Sometimes technology evolves in such a way that continuing to run an outdated version of a product not only puts a company or individual at a disadvantage but actually increases exposure. Such is the case for organizations still running Windows XP or Microsoft Office 2003 as April 8, 2014, dubbed “Permanent Zero Day,” arrives: from that date Microsoft ships no further security fixes for either product, so any vulnerability discovered afterward stays unpatched indefinitely.
The stark reality is that any system or organization relying on these products is now exposed to greater IT infrastructure security risk and to potential violations of security compliance standards. Most importantly, once Microsoft stops issuing critical security updates for XP, these systems no longer have vendor support, which leaves them increasingly vulnerable to viruses, spyware, malware and other constantly evolving threats to business data and information. In other words, it is not just a company’s reputation that is at stake. Beyond appearing antiquated or out of touch, businesses slow to migrate now run the very real, tangible risk of having their operations and information assets compromised.
New risks come with old systems
The much-publicized data breach of retail giant Target and its point-of-sale systems this past holiday season hinted at the capabilities of today’s attackers, who discover new vulnerabilities and loopholes daily. Windows XP is a particular concern now that support has ended: any flaw found from here on will never be fixed, and many analysts expect XP’s End of Life to encourage criminals to seek out and exploit new weaknesses, and to keep taking advantage of organizations that are slow to adjust.
After Permanent Zero Day, the assumption is that old anti-virus software and network firewalls will no longer be sufficient on their own to secure data and keep systems safe; an up-to-date AV engine or firewall can block some exploit traffic, but it cannot close a hole in the operating system itself. The problem also spreads beyond the OS: third-party vendors will progressively stop patching, updating and supporting their XP-compatible software once the platform underneath it is no longer maintained. Therein lies the seriousness of the issue for any organization, large or small, that has not yet taken proactive measures.
Businesses required to adhere to federal or other industry standards may already have been forced to adopt a newer operating system. With Microsoft’s technical support for XP gone, security regulations that call for supported and patched software will, one way or another, effectively make Windows XP non-compliant.
Impact on the health care and financial services industries
Hospitals, health care systems and smaller medical practices risk being deemed non-compliant under HIPAA if there is a lapse in required security controls.
The HIPAA Security Rule, at 45 CFR 164.308(a)(5)(ii)(B), calls for “procedures for guarding against, detecting and reporting malicious software.”
In other words, installing security updates is no longer simply a best practice; it is essential. Even one Windows XP computer connected to the network could be deemed a HIPAA violation going forward, and the ramifications become far more serious if a breach of electronic protected health information (ePHI) actually occurs. It is no longer enough to have anti-virus, encryption or firewall protection in place if it sits on an operating system that will never be patched again and therefore cannot withstand attacks against the platform itself.
Banks and lenders adjusting their systems are expected to follow the guidance in the FFIEC Information Technology Examination Handbook. In addition, Requirement 6.1 of the Payment Card Industry Data Security Standard (PCI DSS), which applies to any organization that stores, processes or transmits cardholder data, not only banks, states that they must “Ensure that all system components and software have the latest vendor-supplied security patches installed” and “deploy critical patches within a month of release.” (In PCI DSS 3.0 the same patching requirement is numbered 6.2.) An operating system whose vendor no longer issues patches cannot satisfy either clause.
Any ATMs or point-of-sale systems still running XP will therefore be deemed non-compliant. According to Bloomberg, an estimated 95 percent of cash machines ran XP, so most of them will need compensating controls to meet the Payment Card Industry Security Standards Council’s mandates.
Companies that still have XP somewhere on their network can put compensating controls in place, mostly by reducing the systems’ scope and attack surface: keeping such devices away from content that could carry malware and limiting what else they are able to talk to. Windows XP and Office 2003 are exposed through email, web browsing, file sharing and removable media, among other avenues. Cutting off Internet and email access entirely, while debilitating, is the most reliable way to limit attacks until the systems are replaced; where that is not possible, segmenting the legacy hosts onto their own network and permitting only the specific internal destinations they need is the next best option. Businesses with a Microsoft Premier Support agreement can purchase a Custom Support Agreement (CSA), under which Microsoft continues to supply security updates for vulnerabilities rated Critical and Important after public support ends.
There are also technologies that let an organization keep a legacy system running by applying virtual patches to unsupported environments, typically intrusion-prevention rules that block known exploit traffic before it reaches the unpatched host. But whatever steps are taken to mitigate the risk, the reality is that Permanent Zero Day has arrived and a certain level of exposure is unavoidable. Breaches may be inevitable given that some 30 percent of the desktop market still runs XP, and vendor support will become increasingly limited as newer systems are adopted and threats continue to evolve.
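Scoping down an XP host only helps if the restriction actually holds, so the control should be verified against what the firewall is really permitting. The Python script below is an example added here, not code from the original article or from any vendor: it takes a constructed asset inventory and a handful of constructed firewall log lines and reports every allowed connection from a Windows XP host to a destination outside its allowlist. The hostnames, addresses, ports, allowlist and log format are all hypothetical.

```python
"""Check that scoped-down Windows XP hosts only reach their allowlisted destinations.

Added example: the inventory, allowlist, addresses and log format below are all
constructed for illustration and are not taken from the article or any real network.
"""
import ipaddress
import re
from typing import NamedTuple

# Constructed asset inventory: source IP -> (hostname, operating system).
INVENTORY = {
    "192.168.50.10": ("XP-LAB-01", "Windows XP Professional SP3"),
    "192.168.50.11": ("XP-POS-07", "Windows XP Embedded"),
    "192.168.10.5": ("WS-FIN-22", "Windows 7 Enterprise"),
}

# The only destinations a scoped XP host may still reach (hypothetical): the internal
# AV-definition/patch server over HTTP(S) and the line-of-business database segment.
# Everything else, including other internal workstations, is out of scope.
ALLOWED_DESTINATIONS = [
    (ipaddress.ip_network("10.0.20.5/32"), {80, 443}),
    (ipaddress.ip_network("10.0.30.0/24"), {1433}),
]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2014-04-09T08:01:12Z ALLOW src=192.168.50.10 dst=10.0.20.5 dport=443 proto=tcp
2014-04-09T08:02:30Z ALLOW src=192.168.50.10 dst=198.51.100.25 dport=80 proto=tcp
2014-04-09T08:03:05Z ALLOW src=192.168.50.11 dst=10.0.30.7 dport=1433 proto=tcp
2014-04-09T08:03:44Z ALLOW src=192.168.50.11 dst=192.0.2.44 dport=25 proto=tcp
2014-04-09T08:03:59Z ALLOW src=192.168.50.11 dst=192.168.10.5 dport=445 proto=tcp
2014-04-09T08:04:10Z DENY  src=192.168.50.10 dst=203.0.113.9 dport=445 proto=tcp
2014-04-09T08:05:00Z ALLOW src=192.168.10.5 dst=198.51.100.25 dport=443 proto=tcp
"""


class Event(NamedTuple):
    ts: str
    action: str
    src: str
    dst: str
    dport: int


LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Parse one log line into an Event, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Event(m["ts"], m["action"], m["src"], m["dst"], int(m["dport"]))


def is_legacy_host(ip: str) -> bool:
    """True if the inventory lists this address as a Windows XP machine."""
    entry = INVENTORY.get(ip)
    return entry is not None and entry[1].startswith("Windows XP")


def in_scope(dst: str, dport: int) -> bool:
    """True if the destination address and port fall inside the allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in ALLOWED_DESTINATIONS)


def audit(log_text: str):
    """Return (violations, blocked): out-of-scope connections from XP hosts that the
    firewall allowed (the control failed) and that it denied (the control worked)."""
    violations, blocked = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_legacy_host(ev.src) or in_scope(ev.dst, ev.dport):
            continue
        record = (INVENTORY[ev.src][0], ev.dst, ev.dport)
        (blocked if ev.action == "DENY" else violations).append(record)
    return violations, blocked


if __name__ == "__main__":
    bad, stopped = audit(SAMPLE_LOG)
    for host, dst, port in bad:
        print(f"VIOLATION {host} reached {dst}:{port} outside its allowed scope")
    for host, dst, port in stopped:
        print(f"blocked   {host} -> {dst}:{port}")
```

On the sample log the script reports three violations: the two Internet-bound connections on ports 80 and 25, and the SMB connection from the point-of-sale host to another internal workstation. The third one is the case worth noticing, because being on an internal address does not make a destination part of the legacy host’s allowed scope. The single denied event shows the control working and is listed separately so it is not mistaken for a failure.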