This is the first of a two-part blog focused specifically on Windows XP end-of-life.
When Microsoft announced their decision to End-of-Life Windows XP on April 8th, 2014, it caused quite the media stir, and continues to as we reach that date. I decided to sit down with our Director of Sales Engineering, Tom D’Aquino, to talk about what exactly this means for people who are using Windows XP after April 8th. Tom has been on the front lines of security issues like this for years, and has some useful insights and perspectives on the XP situation.
JIM: Tom, why is Windows XP end-of-life such a big deal? If Microsoft stops patching and upgrading XP, what are the real implications of this from a security perspective?
TOM: So, there are a couple of things to consider here, and the biggest is that there are literally hundreds of thousands of XP machines deployed around the world – it’s probably in the millions by now. The significance of this is that the upgrade process can be a bit cumbersome, especially for end users that don’t have a substantial amount of computer savvy or computer expertise, and there’s a limited number of IT resources, especially in the majority of companies in that small-to-medium enterprise space that have to touch every PC that needs to be upgraded. So the implications are pretty significant.
The issue here is that, as systems like Windows XP go end-of-life and we stop patching them – when the upgrades, service packs and security patches are no longer available – they become less secure. People are going to be exposed to an evolving threat landscape, and the more vulnerabilities that exist in an operating system, the more opportunity there is for an attacker to take advantage of that system and use it for whatever nefarious deeds they’re intending to carry out once they get into that system. So there’s really a lot of risk, and we’re talking about a product from Microsoft that has a massive footprint; we really have to deal with a ton of systems that potentially need to be upgraded, and it’s a monumental effort.
JIM: You bring up an interesting point, which is when you look at even just the number of point of sale systems out there that are running some version of Windows XP, it’s somewhere in the millions. Around 1.9, almost 2 million point-of-sale systems alone are running Windows XP. Then you look at the ATMs that you see here, at least in the U.S., and something in the order of about 95% of them are also running Windows XP. And that’s not even including the IT side of how various organizations are using Windows XP.
I’m wondering – do you think most IT pros have a good handle on if and where they actually have these XP machines?
TOM: It really depends on the organization. Some companies rely on an application that’s got them wedded to a particular operating system, maybe because the application hasn’t been developed further to support newer desktop or workstation operating systems. The net effect of this is that, as an operating system comes to end-of-life, these organizations are essentially stuck with using something that’s out of date, and potentially extremely vulnerable. This scenario is a good example of an organization where, even if they do have visibility into the systems that they have in place, it doesn’t matter – they can’t really do anything about it, so they’re kind of stuck.
Then you’ve got those other organizations that have a lot of disbursed field users on a particular OS, and it becomes really difficult to track specifically what operating systems those users are running, and how up-to-date they are. So in a scenario where an organization is heavily distributed in terms of its work force, it becomes very difficult to track whether we’ve got a machine that’s possibly running an end-of-life operating system.
There are a number of ways you can manage this kind of issue, especially in USM. We’ve got a passive inventory mechanism that allows us to identify systems as they come onto a network and start communicating, so we don’t need agents on the remote system, we can just look at the network communications and figure out what the operating system of a host is. So any time a field user logs in through the VPN and jumps onto the network, we’re able to see that communication and figure out, “Hey, you’ve got an XP machine that’s still alive out there in the field,” and we can report on that.
I think the ‘mom and pop’ retail shops – many of which are running a desktop operating system, or their point of sale systems directly connected to the Internet, with no security between the device and the Internet – are probably the most at risk, because they have very sensitive data that’s running through their insecure systems and out over the Internet.
JIM: When you think about the organizations that are going to get impacted, how do you think they are reacting to this right now?
TOM: I think it’s kind of like a fire sale, right? Like, “we have to figure out where are these systems that exist in our environment and what are we going to do about them? We’ve got to put a policy in place, and then we’ve got to go chase down these individual systems and get them off our network.” And not every organization is going down this route of thinking -- you’ve got the other side of the coin, where people are just completely unaware of the end-of-life status, or unaware of the systems that are on their network that are putting them at risk. So it kind of runs the gamut from just completely unaware to very alert.
Interestingly enough, those organizations that have full visibility, full awareness, and are putting policies in place to deal with it, they’re not necessarily in any better position than the guys who are unaware, because at the end of the day, it just comes down to how many systems you have on your network, and if you’ve got 10,000 hosts that you’ve got to touch to eliminate this potential risk, that’s a monumental effort that’s going to have to be undertaken to address the problem. So I don’t think awareness is really what gives you the advantage exclusively; it’s a combination of that, and having a good plan in place that is going to allow you to make sure that you’ve got the right security visibility, because patching isn’t the answer in this case. Upgrading may or may not be the answer.
It ultimately all boils down to detection, detection, detection.
JIM: A lot of organizations—small, medium and large—have compliance regulations. Some regulations are a little soft, but when you start looking at things like HIPAA, and the doctor’s offices or other businesses that need to be HIPAA compliant and are potentially running Windows XP, how do these folks handle this end-of-life? What happens, for example, when they find a vulnerability and they can’t patch it? What does that mean for their compliance?
TOM: That’s a great question. There’s a significant amount of attention that has to be applied to making sure that you’re operating within a compliance state, otherwise you get slammed with penalties and fines and all kinds of issues that crop up from non-compliance. We always say around here that being compliant doesn’t necessarily make you secure, but if you can swap that equation and start with a focus on being secure, then you’re probably going to meet your compliance requirements. At the end of the day, vulnerability scanning and asset awareness is a big piece of having security visibility, and they also happen to address a lot of compliance requirements.
If you can, you definitely want to go to the effort of trying to move vulnerable systems out of your environment in order to eliminate risk, but this isn’t a realistic approach in a lot of cases. It’s not something that can be done overnight, right? I think for a majority of auditors, what they really want to see is that you have visibility, and that you have a plan in place. They want to see that you’ve got the understanding that you have this risk, that these XP machines, for example, are on the network, that they are potentially vulnerable, that you’re trying to assess those systems and find out how vulnerable they are, and then that you’re putting a plan in place to address this. Given the fact that service packs and security patches are not going to be available, your path forward really just comes down to eradicating these systems from the environment, and you’ve just got to chip away at it one by one. As long as you’ve got a plan in place, I think your auditor is probably going to be pretty satisfied with that.
“We always say around here that being compliant doesn’t necessarily make you secure, but if you can swap that equation and start with a focus on being secure, then you’re probably going to meet your compliance requirements.” Tom D’Aquino, Director, Sales Engineering, AlienVault
JIM: When you think about the world that we’re about to move into as Windows XP goes into end-of-life, what kind of advice would you have for folks on the frontline, folks that are having to think about this problem and respond to it?
TOM: There are a number of other things you can do. I mean, it’s not all doom and gloom. It’s not like the second you go out on the Internet on a Windows XP machine, you’re going to be instantly infected. But there are certainly some things that you can do to further secure yourself. We’ve got a great blog post up already from another member of our team, Russell Spitler, and he’s gone through a pretty good look at what an organization can do to address some best practices in their organization, which is extremely useful. The thing is, this is going to be an ongoing challenge, right? This year, it’s Windows XP. In case you didn’t know, Windows XP is basically the same underlying operating system as Windows Server 2003, and Windows Server 2003 end-of-life is coming next year.
So this year it’s XP, next year it’s Server 2003. This is an ongoing challenge, and the way we deal with it is by having a good plan that includes having good awareness, good visibility, and then being prepared for the end-of-life that’s coming. On the workstation side, on your desktops, there are a number of other things that you can do there. Making sure that you’re using an up to date web browser that is as protected, or as secure and vulnerability-free as it can be, keeping your extensions or plugins to that web browser up to date as much as possible. For your Adobe Flash, Java, things like that, make sure that they’re up to date and monitor your network to identify systems that might be accessing the Internet and that aren’t up to date.
In USM, we’ve got hooks built in to identify web browsers, for example, that are using an old version of Internet explorer, or an old version of Adobe Flash or Java, so we can detect vulnerable versions of Java just by watching the network communications and seeing a web request going out. Getting visibility at this level is really useful.
JIM: That sounds good, Tom. As you take a look at this situation with Microsoft, like any other software company, they certainly have the right to decide when they want to end of service, or end-of-life one of their products. This isn’t the first time, nor is it the last time that we’re going to be facing this particular situation, especially as security issues become more top of mind for organizations who are looking to do a better job of securing their infrastructure, not just trying to meet the basics of what a compliance regulation may tell them. You know, this is an opportunity for them to really take a step back and rethink how they’re providing security to their organization, and how they’re protecting the information and the assets that they have internal to the company.
TOM: Yeah, that’s right. At the end of the day, progress marches on, right?
In the next blog post, we’ll address specifically how AlienVault’s Unified Security Management platform and Open Threat Exchange can be used to help address the security challenges that can be expected with the Windows XP end-of-life. Even if you’re not in a position to purchase products to deal with this, our open source SIEM, OSSIM, and free trial USM product can help in the weeks immediately following XP end-of-life. There are free OTX services that can help as well.
Join us for the webinar “Cover your Assets: How to Limit the Risk of Attack on your XP Assets” to learn more about handling Windows XP end-of-life in your organization.