Start Isolating Critical XP Systems Now, Experts Say

Problem of no more updates after April 8, 2014 becomes complicated for companies, retailers running specialty software dependent on XP.

Microsoft Windows XP

Organizations that still need to use Windows XP after Microsoft pulls the support plug in eight months should spend the time they have left isolating software running on the aged OS.

[ Windows XP's Retirement Will be Hacker Heaven ]

With no security patches forthcoming after April 8, 2014, cybercriminals are expected to head into overdrive in releasing exploits of zero-day vulnerabilities discovered and sold for big bucks in the underground. Therefore, organizations keeping XP as a primary operating system are painting a big bulls eye on their computers.

"It's really a losing battle," Wolfgang Kandek, chief technology officer for Qualys, told CSOonline.

At the end of this year, IDC predicts roughly a fifth of the world's PCs will be running XP.

"That is the good news, but the bad news is the installed base is concentrated in commercial customers rather than home users, which means an exploit is potentially more damaging," said Al Gillen, an analyst with IDC.

Based on browser usage, Qualys estimates that about 10% of U.S. home users are currently running XP. Such users have little choice but to bite the bullet and upgrade to avoid having their systems infected with malware looking to steal credentials to online banking and other websites.

The problem becomes more complicated for organizations running specialty software dependent on XP, said Tyler Reguly, manager for security research and development at Tripwire.

For example, Reguly recently ran across a regional airport in Canada that could not upgrade from XP without breaking critical software. Also, many retailers using XP-based point-of-sale systems cannot afford new equipment.

[Also see: Bromium protects hosted desktops and Windows XP with its Microvisor]

Organizations stuck with XP after Microsoft's deadline should take the OS and the apps it runs off the Internet.

"For those who can't upgrade, they need to look at risk-reduction strategies," said James Lyne, director of technology strategy at Sophos.

Wherever possible, XP and the apps that can't live without it should be on a virtual machine that essentially isolates the software in its own sandbox. Vendors that provide such technology include VMware and Citrix Systems.

"If I have to, I can automatically quarantine that virtual machine to help reduce my risk," said Paul Henry, a security and forensic analyst with Lumension.

The VM platforms can be configured to restrict access to the underlying systems' hard drive and to certain files to prevent infections from spreading. In addition, XP should be stripped of any components not necessary to run the specialized apps.

"When you run older, vulnerable software in these sandboxes, it really does work to help mitigate [the risk]," Reguly said, adding that the technology provides a "really nice platform to lock things down."

For companies with money to burn, Microsoft is offering very expensive custom support for XP. However, at prices ranging from $600,000 to $5 million the first year, depending on the number of systems, it's an option only for desperate enterprises.

"I couldn't afford it," Kandek said.

So isolation will likely be the best strategy for many organizations, which should get started soon, before cybercriminals start releasing their XP-hunting malware.

Sean Bodmer, chief security researcher at CounterTack, has a warning for companies who fail to act. "Once there is no further support for identified, exploitable vulnerabilities, it will be easier for attackers to access data than fishing with dynamite," he said.

This story, "Start Isolating Critical XP Systems Now, Experts Say" was originally published by CSO.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.