In case you haven’t heard, Microsoft is going to deliver its final security update to Windows XP on April 8, before permanently discontinuing support for the platform. Patches for Internet Explorer 8 on Windows XP will also cease to be produced.
In niche industries, legacy software like Windows XP is common: medical equipment, ATMs, point of sale systems that run businesses and handle credit card data, industrial control systems used by power companies, kiosks, displays in hotels and airports, etc. You have probably noticed the default Windows XP screen saver on your local restaurant’s computer terminals. Many of these systems will likely remain in use after Microsoft stops providing security patches because of the cost to upgrade and a fear of disrupting business.
As new vulnerabilities are discovered that could allow hackers to gain access, these systems won’t be able to repel attacks. Just how bad is this threat? A few data points will illustrate the severity of not receiving security patches for newly discovered vulnerabilities moving forward.
It is possible for technicians to implement defensive measures that mitigate risk as new vulnerabilities are discovered, but that requires an advanced understanding of Windows internals, network security, and sophisticated hacking techniques. Most of the people supporting these niche systems don’t have that level of expertise.
The main concern is the possible future outcomes, which could include the theft of cash from ATMs, credit card data theft from point of sale systems, espionage against systems that support our critical infrastructure, extortion, theft of personal information, and disruptive attacks that take systems offline. All these attack outcomes will result in significant losses for the affected victims, both monetary and reputational. As was witnessed in the wake of the Target security breach in the U.S., there’s a tremendous impact on customer confidence that directly translates into lost profit, lawsuits, and regulatory fines.
The Middle East will witness high profile attacks early this year directly related to the vulnerabilities in Windows XP being exploited. Only then will organizations make it a priority to upgrade equipment. The information security community witnessed the same thing happen when Windows 98 and Windows 2000 were retired.
If your organization still relies on Windows XP, it is strongly recommended that you start planning now to move to either Windows 7 or Windows 8 to avert future problems. If there is unwillingness to upgrade, there are some steps that can be taken to reduce the risk.
Don’t say you haven’t been warned!
Paul Wright is manager of the professional services and investigation team, Middle East, India and Africa at AccessData. Paul has extensive experience in the investigation of cybercrime, incident response and IT security, and in this role he is engaged on a daily basis in incident response and forensic investigations, services that help customers who have been the subject of a security breach and those who want to protect themselves from such a breach. Prior to joining AccessData, Paul worked for Verizon as a forensic and investigation consultant, and prior to that he was within UK law enforcement for 26 years at a local, national and international level and spent the last 10 years of his detective career specializing in Internet, network and computer investigations.