Robert Foley CEO Matrix Global Partners

Integrity and stability for business systems running Windows XP are non-negotiable—even without formal Microsoft support, hotfixes and the infamous Patch Tuesdays security must be addressed.

By now nearly everyone is aware that Microsoft dropped all support for Windows XP. The lack of enhancements and new features is acceptable in a product as old as WIN XP and will not impact regular PC usefulness. However, the lack of security patches in a product like XP that has proven to be quite vulnerable has put many organizations in significant jeopardy.

For a variety of business and technical reasons, millions of organizations worldwide are continuing to use XP PCs and must find a way to operate them securely. These organizations are facing operational risk – the XP PC operating system itself is now vulnerable to ever increasing attacks and also most, if not all, of the applications running on XP PCs may also stop being patched by their manufacturer further increasing the security vulnerability of the XP PC.

Also, a significant percentage of organizations that are still using XP PCs must maintain regulatory certifications such as PCI DSS, HIPPA, GLB, etc. The lack of security patches and the dropping of support by Microsoft means, de facto, that an organization can no longer keep their certifications unless adequate compensating controls are put in place.

The challenge with not migrating comes in the form of keeping the XP-based systems up-and-running properly—and the data they host, safe. As has been defined as a best practice for years, a fully-patched OS and patched software are essential components in keeping systems protected, stable, and supporting the business. 

Lack of support from Microsoft really means “no more Patch Tuesdays,” which in reality means zero-day attacks will be easier to create, use and/or be sold on the black market and exploited. No doubt, hackers and cyber criminals will seek out these systems, knowing they exist and are soft, squishy targets. Their capability to take over these XP systems, once discovered on the network, could be one of the easiest ways into an organization.

Already, when Microsoft issues a security update, both malware writers and security researchers begin to reverse-engineer the patch to identify the section of code that contains the vulnerability addressed by the update such that they can subsequently attempt to develop new code that allows them to exploit the now-known vulnerability on other systems that do not have the patch installed.

Once malware writers have this information from a newly-patched version of Windows Vista, Windows 7 or Windows 8, they can re-purpose it to see if the same buggy code resides in Windows XP. Chances are security updates that apply to these other versions of Windows could also apply to a now un-patchable Windows XP system.

As of the first quarter of calendar year 2014, NIST.gov published 966 network exploitable vulnerabilities affecting Windows XP. Even more frightening is the prospect that hackers are holding on to their findings, perhaps waiting to unleash them all at once now that XP has gone end of life (EOL).

Your organization may choose to migrate, obtain a Custom Support Agreement (CSA) from Microsoft, whitelist your applications, harden the system/lock down the OS, isolate XP by moving applications to a datacenter, virtualize the OS and/or application(s), or take advantage of new solutions coming onto the market that fill the gap of Patch Tuesday.

Regardless of the risks assumed with respect to keeping the business up-and-running, companies still have an ethical duty to protect their client information—if not your own intellectual property (IP) and other sensitive business data.

For more on this topic, see http://www.matrixgp.com/Files/StormShield/ExtendedXP%20Whitepaper-July2014.pdf