April 8, 2014 has come and gone and you may be wondering what all the fuss was about.
After all, the bad guys haven’t come out of hiding, wreaking havoc on those who still have instances of Windows XP running on their networks.
Actually, it’s been quite quiet. Stories of exploits of unpatched and previously unpublished security holes that infiltrated Windows XP haven’t made headlines.
Surely, the bad guys haven’t just disappeared or given up on XP?
And a ruse it certainly was not (we ALL know that XP was a patchy piece of work).
However now we can see the start of things to come, with a zero-day exploit for Internet Explorer identified over the weekend.
And, yes, XP machines with Internet Explorer are vulnerable and there will be no patch for them. Read more.
The real opportunity for hackers will be the May updates. When these come out, anything affecting Vista/7/8/2008/2012/Server 2003 will likely be tested on XP by malicious people. If it is, it will be open and vulnerable for the bad guys to reverse engineer.
It’s not only the operating system you have to think about, but older applications that only run on XP. These may also be out of support now and could be vulnerable also – if not today, in months to come.
It’s our job to plan for the worst case scenario. Hearing nothing doesn’t mean it’s not happening. For those of you with kids, sometimes the quietest times are when you worry most!
It’s not in the hackers’ interests for us to know they are already there. They would far rather remain in stealth mode for as long as possible, stealing what they can, while we don’t know about it.
Your weakest link?
Product lifetimes are usually around two years, yet Windows XP has been around since 2001. During its lifetime there has been a fundamental shift in the malware industry – and XP was not well equipped to deal with the new types of malware which the new security industry had to face.
The aging operating system was not written with a strong security focus and it became a weak link in the security chain with many exploits targeting it specifically.
Now that Microsoft has stopped supporting patching of Windows XP, the operating system becomes much more vulnerable. Any exploits found in XP will never be fixed leaving it a sitting duck.
So what can you do?
Suggesting an upgrade to a newer operating system is a given – but of course if you haven’t done that yet, it’s probably for good reason.
Typically, the strongest reason being that some legacy systems are too costly to upgrade or are simply not supported. So if you are still stuck using XP how can you minimise the risks for your business?
Step 1 – Make an inventory of all your IT assets
First and foremost you should know exactly how many Windows XP machines are still out there so you know which areas of your network are the weak spots.
Step 2 – Plan an upgrade path
Where possible, despite the reasons for not upgrading, you should still have a firm plan for upgrading from Windows XP to a later operating system, at a time that works best for you and the business.
Step 3 – Disconnect the XPs from the Internet / email
Definitely the strongest security risk is presented by users browsing the internet or opening emails on vulnerable XP machines. If you still need to use XP, make sure that these machines are not able to connect / browse the Internet.
You should create a separate “dirty” subnet on your network which does not have Internet connectivity. Moreover, this subnet should have little to no access to your corporate network so that if any malware gets to this network it cannot make the hop to your main network.
Step 4 – Install multiple protection mechanisms
If despite everything, your XP machines still need to be connected to the Internet – it is highly recommended that multiple protection mechanisms are put into place. Definitely a good antivirus should be your first consideration.
Patch management to ensure that the operating system and no other software is vulnerable on a machine should also be installed. A good web filtering software or agent should be installed such that users are protected from visiting any malicious websites.
Users will most likely be accessing email, so these should be sanitised before they reach the employee’s inbox. When all the above have been checked, then employees should be allowed online and browsing kept to a minimum.
Step 5 – Always remember to educate
Education is a must. You will find that employees do not want their machine infected by malware. In many cases they are simply unaware of the risks as a result of the many essential tools in use today.
Explain the risks they run while browsing the web or opening emails. A malware infection is a headache for the IT admin, but it’s definitely not fun for the employee either.
Lightening the load
If you don’t have the right tools in place, basic asset tracking software is a good place to start. It’s a faster way to create an accurate inventory of network and to identify those vulnerable XP machines, even those that are rarely in the office.
With the inventory in hand, you can plan the upgrade to a newer system as well as deploy antivirus, patch management and web protection to mitigate the risks these computers pose to your network.
By David Attard, GFI WebMonitor Product Manager, GFI Software