A long goodbye for XP

Windows XP will no longer be supported as of April 8th. This should not come as a surprise to anyone, as Microsoft’s lifecycle policy has been known for years, but what may come as a surprise is how many organizations are likely to be affected by this: Recent reports indicate that over 30% of Windows installations are still running XP. With such a high percentage it is almost assured that any given organization has an XP installation somewhere on its network, likely on long-forgotten servers or workstations at rarely upgraded remote sites. Even if servers and workstations have been expunged, XP may still be lurking in one final holdout: embedded systems. These systems are almost like appliances in their nature, you just plug them in and they work, but behind the scenes they are still computers and require some sort of operating system, often Windows XP. As one example, over 90% of ATMs run XP; other embedded systems running XP could include digital surveillance video recording systems, electronic door lock access control systems, graphic displays (like the departure screens in airports), digital telephone exchanges, etc.

The risks of an unsupported operating system should be obvious: Microsoft will no longer be providing patches for Windows XP, so any security vulnerabilities that are discovered in the future will remain permanently unfixable. With such a large number of XP systems still in use, attackers will almost certainly be looking for new vulnerabilities in XP and adjusting their exploit kits to take advantage of them, knowing that the exploits will work indefinitely. Even if the remaining XP machines on a network do not provide critical functionality, they may still serve as a gateway into the network for an attacker: most network administrators focus their security resources at the perimeter and have very little protection or detection capability internally. Attackers have been taking advantage of this for years by compromising workstations (often through malware distributed via phishing emails) and using them to target other, more sensitive systems on the same network. Leaving unsupported XP installations in place, whether on servers, workstations, or embedded systems, will provide just such a stepping stone for an attacker to penetrate a network and steal sensitive data.

In addition to the risk concerns there are compliance concerns as well: Any unsupported operating system detected during an ASV (Approved Scanning Vendor) scan results in an automatic failure. Because PCI defines the compliance scope as the systems that directly handle payment card data plus other connected systems (due to the risk of stepping-stone attacks described above), an unsupported XP machine that has nothing to do with card processing could cause this failure merely because it is on the same network.

A common refrain amongst organizations that run older software is that they do not upgrade because they are concerned either about the stability of the system or about the cost of the upgrade. While these are valid concerns, they should be considered in light of the potential stability impact of an attacker compromising the system with malware in order to use it as a platform to warehouse stolen data, send spam, launch DDoS attacks, and mount further attacks within the network, as well as the cost of cleaning up after such a breach. The likelihood of such a compromise will increase by the day as vulnerabilities are identified and disseminated, and it is unlikely that any objective risk assessment would conclude that keeping the unsupported operating system in place is the safest and least costly course of action.

NTT Com Security can help our clients identify XP machines on their network through scanning: When provided with access credentials our tools can connect to systems on the network and accurately identify the operating system. Fingerprinting techniques can help to identify systems that can’t be logged into (such as Unix systems with unique passwords) and flag potential unsupported installations for follow-up investigation. Additionally NTT Com Security can help design security controls to help protect existing XP systems while replacements are designed, procured, and tested.
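To illustrate the two-tier triage described above (a credentialed identification is treated as definitive, a fingerprint guess or an unidentified host is flagged for follow-up), here is an added example that is not part of the original post or of NTT Com Security's tooling. The scan records, hosts and OS strings are constructed; the rule that XP reports kernel version NT 5.1 is a known fact.

```python
import re

# Constructed sample scan output (hosts and strings are made up for this example).
# "method" records how the OS string was obtained: "credentialed" means the tool
# logged in and read the version directly; "fingerprint" means a network guess.
SAMPLE_SCAN = [
    {"host": "10.0.5.12",  "method": "credentialed", "os": "Microsoft Windows XP Professional [Version 5.1.2600]"},
    {"host": "10.0.5.40",  "method": "credentialed", "os": "Microsoft Windows 7 Enterprise [Version 6.1.7601]"},
    {"host": "10.0.9.3",   "method": "fingerprint",  "os": "Microsoft Windows XP SP2 or SP3 (90%)"},
    {"host": "10.0.9.77",  "method": "fingerprint",  "os": "Linux 2.6.32 (88%)"},
    {"host": "10.0.20.8",  "method": "credentialed", "os": "Windows NT 5.1 (Embedded)"},   # embedded device
    {"host": "10.0.20.9",  "method": "fingerprint",  "os": "unknown"},                     # could not log in
]

# XP may be reported by name or only by its kernel version (Windows NT 5.1).
XP_BY_NAME = re.compile(r"windows\s+xp", re.I)
XP_BY_NT_VERSION = re.compile(r"\b(windows|nt)\b.*?\b5\.1\b", re.I)


def looks_like_xp(os_string):
    """True if the reported OS string names XP or the NT 5.1 kernel."""
    return bool(XP_BY_NAME.search(os_string) or XP_BY_NT_VERSION.search(os_string))


def classify(record):
    """Return 'unsupported-xp', 'follow-up' or 'ok' for one scan record."""
    os_string = record["os"]
    if record["method"] == "credentialed":
        # The tool read the version from the box itself: treat the result as accurate.
        return "unsupported-xp" if looks_like_xp(os_string) else "ok"
    # Fingerprint only: an XP-looking guess, or no identification at all, needs a
    # person to check the host (it may be an XP system that cannot be logged into).
    if looks_like_xp(os_string) or os_string.strip().lower() == "unknown":
        return "follow-up"
    return "ok"


def triage(records):
    """Group hosts by classification, preserving scan order within each group."""
    groups = {"unsupported-xp": [], "follow-up": [], "ok": []}
    for record in records:
        groups[classify(record)].append(record["host"])
    return groups


if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_SCAN).items():
        print(f"{category:15s} {', '.join(hosts) or '-'}")
```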

The end of XP support will likely affect every one of our clients if it hasn’t already. Let’s see what we can do to help smooth the transition and make sure there are no surprises left behind.