Control
usage
3. Failing to use centralized vulnerability Patch and Remediation
remediation
4. Allowing untrusted software to execute Application Control / AntiVirus
5. Failing to follow existing security policies /
procedures and to use at-hand technology
consistently
6. Permitting open policies for privileged user Application Control
authority
7. Not engaging in consistent end-user security
awareness
8. Failing to leverage logging and to set up traps
9. Permitting malware beaconing and exfiltration Application Control
© 2013 Monterey Technology Group Inc.

18. More Information
• Free Security Scanner Tools • Get a Quote (and more)
» Vulnerability Scanner – discover all OS and http://www.lumension.com/endpoint-
application vulnerabilities on your network management-security-suite/buy-now.aspx#2
» Application Scanner – discover all the apps
being used in your network
» Device Scanner – discover all the devices
being used in your network
http://www.lumension.com/Resources/
Security-Tools.aspx
• Lumension® Endpoint Management
and Security Suite
» Online Demo Video:
http://www.lumension.com/Resources/Demo-
Center/Vulnerability-Management.aspx
» Free Trial (virtual or download):
http://www.lumension.com/endpoint-
management-security-suite/free-trial.aspx
18