Keeping Windows XP? Revisit your security before 'potentially cataclysmic' April 8

A lull in the rate at which new exploits for Windows XP are being released has many in the security community convinced that hackers are stockpiling exploits for a mass attack on remaining XP-based computers once Microsoft discontinues support for the operating system on April 8.

The looming threat has companies at all different points on the crisis severity scale, according to Dimension Data national security manager Jason Ha, who says he has seen some companies aggressively moving off of the platform, others shelling out significant fees to buy Microsoft's optional ongoing support, and others simply hoping for the best.

“This is like Y2K all over again,” Ha told CSO Australia. “There are some who have done active assessments, understood where their exposure is, where they still have an XP fleet and are going to manage the exposure. Then there are those who say 'I don't have a lot of time to really do anything, haven't prepared any budget or business case to put anything in place, and so let's just see what happens'.”

This “pray and hope philosophy” could backfire if hackers do indeed take advantage of what Ha, who said he is “not a big fan of promoting FUD”, believes is likely to be a time of reckoning for those organisations still using Windows XP.

“In security we never know when the next incident is around the corner,” he said, “but it's rare to be facing something as potentially cataclysmic as we're facing from an XP perspective. You definitely get the feeling that there are a lot of would-be attackers holding onto a lot of unpublished vulnerabilities to release at that time.”

The pervasiveness of XP – which is installed not only in high-visibility and well-managed desktop PCs but is often embedded in a range of 'black box' devices – magnifies the risk of even a few unpatched vulnerabilities to the average organisation.

That doesn't mean organisations are powerless against the potential onslaught, however. Ha recommends that companies that are going to have Windows XP systems in place after the April 8 deadline take three steps to minimise their potential losses by ensuring that their network environments are secure.

“In that school of thought, they should turn to security organisations to try to implement what are classified as compensatory controls,” he explained. “It doesn't necessarily mean they need to buy anything new.”

The three controls are securing the channel – the communications between XP and the outside world – securing the system, and securing the rights to the system.

Securing the channel involves ensuring that secure gateways are in place to protect against incursions from the outside world, and watching incoming and outgoing traffic for suspicious activities or signatures.

Since Microsoft will no longer be patching Windows XP, the idea of securing the system includes 'virtual patching' – relying on security updates from third parties that can fix the same issues.

“Just because Microsoft aren't going to release a patch for a certain vulnerability that exists, doesn't mean a security vendor isn't going to release a patch for their own product that will stop it,” Ha explained. “If you can do that on the network and are using something like a network intrusion appliance, it can apply protection on the network to stop attacks coming in.”

Finally, the idea of restricting rights offers an additional layer of protection “so the malware can't do what it wants to do,” Ha said. “There are technical and process ways of doing that.”

“It comes down to how an organisation is structured,” he continued. “For example, a lot of systems administrators have given users administrator rights. If you have a way of restricting that, then users only have access to do what they need to do from a day job perspective. If they get hit by malware, the damage that can then be done by that would be minimal.”
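One way to turn the "restrict rights" control into a repeatable check across a remaining XP fleet, as an added example that is not from the article or from Dimension Data: it lists domain computers still reporting Windows XP, reads each one's local Administrators group over WMI, and flags members that are not on an allow-list. It assumes the ActiveDirectory module (RSAT) on the admin workstation, WMI reachable on the XP hosts, and the constructed domain name and allow-list shown.

```powershell
# Added example (not from the article): audit local Administrators membership on
# remaining Windows XP hosts found in Active Directory. Assumes the ActiveDirectory
# module (RSAT) on the admin workstation and WMI reachable on the XP hosts.
Import-Module ActiveDirectory

# Accounts that legitimately belong in local Administrators (constructed example values).
$Allowed = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\XP-Support')

# Find domain-joined computers still reporting an XP operating system.
$XpHosts = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

$Findings = foreach ($Computer in $XpHosts) {
    try {
        # Win32_GroupUser maps local groups to their members; keep only the local Administrators group.
        $Members = Get-WmiObject -Class Win32_GroupUser -ComputerName $Computer -ErrorAction Stop |
            Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
            ForEach-Object {
                # PartComponent looks like: \\HOST\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="jdoe"
                if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                    # Local accounts carry the host name as their domain; report them by bare name.
                    if ($Matches[1] -eq $Computer) { $Matches[2] } else { "$($Matches[1])\$($Matches[2])" }
                }
            }
    } catch {
        # Unreachable hosts are findings too: an XP box nobody can audit is still an XP box.
        [PSCustomObject]@{ Computer = $Computer; Member = $null; Status = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($Member in $Members) {
        [PSCustomObject]@{
            Computer = $Computer
            Member   = $Member
            Status   = if ($Allowed -contains $Member) { 'expected' } else { 'REVIEW: unexpected local admin' }
        }
    }
}

# Show unexpected admins and unreachable hosts first, then keep the full audit for tracking remediation.
$Findings | Sort-Object Status -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path .\xp-local-admin-audit.csv -NoTypeInformation
```

Each row marked REVIEW is a user account whose day-to-day work should be checked against the need for local admin rights before the April 8 deadline.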

Although caution is of course prudent in the leadup to April 8, Ha is careful to point out that expectations about hackers' behaviour after that day are still just predictions. There might be no obvious difference at all, or there might be a flood of attacks as malware-as-a-service networks unleash previously unknown exploits in their dozens.

“There will probably be some initial testing, and it will build up to something more significant,” he explained. “Especially the way attackers work today: while most organisations are still struggling with the concept of moving to the cloud, the hackers did that ages ago. You never know when the next incident is around the corner.”

Stories by David Braue