SecureState Blog


Are You Prepared For The End Times...?

Only a few weeks remain, and the April 8, 2014 deadline is looming for the more than 12-year-old operating system. Microsoft has even posted a countdown timer on its website to illustrate how many days, hours, minutes and seconds remain until life support ends for the Windows XP operating system.

Hopefully, this is not the first you have heard of the planned demise of the ever-popular Windows operating system. Windows XP is widely used in industrial control systems, clinical support systems, point-of-sale systems, ATMs, self-service kiosks, desktop workstations, and more, all around the world. A good prepper will have already been planning their Windows XP exit strategy long in advance of the terminal deadline. After all, Microsoft first announced plans in 2012 to sunset XP in 2014. A good prepper will also have already chosen their next operating system landing site (i.e., a newer version of Windows, Mac OS X, or Linux).


What does End of Life (EOL) mean?

"End of life" means that Microsoft will no longer provide free automatic updates or offer online technical assistance for Windows XP after April 8, 2014. With that said, Microsoft will (naturally) provide custom patches to customers who purchase a Premier Support agreement, but, as you can imagine, this level of support will be very expensive.


What is the big deal if organizations continue using Windows XP after April 8th?

Systems still running Windows XP are not expected to burst into flames, cause the collapse of the global economy or expedite the impending zombie apocalypse once Microsoft support has ceased. However, users should be aware of the security consequences of running an unsupported operating system. Once Windows XP goes EOL, patches will no longer be distributed by the authoritative source, Microsoft. Unofficial third-party sources may develop patches for newly identified vulnerabilities, but can you really trust those patches? Are they complete, accurate, and, most importantly, legitimate (and not carrying a malware payload)?

The risk dramatically increases that your XP system could catch some nasty malware, in spite of the best efforts of your antivirus/antimalware software. Statistics indicate that a third of all malware infections can be traced back to missing security patches. Keeping the OS and software fully patched is critical to maintaining high-availability systems such as ATMs, industrial control systems, medical support systems, point-of-sale systems, etc.

The plain truth is that attackers reverse-engineer new security patches as soon as they are released. They dig in to discover the underlying flaws Microsoft is fixing in the current versions of Windows (e.g., Windows 7 and Windows 8), flaws that XP frequently shares but will no longer receive fixes for. What does that mean? It means they have a roadmap for developing working exploits against the soon-to-be-sunset operating system.

For this very reason, many vendors will also likely begin winding down support for both software and hardware that is compatible with Windows XP. Organizations choosing to keep Windows XP systems may have to face the reality that they will be left behind when it comes to deploying newer software on those systems.


Are you exposing yourself?

If your organization is required to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and your systems are running Windows XP, your organization may be at risk of non-compliance. If Windows XP systems are storing, transmitting or processing credit card data, or are within your organization's PCI zone, you may need to consider additional network segmentation. PCI-DSS version 2.0 requirement 6.1 states,

"Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches within one month of release."

The newly released PCI-DSS version 3.0 requires the same. With that said, the PCI Security Standards Council does allow some latitude to implement compensating controls. For more information, please visit the FAQ section of the PCI Council's website.

While HIPAA does not specify minimum operating system requirements, the federal regulation does require that any known security vulnerabilities of an operating system be factored into the organization's risk assessment process. Since this topic falls squarely within the Security Rule, the Office of Civil Rights (OCR) permits covered entities the flexibility to choose what works best for each entity's environment.


What should my organization do?

While it may not be the easiest or the cheapest alternative, upgrading to a more modern operating system is the right thing to do. Not upgrading will create headaches for the system administrators tasked with overseeing your organization's systems. This is especially true when those same system administrators are charged with developing and managing the compensating controls needed to defend the decision not to upgrade. Organizations can pursue workarounds such as virtualization and segmentation of the systems running XP, but ultimately, how an organization handles the move off XP speaks volumes about its ability to manage its resources, from planning and risk assessment to its security posture. If there is resistance and reluctance at the top of the organization to upgrade systems running Windows XP, consider hiring a management consulting firm that specializes in information security, such as SecureState, to partner with you in developing the migration plan and business case to present to your executive committee or board of directors.