The risks of sticking with Windows XP

Windows XP is just a few short weeks away from coming out of support from Microsoft. And that means no more updates for security vulnerabilities. So, what's that mean for businesses? Can they just carry on as if nothing has changed or will retaining Microsoft's most popular OS create new risks for the enterprise?

"There are security risks. It has been widely reported that some attacks are being stockpiled to the lead up to XP going out," said Joe Sweeney, an Advisor with IBRS.

Gartner Analyst Nik Simpson added "The risk of security breaches on systems running Windows XP beyond April 2014 is high. Malware developers are almost certainly saving Windows XP exploits until the end of life (EOL) deadline to make them more effective. In addition, malware developers will use future patches issued for later Windows operating systems as a "road map" for discovering exploitable holes in Windows XP. Therefore, maintaining security of Windows XP once Microsoft stops issuing security patches will be challenging".

"As a result those businesses that retain Windows XP will have a system that will be only able to be secured through third party solutions. The decision by many vendors of antivirus and anti-malware packages — including Microsoft — to continue support for Windows XP beyond 2014 should not be seen as an excuse to avoid migration from Windows XP," said Simpson.  

Sweeney said "As a result vendors will be able to charge what they want. In short, yes, it's an increased risk, the real risk is that the cost of maintaining that XP resource will increase dramatically. If you think that the cost of running Xp will stay the same – you're fooling yourself".

Sandeep Joshi, the Country Leader for Australia-New Zealand and Oceania at Dell SonicWALL said that "XP is vulnerable and it has been targeted by malicious attackers for a long time. Since it is coming to end of support it is definitely a more vulnerable target.

His advice is to migrate to an updated operating systems that is fully supported.

Dell SonicWALL's recent security report found that Windows XP was one of the top 15 affected products in 2013 and they expect that it will continue to realise a surge of attacks as its support life cycle is ending in 2014.

Simpson said "Leaving Windows XP unsupported will expose the company to growing risk as the number and severity of security exploits grow, and continued support from Microsoft will be costly. The number of serious security exploits for Windows XP is likely to increase rapidly as soon as Microsoft stops delivering security updates. Therefore, organisations should start the migration process as soon as possible".

Sweeney told us that there are three circumstances under which retaining XP might be an option. The first is simple inertia – IT departments have been lax in their preparations and aren’t prepared for the change. But there are some more valid reasons.

Read more: Dispelling Common Myths Surrounding UTM

"There are situations where you are locked into using XP. There's command and control equipment, or scientific equipment, that is locked to the hardware that can only run XP. In those cases, XP really needs to be considered like XP Embedded. When that piece of equipment fails it's a single point of failure– that's a very different problem," said Sweeney.

This highlights another element of the risk associated with retaining Windows XP systems. If an application requires specific hardware that can only operate with Windows XP then businesses will be caught in a situation where they may not be able to run critical applications.

The third case is legacy applications according to Sweeney. "The way that MSFT has allowed you to deal with this in the past has been to downgrade to XP and use virtualisation," he said. "There's now no way to do that unless you're under Software Assurance".

Businesses in this position will find that their licensing costs will increase significantly as they will require both Software Assurance and virtualisation.

"Anybody who is currently running legacy applications and thinking that they can simply downgrade to XP without Software Assurance is out of compliance with Microsoft licensing. Being out of compliance is a serious risk," said Sweeney.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityIBRSsecurity vulnerabilitiesDell SonicWallanti-malwareSandeep Joshiantiviruswindows xpGartner

More about DellDell SonicWALLGartnerIBRSLeaderMicrosoftSonicWall

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place