Organizations in all sectors should take steps now to avoid security and operational risks associated with Microsoft's plans to discontinue support of the Windows XP operating system next year, security experts say.
On Oct. 7, the Federal Financial Institutions Examination Council warned banks and credit unions in an XP alert to prepare now to avoid potential problems with computer systems, servers and devices, such as ATMs and point-of-sale terminals, that run XP.
But the issue is critical to all sectors, says Richard Edwards, a principal analyst at the consultancy Ovum. There is justified concern that after April 8, 2014, when Microsoft stops supporting XP, organizations still running the operating system will be targeted by attackers using exploits for vulnerabilities that will never be fixed, he says. That's because Microsoft will no longer issue updates and security patches to address XP vulnerabilities, so any flaw discovered after that date stays open on every unmitigated XP machine.
Security experts say that once support for XP ends, the black-market asking price for an XP zero-day exploit will easily double; today, they say, such exploits already net between $30,000 and $150,000.
Some 70 percent of business PCs that ran XP have already moved to Windows 7, according to Ovum's research, and Microsoft is now making a concerted effort to help small and medium-sized businesses move to newer PC platforms as well, Edwards says.
Organizations that don't upgrade their operating systems before April 2014 will have to come up with their own mitigation strategies.
"With end of life coming in less than six months for Windows XP, it's critical that financial services companies get ready now to upgrade," says financial fraud expert and Gartner analyst Avivah Litan. "Otherwise, the criminals will have a field day exploiting XP vulnerabilities after April 8, 2014, when patches will be lacking. The banks already have enough attack vectors to defend against - they don't need any additional headaches that can be easily avoided."
Compliance with security mandates, such as the Payment Card Industry Data Security Standard, also could be an issue when Microsoft drops its support for XP, regulators say.
"After [April 8, 2014], Microsoft will no longer provide regular security patches, technical assistance or support for XP," the FFIEC says in its alert. "Financial institutions, TSPs [third-party service providers] and other third parties that use XP in personal computers, servers, and purpose-built devices such as automated teller machines (ATM), or that are dependent on applications that require use of XP, could be exposed to increased operational risk."
The FFIEC notes that failing to update operating systems could result in application incompatibilities and increased risk for data theft and/or unauthorized additions, deletions and changes to data. It also could adversely impact the delivery of financial products and services, regulators point out.
The council recommends banking institutions follow guidance outlined in the FFIEC Information Technology Examination Handbook, highlighting the need for:
- Ongoing risk assessments to identify and measure risks that could result from the continued use of XP throughout the organization and at third parties;
- Considering the impact on business continuity and disaster recovery;
- Considering compatibility with other systems and applications, as well as costs and new risks;
- Developing an implementation plan to prioritize changes and monitor related third parties' mitigation and migration activities;
- Monitoring risk and ensuring the effectiveness of controls is tested periodically with results reported to senior management or the board of directors.
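As an added example (not code from the article or from the FFIEC), the following Python script performs the first step of that risk assessment: it reads an asset inventory, here a constructed sample in the shape of a CMDB or Active Directory export, flags the hosts still on XP, and ranks them by an assumed weighting that favors the device classes the alert names (ATMs, point-of-sale terminals, servers), Internet exposure, third-party ownership (systems you cannot patch yourself) and the time elapsed since April 8, 2014. The column names, hostnames, role weights and assessment date are assumptions for illustration.

```python
"""Triage an asset inventory for Windows XP end-of-support exposure.

Added example, not the article's or the FFIEC's own code. It assumes an
inventory export with the fields of Asset below; the sample inventory,
role weights and assessment date are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

XP_END_OF_SUPPORT = date(2014, 4, 8)   # date cited in the article

# Assumed weights: device classes the FFIEC alert singles out rank highest.
ROLE_WEIGHT = {
    "atm": 5,
    "pos": 5,
    "server": 4,
    "workstation": 2,
}


@dataclass
class Asset:
    hostname: str
    os_name: str          # OS string as exported, e.g. "Windows XP Professional"
    role: str             # one of ROLE_WEIGHT's keys, or anything else (weight 1)
    owner: str            # "internal" or the name of a third-party service provider
    internet_facing: bool


def is_xp(os_name: str) -> bool:
    """Match any XP edition by the leading product name, case-insensitively."""
    return os_name.strip().lower().startswith("windows xp")


def days_unpatched(assessment_date: date) -> int:
    """Days an XP host has gone without vendor patches as of assessment_date.

    Before end of support the answer is 0: patches are still being issued.
    """
    return max(0, (assessment_date - XP_END_OF_SUPPORT).days)


def risk_score(asset: Asset, assessment_date: date) -> int:
    """Assumed scoring: role weight, doubled if reachable from the Internet,
    +1 if a third party owns the box, +1 for each month past end of support."""
    score = ROLE_WEIGHT.get(asset.role, 1)
    if asset.internet_facing:
        score *= 2
    if asset.owner != "internal":
        score += 1
    score += days_unpatched(assessment_date) // 30
    return score


def triage(assets, assessment_date: date):
    """Return (hostname, score, owner) for every XP host, highest risk first."""
    xp_hosts = [a for a in assets if is_xp(a.os_name)]
    ranked = [(a.hostname, risk_score(a, assessment_date), a.owner) for a in xp_hosts]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


def third_party_xp_hosts(assets):
    """XP hosts whose migration you must monitor rather than perform yourself."""
    return sorted(a.hostname for a in assets
                  if is_xp(a.os_name) and a.owner != "internal")


# Constructed sample inventory (hostnames and provider are made up).
SAMPLE_INVENTORY = [
    Asset("ATM-0412", "Windows XP Professional", "atm", "Acme ATM Services", False),
    Asset("POS-LOBBY-3", "Windows XP Professional", "pos", "internal", False),
    Asset("WS-TELLER-17", "Windows XP Professional", "workstation", "internal", False),
    Asset("WS-TELLER-18", "Windows 7 Enterprise", "workstation", "internal", False),
    Asset("KIOSK-WEB-2", "Windows XP Professional", "workstation", "internal", True),
]

# Assumed assessment date: one month after end of support.
ASSESSMENT_DATE = date(2014, 5, 8)

if __name__ == "__main__":
    for hostname, score, owner in triage(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(f"{hostname:14} score={score:2} owner={owner}")
    print("third-party XP hosts to monitor:", third_party_xp_hosts(SAMPLE_INVENTORY))
```

Run on the sample, the third-party ATM ranks first, the lobby POS terminal second, and the Internet-facing kiosk outranks the teller workstation despite sharing its role; re-running with a later assessment date raises every XP host's score, which is the point of the "ongoing" in the first bullet.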
Upgrading Delivery Channels
For banking institutions, potential security vulnerabilities will be a growing concern, especially for ATMs, says one card fraud executive with a leading institution, who asked not to be named.
"I can only tell you that assessment across our environments is in progress now, and where we have impact we intend to remediate either by conversion to other platforms, i.e. [Windows] 7, or by adding other layered controls as an interim measure pending the upgrade," the executive says. "There are multiple changes occurring, specifically in the ATM environments of many FIs [financial institutions] fairly simultaneously, including, but not limited to, new anti-skimming tools, EMV and the Windows change. There's a bit of juggling at these banks to assess the risks and rewards of the changes in order to properly prioritize them."
Amichai Shulman, chief technology officer of security firm Imperva, says organizations must balance security and operational risks within their risk management strategies, especially when it comes to determining whether upgrading legacy platforms and systems is worthwhile.
"Sometimes the operational risk is higher and organizations must find an alternative method, a work-around, for mitigating the security risk," Shulman says. "Legacy, fat client applications, even ATMs, may still use XP. Odds are that these systems were not ported due to the cost of getting on top of legacy code and rigorous testing of some mission-critical applications."
In the healthcare arena, many electronic health record systems still run on XP and can't just be unplugged for an upgrade, notes a healthcare information-security executive who asked not to be named. "They are critical systems, or are running proprietary applications that require Internet Explorer 6 or cannot work in the newer Win7, 8 or Vista [operating systems]," the executive says. "If that is the case, you should be considering virtual desktop infrastructure to run just that proprietary application, while upgrading the rest of the desktop."
Gartner's Litan, however, says banking institutions will have to transition to Windows 7 or 8 to ensure security and regulatory compliance.
"It's always a technical hassle to upgrade computer operating systems but it's a 'must do' top of the list item for banks and other companies accepting or processing sensitive financial information," Litan says. "It's just basic housekeeping and one of those thankless chores that has to get done."
Al Pascual, a financial fraud expert and senior analyst for Javelin Strategy & Research, says organizations that don't upgrade their systems can expect breaches because of the end of automatic XP patches from Microsoft.
"Any vulnerabilities that were discovered would need to be patched machine by machine, potentially leaving devices exposed for far longer than is typical today. Imagine what that could mean when a new type of malware that gleans payment card data hits Wintel POS terminals running XP. It would most certainly affect compliance with PCI, as maintaining data security would become an unrealistic, almost herculean effort for those still running the decade-old OS."
(Technology editor Fahmida Rashid contributed to this story.)