Despite Microsoft’s declaration of End-of-Life for Windows XP on April 8, 2014, loyal users are slow to part with their beloved OS and are not ready to “bring out their dead” operating system.
For the month of April, Windows XP still held a 26.3 percent share of all desktop OS Web traffic as monitored by Net Applications and shown in the pie chart below. That number is down from the 27.7 percent share recorded for March. At this slow rate of abandonment, Windows XP is far from losing its commanding position as the second most popular desktop operating system according to the Net Applications statistics.
One interesting phenomenon is that despite the persistent widespread usage of Windows XP, we haven’t seen the expected headlines about the bad guys wreaking havoc on those who are still running Windows XP.
David Attard, GFI WebMonitor Product Manager, has some interesting insights on this in his blog “Windows XP – where have all the bad guys gone?” with excerpts as follows:
Surely, the bad guys haven’t just disappeared or given up on XP?
The real opportunity for hackers will be the May updates. When these come out, anything affecting Vista/7/8/2008/2012/Server 2003 will likely be tested on XP by malicious people. If it is, it will be open and vulnerable for the bad guys to reverse engineer.
It’s not only the operating system you have to think about, but older applications that only run on XP. These may also be out of support now and could be vulnerable also – if not today, in months to come.
It’s our job to plan for the worst case scenario. Hearing nothing doesn’t mean it’s not happening. For those of you with kids, sometimes the quietest times are when you worry most!
It’s not in the hackers’ interests for us to know they are already there. They would far rather remain in stealth mode for as long as possible, stealing what they can, while we don’t know about it.
David also offers the following advice:
So what can you do?
Suggesting an upgrade to a newer operating system is a given – but of course if you haven’t done that yet, it’s probably for good reason. Typically the strongest reason is that some legacy systems are too costly to upgrade or are simply not supported.
So if you are still stuck using XP how can you minimize the risks for your business?
Step 1 – Make an inventory of all your IT assets
First and foremost you should know exactly how many Windows XP machines are still out there so you know which areas of your network are the weak spots.
Step 2 – Plan an upgrade path
Where possible, despite the reasons for not upgrading, you should still have a firm plan for upgrading from Windows XP to a later operating system, at a time that works best for you and the business.
Step 3 – Disconnect the XPs from the Internet / email
Definitely the strongest security risk is presented by users browsing the internet or opening emails on vulnerable XP machines. If you still need to use XP, make sure that these machines are not able to connect / browse the Internet.
Step 4 – Install multiple protection mechanisms
If despite everything, your XP machines still need to be connected to the Internet – it is highly recommended that multiple protection mechanisms are put into place. Definitely a good antivirus should be your first consideration.
Patch management, to ensure that neither the operating system nor any other software on a machine is left vulnerable, should also be installed. Good web filtering software or an agent should be installed so that users are protected from visiting any malicious websites.
Step 5 – Always remember to educate
Education is a must. You will find that employees do not want their machine infected by malware. In many cases they are simply unaware of the risks as a result of the many essential tools in use today.
Need a more compelling reason to replace Windows XP? Does your business need to meet industry compliance requirements for security? If so, running an operating system that is no longer supported is by definition non-compliant, as discussed in the TBG Security blog post “Compliance: Why You Can’t Afford To Stay With Windows XP”.
In general, regulatory and industry compliance frameworks like PCI-DSS, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) don’t call out specific platforms or tools. Compliance requirements are typically written as broad guidelines to provide a baseline for security and data protection without endorsing any specific solution or painting the compliance framework into a corner with technology that might be obsolete next year.
Some requirements might simply specify that the operating system must have the most current patches applied. One could argue that as long as every update for Windows XP released up through April 8 has been installed, this requirement is met, because those would be the “most current” patches available. Such an argument clearly violates the spirit of compliance, even if it doesn’t explicitly violate the letter of the rules.
Tyler Reguly, security research manager for Tripwire, points out that there is no such gray area, however, for PCI-DSS. The PCI-DSS Approved Scanning Vendors (ASV) Program Guide specifies on page 18: “The ASV scan solution must be able to verify that the operating system is patched for known exploits. The ASV scan solution must also be able to determine the version of the operating system and whether it is a version no longer supported by the vendor, in which case it must be marked as an automatic failure by the ASV.”
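The inventory step David describes (Step 1: know exactly how many XP machines are out there and which of them still reach the Internet, Step 3) and the ASV rule Tyler Reguly quotes (an OS the vendor no longer supports is an automatic failure) can be combined into one triage pass over an asset list. The script below is an added example; it is not code from the original post, from GFI, Tripwire or EarthLink. It assumes a CSV export with the columns `hostname,os_name,ip,internet_access`; the hostnames and addresses are constructed, the Windows XP end-of-support date is the one given in the post, and the other end-of-support dates in the table are assumptions included only so the example runs.

```python
"""Triage an asset inventory for end-of-life operating systems.

Added example, not from the original post. Flags every Windows XP host,
applies the PCI-DSS ASV rule quoted in the post (unsupported OS = automatic
failure), and ranks unsupported hosts that still have Internet access first.
"""
from dataclasses import dataclass
from datetime import date
import csv
import io

# Vendor end-of-support dates. The Windows XP date comes from the post;
# the other two entries are ASSUMPTIONS used only to make the example run.
VENDOR_EOL = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),   # assumption
    "Windows 7": date(2020, 1, 14),             # assumption
}

# Constructed sample inventory; hostnames and addresses are made up.
SAMPLE_INVENTORY = """\
hostname,os_name,ip,internet_access
ws-acct-01,Windows XP,10.0.1.10,yes
ws-acct-02,Windows XP,10.0.1.11,no
lab-ctrl-01,Windows XP,10.0.5.20,no
ws-eng-01,Windows 7,10.0.2.30,yes
srv-file-01,Windows Server 2003,10.0.9.5,no
kiosk-01,SomeOS 1.0,10.0.7.7,yes
"""


@dataclass
class Finding:
    hostname: str
    os_name: str
    status: str     # "FAIL" (ASV automatic failure), "PASS", or "REVIEW"
    priority: int   # 0 = act now; larger numbers are less urgent
    reason: str


def parse_inventory(text):
    """Parse the CSV export into dicts; internet_access becomes a bool."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: v.strip() for k, v in row.items()}
        row["internet_access"] = row["internet_access"].lower() in ("yes", "true", "1")
        assets.append(row)
    return assets


def assess(asset, today):
    """Apply the ASV rule to one asset and assign a remediation priority."""
    host, os_name = asset["hostname"], asset["os_name"]
    eol = VENDOR_EOL.get(os_name)
    if eol is None:
        # Unknown platform: cannot prove support status, so send it for review.
        return Finding(host, os_name, "REVIEW", 2,
                       "OS not in vendor support table; confirm support status")
    if today > eol:
        # Past vendor end-of-support: automatic failure under the ASV guide.
        if asset["internet_access"]:
            return Finding(host, os_name, "FAIL", 0,
                           f"unsupported since {eol} and still Internet-connected (Step 3)")
        return Finding(host, os_name, "FAIL", 1,
                       f"unsupported since {eol}; isolated, schedule the upgrade (Step 2)")
    return Finding(host, os_name, "PASS", 9, f"vendor support ends {eol}")


def assess_inventory(text, today):
    """Assess every asset and return findings, most urgent first."""
    findings = [assess(a, today) for a in parse_inventory(text)]
    return sorted(findings, key=lambda f: (f.priority, f.hostname))


def summarize(findings):
    """Step 1 headline numbers: XP host count plus pass/fail/review totals."""
    counts = {"xp_hosts": 0, "fail": 0, "pass": 0, "review": 0}
    for f in findings:
        if f.os_name == "Windows XP":
            counts["xp_hosts"] += 1
        counts[f.status.lower()] += 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY, date(2014, 5, 1))
    for f in results:
        print(f"P{f.priority} {f.status:6} {f.hostname:12} {f.os_name:20} {f.reason}")
    print(summarize(results))
```

Run against the sample data with a date in May 2014, the one XP host that still browses the Internet comes out on top, the two isolated XP hosts follow, and the kiosk on an OS the table does not know is sent for review rather than silently passed; re-running with a later date shows how hosts that pass today become automatic failures once their vendor support ends.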
Need help migrating to a new OS? Need end user help desk to support your employees through these transitions?
Want to keep running Windows XP in a virtual environment isolated from the Internet and security risks?
EarthLink Business can help: visit our Windows XP alternatives site.