XP support has ended – How long have you got before your systems are hacked?
All good things must come to an end and, as of 8 April, Microsoft Windows XP has finally been laid to rest in the Microsoft graveyard alongside Windows 2000, NT, 95 and all the other legacy products where development has ceased.
See the official Windows Announcement here
This means no new Windows Updates to download and apply – Hooray! No more patches ever!
Unfortunately, this also means there will be no more fixes or enhancements forthcoming. Aside from potential compatibility issues with applications that are still being developed and improved, this also means that, for any new vulnerabilities discovered in XP, there simply will not be any means of remediation. The result is that XP will become a sitting duck for hackers, inexorably becoming more and more vulnerable to attack over time.
What is the Solution from Microsoft?
Upgrade now, says Microsoft. Go Windows 7 or 8.1 and you gain a continually improving operating system, fundamentally more secure than XP to begin with but with the full backing of MS development to head off any new vulnerabilities as and when they are discovered.
Aside from the cost implications in license upgrade fees, the resource requirements needed to migrate can be huge, which is why an estimated 95% of the world's ATMs are still powered by Windows XP.
Considering that there are 420,000 ATMs in the US alone, the migration to a new OS is indeed a massive endeavor. Likewise, the overwhelming majority of POS systems are XP-powered for the same reason: the risk and expense of migration have resulted in leaving the problem for another day.
What Should You Do If Upgrading to Windows 7/8 isn’t a Viable Option?
And that day has now arrived. So if Microsoft isn't going to provide any security cover for your XP systems, what other options are there to improve protection and provide contingency in the event that systems are breached?
Unless you have already established a hardened build standard for XP, now is the time to do so. By leveraging the ‘natural’ built-in protective defenses for XP, all current known threats and vulnerabilities for the OS can be mitigated. Use of a vulnerability scanning tool, equipped to audit the XP systems against a consensus-based Vulnerability Checklist, such as the CIS Benchmark for XP, will reveal any Security Policy settings that can be utilized to close off as many known vulnerabilities as possible. The hardened XP system, equipped with AV and firewalled at the perimeter, will go a long way to avoiding cybersecurity threats.
Any subsequent patching of 3rd party applications or configuration changes to the XP system may re-introduce vulnerabilities, so it is vital to scan regularly or, ideally, use a continuous vulnerability monitoring solution like NNT Change Tracker or Tripwire® Enterprise. Time is of the essence in mitigating vulnerabilities when they are introduced, so a continuous or real-time scanning system is considerably better than a one-off periodic scan using a Nessus-type system.
However, since new vulnerabilities may be discovered at any time, it is imperative that your security best practice measures include some form of ‘what if’ planning. The breach at Target reminded everybody that, even with PCI DSS measures in place, if the organization ‘drops its guard’ at any time, threats are waiting to take advantage.
Real-time file integrity monitoring (FIM) provides the perfect Host Intrusion Detection system. Any change to a system file will be detected immediately and an alert raised (as was the case at Target, where the BlackPOS malware created a winxml.dll Trojan). Similarly, if new services are added or enabled, or there are subtle registry changes, a good real-time FIM system will record these as violations of the XP Hardened Build configuration and allow the breach to be stopped before lasting damage is done.
In conclusion, time is up for XP and it is imperative that a migration is planned to a secure, supported operating system. In the meantime, use of 3rd party breach prevention and detection technology is more vital than ever.