A lull in the rate at which new exploits for Windows XP are being released has many in the security community convinced that hackers are stockpiling exploits for a mass attack on remaining XP-based computers once Microsoft discontinues support for the operating system on April 8.
The looming threat has companies at all different points on the crisis severity scale, according to Dimension Data national security manager Jason Ha, who says he has seen some companies aggressively moving off of the platform, others shelling out significant fees to buy Microsoft's optional ongoing support, and others simply hoping for the best.
“This is like Y2K all over again,” Ha told CSO Australia. “There are some who have done active assessments, understood where their exposure is, where they still have an XP fleet and are going to manage the exposure. Then there are those who say 'I don't have a lot of time to really do anything, haven't prepared any budget or business case to put anything in place, and so let's just see what happens'.”
This “pray and hope philosophy” could backfire if hackers do indeed take advantage of what Ha, who said he is “not a big fan of promoting FUD”, believes is likely to be a time of reckoning for those organisations still using Windows XP.
“In security we never know when the next incident is around the corner,” he said, “but it's rare to be facing something as potentially cataclysmic as we're facing from an XP perspective. You definitely get the feeling that there are a lot of would-be attackers holding onto a lot of unpublished vulnerabilities to release at that time.”
The pervasiveness of XP – which is installed not only in high-visibility and well-managed desktop PCs but is often embedded in a range of 'black box' devices – magnifies the risk of even a few unpatched vulnerabilities to the average organisation.
That doesn't mean organisations are powerless against the potential onslaught, however. Ha recommends that companies that are going to have Windows XP systems in place after the April 8 deadline take three steps to minimise their potential losses by ensuring that their network environments are secure.
“In that school of thought, they should turn to security organisations to try to implement what are classified as compensatory controls,” he explained. “It doesn't necessarily mean they need to buy anything new.”
The three controls are securing the channel – the communications between XP and the outside world – securing the system itself, and securing the rights users hold on the system.
Securing the channel involves ensuring that secure gateways are in place to protect against incursions from the outside world, and watching incoming and outgoing traffic for suspicious activities or signatures.
Since Microsoft will no longer be patching Windows XP, the idea of securing the system includes 'virtual patching' – relying on security updates from third parties that can fix the same issues.
“Just because Microsoft aren't going to release a patch for a certain vulnerability that exists, doesn't mean a security vendor isn't going to release a patch for their own product that will stop it,” Ha explained. “If you can do that on the network and are using something like a network intrusion appliance, it can apply protection on the network to stop attacks coming in.”
Finally, the idea of restricting rights offers an additional layer of protection “so the malware can't do what it wants to do,” Ha said. “There are technical and process ways of doing that.”
“It comes down to how an organisation is structured,” he continued. “For example, a lot of systems administrators have given users administrator rights. If you have a way of restricting that, then users only have access to do what they need to do from a day job perspective. If they get hit by malware, the damage that can then be done by that would be minimal.”
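One practical way to find where the admin-rights problem Ha describes actually exists, as an added example that is not from the article or from Dimension Data: a PowerShell script run from an administrator's workstation that lists the local Administrators group on a set of hosts through the ADSI WinNT provider (which works against XP machines with no PowerShell installed) and flags any member not on an allow-list. The hostnames and the allow-list are constructed placeholders, and the script assumes the account running it can query the remote hosts.

```powershell
# Added example, not the article's or Dimension Data's code.
# Audits local Administrators group membership across a list of hosts and
# reports members that are not expected to hold admin rights.
$Computers = @('XP-FINANCE-01', 'XP-LAB-02')       # constructed sample hostnames
$Allowed   = @('Administrator', 'Domain Admins')   # accounts expected to hold admin rights

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # WinNT provider reaches the local SAM of the remote machine, including XP
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; read its Name and ADsPath via reflection
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $name
            Path     = $path
        }
    }
}

foreach ($c in $Computers) {
    try {
        Get-LocalAdminMembers -ComputerName $c |
            Where-Object { $Allowed -notcontains $_.Member } |
            ForEach-Object {
                # Anything not on the allow-list is a candidate for rights removal
                Write-Output ("{0}: unexpected local admin '{1}' ({2})" -f $_.Computer, $_.Member, $_.Path)
            }
    } catch {
        # Unreachable or access-denied hosts are reported rather than silently skipped
        Write-Warning ("{0}: could not query ({1})" -f $c, $_.Exception.Message)
    }
}
```

The output is an inventory to act on: each flagged entry is a user or group whose admin rights can be reviewed and, where not needed for the person's day job, removed.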
Although caution is of course prudent in the lead-up to April 8, Ha is careful to point out that expectations about hackers' behaviour after that day are still just predictions. There might be no obvious difference at all, or there might be a flood of attacks as malware-as-a-service networks unleash previously unknown exploits in their dozens.
“There will probably be some initial testing, and it will build up to something more significant,” he explained. “Especially the way attackers work today: while most organisations are still struggling with the concept of moving to the cloud, the hackers did that ages ago. You never know when the next incident is around the corner.”