After April 8, you should be very watchful and wary of ‘security updates’ for Microsoft systems, and here’s why: Microsoft ends its support for Windows XP on that date, so every fix shipped for the newer systems becomes a map to flaws that will never be patched in XP. Timothy Rains, director of trustworthy computing at Microsoft, says “the probability of attackers using security updates for Windows 7, 8, and Vista to attack Windows XP is about 100 percent.”
The significance of this long-foretold moment may be felt hardest by the financial, retail, and energy industries, as well as government. The majority of ATMs, many Point-of-Sale (POS) systems, lots of systems within our critical infrastructure environments (and certainly our power grid), and a large percentage of government systems are still running this version of Microsoft’s 2001 operating system (in many cases it’s embedded XP, which Microsoft has committed to supporting a while longer, but some do have the regular XP OS in place).
Approximately 40% of PC users still run desktop versions of Windows XP as well. Windows XP has been regarded by many as the best version of Windows ever. As with all Microsoft OSes, it has certainly been patched a lot; check out this list of XP CVEs. And in 2007, when Microsoft first tried to move people off of it, people flatly refused to upgrade.
The good news is (per Microsoft) that there’s a fix: upgrade to Windows 8.1, an OS that has been fraught with highly publicized vulnerabilities since it launched. Or, potentially, purchase extended support from Microsoft at a fat price tag. (What are they quoting your organization for individualized XP software support, and how encompassing is it? I’d love to hear. I’ve heard that support in year two could incur a five-times multiple!)
Here’s the bad news: ATMs are a sweet spot for hackers, many well-organized groups have hit the news with successful cash grabs, and now they’re about to become an even easier target. Estimates are that 95% of bank ATMs will be vulnerable to XP hackers after April 8.
The ATM industry is a patchwork of thousands of terminals, ranging from national banks and their satellite cash locations to individual convenience stores, doughnut shops, beach-side delis, and outmoded ATMs on back roads. It’s difficult to get all of these systems upgraded at once, and many machines cannot be updated remotely.
Many may require a complete physical replacement, since they lack the computing power to be upgraded in place. Aravinda Korala, CEO of ATM software provider KAL, believes only 15 percent of ATMs in the U.S. will be upgraded by April 8. Many banks are paying Microsoft to extend support for XP on cash machines while they make the switch to Windows 7, according to Reuters.
So while it’s not quite the apocalypse, it is going to be a very risky period for XP users. Hackers will have significant opportunity with XP, and you should ready your organization. If you can’t securely upgrade before April 8, at least prepare to harden your configurations as much as possible in advance, and definitely step up security awareness within your user environment.
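Before you can harden or replace anything you need to know which hosts are affected. The script below is an added example, not Tripwire’s or Microsoft’s code: it triages a constructed asset inventory, separating regular XP hosts (no more public security updates after April 8, 2014) from embedded XP hosts (supported a while longer, so the exact end date must be confirmed per SKU). The hostnames, roles and OS strings are made up for illustration; in practice you would feed in an export from your asset system or directory in the same shape.

```python
"""Triage a host inventory for Windows XP exposure after the 2014-04-08 end of support."""
from datetime import date

XP_END_OF_SUPPORT = date(2014, 4, 8)  # last day of public updates for regular XP editions

# Constructed sample inventory: (hostname, operating system string, role)
INVENTORY = [
    ("atm-0412", "Windows XP Professional SP3", "atm"),
    ("hmi-sub07", "Windows XP Embedded SP3", "scada"),
    ("ws-finance-12", "Windows 7 Professional SP1", "desktop"),
    ("ws-recept-01", "Windows XP Home Edition SP2", "desktop"),
]


def classify(os_name: str) -> str:
    """Return 'xp-embedded', 'xp', or 'other' for an OS product string."""
    name = os_name.lower()
    if "windows xp" not in name:
        return "other"
    # Check the embedded variant first: its string also contains "Windows XP".
    if "embedded" in name:
        return "xp-embedded"
    return "xp"


def triage(inventory, today: date):
    """Flag hosts whose OS will receive no more public security updates.

    Returns a list of (hostname, role, status) for every XP-family host.
    """
    findings = []
    for host, os_name, role in inventory:
        kind = classify(os_name)
        if kind == "xp":
            if today > XP_END_OF_SUPPORT:
                status = "UNSUPPORTED"
            else:
                status = f"ends in {(XP_END_OF_SUPPORT - today).days} days"
            findings.append((host, role, status))
        elif kind == "xp-embedded":
            # Embedded XP stays supported longer; confirm the date for the specific SKU.
            findings.append((host, role, "embedded - verify support end date"))
    return findings


if __name__ == "__main__":
    for host, role, status in triage(INVENTORY, date(2014, 4, 9)):
        print(f"{host:15} {role:8} {status}")
```

Sort the resulting list by role: ATM and POS hosts that cannot be patched remotely are the ones to schedule for physical replacement first.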