|July 19, 2014|
Previously published on July 15, 2014
Microsoft officially ended support for Windows XP in April 2014, but not everyone has made the decision to upgrade their operating systems. By choosing to stick with Windows XP, users may be leaving themselves vulnerable to security risks that would not be present if a different operating system were used. There are serious implications for businesses operating on the Windows XP platform, particularly when sensitive information, such as customers’ credit card information, personal information or even company trade secrets, is being stored on these machines.
Certainly, companies have their reasons for not upgrading, including cost and lack of compatibility of programs that have been used for years with newer operating systems such as Windows 7 or Windows 8. The risks of not upgrading may not be self-evident because Windows XP will continue to function as it has in the past. However, users will no longer receive security updates for vulnerabilities in Windows XP. Even more concerning is that cyber criminals have reportedly developed ways to exploit Windows XP vulnerabilities, saving them for when security patches are no longer being developed and deployed.
Another important consideration is the impact the Windows XP end of life will have on embedded systems used in point-of-sale (POS) systems. Microsoft has extended support on Windows XP Embedded for POS systems until 2016, but support for Windows XP Professional for embedded systems expired in April. Some merchants may be unaware that their POS system is running XP and could unknowingly expose customer payment card data to malware, especially as the number of attacks on retailers increases.
Vulnerability, Stopgaps and Noncompliance
Additionally, operating a single Windows XP machine can leave a business vulnerable to a breach. As the saying goes, “a chain is only as strong as the weakest link” and even a single Windows XP machine could provide a potential intruder with a window into your network environment, and that computer can serve as a pivot point for an attack on other systems.
Although upgrading is recommended by many, there are certain stopgaps, such as application white-listing, monitoring and profiling of activity, multifactor authentication and web application fire walls, that can increase protection and help to improve security. Where Windows XP machines exist, segmenting them from the rest of the network would restrict their ability to communicate with any other devices in the network, except other Windows XP machines and the router. This would enable quick containment of any attacks exploiting the vulnerabilities in Windows XP onto those machines. Simply using a browser other than Internet Explorer, such as FireFox or Chrome, may also aid in securing a computer, as those browsers will presumably continue to be updated.
Even with stopgaps in place, there is the potential that continuing to use Windows XP may result in businesses’ noncompliance with regulatory standards such as HIPAA, HITECH, PCI DSS, FISMA, GLBA, SOX, and ISO 27001, which require organizations to monitor their networks in real time, ensure high levels of security and provide network compliance audit reports to auditors on demand. Noncompliance means spending a lot of money and time upgrading systems and covering the increased cost of future compliance.
Of course, the safest course may be to upgrade from Windows XP if at all possible. The short-term savings of not doing so could be substantially outweighed by the costs of responding to a data breach, responding to regulatory investigations or defending a lawsuit.