The Windows XP Zombie Apocalypse
The countdown is finally over for those looking for extended life support for XP (unless they've inked a deal). But are they still secure?
Indeed, many vendors have already committed to continued support for Windows XP as a platform upon which their products will run, which sounds a lot more reassuring than it actually is in real world terms.
The start and finish of such 'protection' is really just your web browser and email client targeted stuff, whereas the start and finish of the XP security argument has to be the not so small matter of the first time someone exploits a low-level OS vulnerability which enables them to circumvent any such AV defence.
At the very least, then, enterprises with XP devices still operating need to limit the use of browsing or email (preferably to zero) while locking those machines down to running specific 'safe' software as far as possible. Filter any traffic going to and from an XP device more aggressively, and up your monitoring of these devices. Isolate XP instances where possible, use whatever network security resources you have to up the inspection of them, and even consider running your instances of XP on Virtual Machines.
All of this is good advice, but it's still akin to placing a sticking plaster on a gangrene infected leg. The only real solution is amputation. It's not too giant a leap of the imagination though. There are plenty of IT security professionals out there supporting this scenario to suggest that the bad guys are already sitting on a XP zero-day or two just waiting for security updates to expire before using it in the wild.
Some people point to nothing much having happened when Windows 2000 reached end of life status, back in 2010, and others point further back in time to the end of life of Windows 95. However, while the scale of both from the user base was large, more so in the case of Windows 95, the IT security threat landscape was entirely different.
Now that threatscape is both much broader by way of the number of devices that are at risk, and bizarrely also much more targeted by way of the end game. Fewer threats fall into the 'nuisance' category and far more have a payload of monetary gain. Only a fool would argue that the security threats today are not a lot more sophisticated than they were four years ago, and certainly in an entirely different league from 13 years ago when XP burst onto the scene.
The truth of the matter is that XP just isn't as prepared. Despite all the updates and patches, it remains unable at its very core to deal with the kind of threats out there today. Windows upgrades are not just about Microsoft hunting for more revenue (although obviously that's a part of it) but are also about improving the user experience and, most importantly from the perspective of the IT security professional, about bringing ever increasingly advanced security to the OS. Sure, the haters will hate, as they say, but that's fact.
Each point upgrade of Windows has been more secure than its predecessor. XP is so old now that it stands to reason that even if it had not reached end of life, the devices running it would be considered more of a risk, in fact a significantly higher risk, from the security perspective than those running Windows 7 or 8.
Yes, the 'XP Apocalypse' scenario sounds familiar to the 'Y2K Bug Disaster' in some ways. And everyone knows that never actually happened. However, one of the reasons the Y2K bug never materialised is that people were prepared, and took those preparations seriously. The same cannot be said of XP end of life. Plenty of people who should know better have buried their heads in the sand rather than commit the time and money required to move to a supported, and therefore better secured, OS platform.
Advice such as 'ensure any XP machines cannot access the internet via email clients or web browsers' is sound enough, given that most attacks are likely to come from this vector, but better advice is to smell the coffee and migrate away from XP as soon as possible.
In This Article
Application security fallacies and realities
Web application attacks are the most common vulnerability, so what is the truth about application security?Download now
Your first step researching Managed File Transfer
Advice and expertise on researching the right MFT solution for your businessDownload now
The KPIs you should be measuring
How MSPs can measure performance and evaluate their relationships with clientsDownload now
Life in the digital workspace
A guide to technology and the changing concept of workspaceDownload now