Microsoft’s decision to switch off all support for Windows XP, some dozen years after it first made its entrance, is a momentous one. Those who have doggedly stuck by this much loved operating system, failing to be enticed into the arms of Vista, Windows 7 and Windows 8, will receive no further free updates or security patches (as of April 8, 2014).
Lots of software goes down the end-of-life path, of course, and disappears into the mists, to be replaced by the latest updates. But, to paraphrase a major retailer’s advertising slogan, ‘This is no ordinary software. This is XP software’ – an OS that, by latest calculations, is still run by something like a quarter to one-third of desktops globally. And waiting in the dark corners for the plug to be pulled have been the cyber criminals, ready to leap in and exploit the situation. In fact, they are thought to have been planning their post-support XP attacks for some time, targeting vulnerabilities that are already known to them, but not yet exploited.
Symantec has pledged to continue to support Windows XP systems for the foreseeable future, but we strongly recommend that enterprises still using Windows XP upgrade to a more current operating system as soon as possible and protect it with a robust security solution. Because it isn’t just desktop users that should be bracing themselves for a backlash. In the age of industrial IT (bespoke systems) and the ‘Internet of Things’ (eg, kiosks), Windows XP and XP Embedded are to be found everywhere. For example, many of the world's cash machines are thought to be still running Windows XP (Reuters reports that it still runs on 95% of ATMs worldwide), while the OS is at the heart of countless industrial control systems (ICS). Moreover, many of these systems are critical – for instance, part of a manufacturing plant (eg, a robot control system) – and cannot be touched with updates anyway. So, even if the underlying operating system were supported and a patch were available, the chances are that the organisation wouldn’t be able to perform the update for extended periods of time.
Against this backdrop, how can organisations keep themselves safe? One favoured means of guarding against potential vulnerabilities is to rely on either a ‘deny list’ or an ‘allow list’ approach. With the former, you put together a list of all the perceived ‘negative’ or ‘bad’ conditions that might arise and then block anything on that list. With an allow list, you compile a list of all the known-good conditions and then verify that the input received and the behaviour of the system comply with this; anything not on the list is blocked.
Which to use? It’s very much a matter of horses for courses. Indeed, they have very different use cases and advantages, depending on circumstance. Deny-listing is a really suitable method to protect highly mobile and fluid environments, such as where laptops are using browsers and downloading plug-ins etc. Here, we are looking at traditional malware detection, with some highly modern techniques, such as reputation filtering and behavioural analysis, that are extremely effective at blocking known and ‘zero day’ type attacks.
However, this is not ideal when you cannot keep critical systems up to date with new signature files. In that situation, where the system has a fixed function and updates do not take place on a regular basis, such as a domain name server or a cash machine with a very simple function, why not lock that function down? And it is here that allow-listing comes very much into its own.
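The two approaches side by side, as an added example that is not part of the original post or Symantec's products: a hash-based deny list and a path-plus-hash allow list are both run over constructed process-launch events for a fixed-function host (the paths, file contents and hashes are all constructed stand-ins). The allow list blocks the never-before-seen binary and the tampered copy of a legitimate one, which the deny list lets through.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash the executable's bytes; the allow list keys on path and hash."""
    return hashlib.sha256(data).hexdigest()


# Allow list for a fixed-function host (constructed): the only executables
# that should ever run on it, tied to the hash of their approved build.
KNOWN_GOOD = {
    r"C:\atm\dispense.exe": sha256_hex(b"constructed dispense.exe v1"),
    r"C:\atm\cardreader.exe": sha256_hex(b"constructed cardreader.exe v1"),
}

# Deny list (constructed): hashes of malware that has already been seen.
KNOWN_BAD = {sha256_hex(b"constructed known-bad dropper")}


def denylist_verdict(path: str, content: bytes) -> str:
    """Block only what is already known to be bad; everything else runs."""
    return "block" if sha256_hex(content) in KNOWN_BAD else "allow"


def allowlist_verdict(path: str, content: bytes) -> str:
    """Run only an approved binary at its approved path with its approved hash."""
    expected = KNOWN_GOOD.get(path)
    if expected is None or expected != sha256_hex(content):
        return "block"
    return "allow"


# Constructed process-launch events: (path, bytes of the file being launched).
EVENTS = [
    (r"C:\atm\dispense.exe", b"constructed dispense.exe v1"),        # approved
    (r"C:\atm\cardreader.exe", b"constructed cardreader.exe v1"),    # approved
    (r"C:\Temp\update.exe", b"constructed known-bad dropper"),       # known malware
    (r"C:\Temp\svc.exe", b"constructed never-before-seen payload"),  # unknown binary
    (r"C:\atm\dispense.exe", b"constructed dispense.exe TAMPERED"),  # modified binary
]


def compare(events):
    """Return (path, deny-list verdict, allow-list verdict) for each event."""
    return [(p, denylist_verdict(p, c), allowlist_verdict(p, c)) for p, c in events]


if __name__ == "__main__":
    for path, deny, allow in compare(EVENTS):
        print(f"{path:26} deny-list: {deny:5}  allow-list: {allow}")
```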
All well and good, but, in the world of ICS, the challenges are even greater. Take an ATM, for example. It was most likely designed five years ago, with its software and control system shipped three years after that. There are only two years of its OS life left, yet it may be out in the field for another three years. Once there, all bets are off. It may have a vulnerability, but, being a control system, it isn’t acceptable for it to be taken out of service, so such systems are often left untouched and at the mercy of exploitation, especially where a patch is no longer available. Similarly, if you are designing a multimedia system for a car, the lead time might be 10 years, and much of that Internet-connected technology might be vulnerable to attack by the time it is out on the road.
The same applies to a vast range of other equipment, such as medical devices. A CAT scanner, for example, is highly vulnerable to attack, as it will be attached to the network. You may seek to introduce critical system protection retrospectively, but that might invalidate any warranty. And the solution? Well, you can do nothing and keep your fingers crossed, or go to the software manufacturer and buy a special support package for end-of-life systems, but that can be astronomically expensive.
The most effective – and cheapest – way to stay secure from attack is to be as far left of the incident as possible from the outset, by making sure security is embedded into the very core of the design process and locking that down. You can’t account for everything, but you can dramatically reduce the risk. You also need to look at the supply chain, as that is an easy way in for cyber criminals: a critical piece of security may be eliminated there, compromising the final product.
So, as we say our goodbyes to Windows XP support, it’s worth remembering that this is but one of a multitude of vulnerabilities out there in the field and that, for any organisation, staying safe is also very much about change management – and protecting the organisation from itself.