There is an increasing amount of noise related to what it means when Microsoft stops releasing security patches for XP. While a lot of this noise is doom and gloom it is also important to look at this from a practical perspective and determine exactly what we can do to see ourselves through this transition safely.
As hard as we try we will not be able to migrate all of our Windows XP machines to Windows 7 (or 8?). Whether it is holdout executives who don’t like change, or creaky business processes that don’t like upgrades, we will still be left with a number of Window XP machines after April 8th, 2014 – that is a cold hard reality. The question now becomes: what does this mean from a security point of view?
Lets first keep in mind what attack vectors we need to protect against.
1) Network Exploits – this is our traditional network worm, which is exploiting a service running on our XP machine. A classic example of this is the conficker worm that targeted a vulnerability in the server service in Windows XP.
2) Browser-based attacks – this is our most common attack, where a user is targeted as they are browsing the web (or are sent a malicious link in an email) and an exploit targeting the browser or an enabled browser plugin is used to compromise the machine.
3) Malicious Email attachments – another favorite, a malicious attachment is sent with an email and an exploit targeting the program configured to read the attachment is used (our most common target here is the PDF viewer)
When we look at these attack vectors we can immediately start breaking down the steps we can take to mitigate the risk, even after we stop getting security updates.
To keep it simple, the steps we recommend are as follows:
1) Limit Inbound Network Access – place the XP machines on a dedicated network segment and limit access by other machines in your environment. Keeping these machines segmented will minimize the chances for these machines to be targeted and exploited. Limiting network access substantially reduces your chance of being targeted and compromised by network exploits. The assets you most need to be concerned about are running your business systems. The point of sale terminals at Target were running Windows XP embedded – cutting them off from the rest of the network would have done a lot! (This mitigates Network Exploits)
2) Use a Non-Administrative Account – the majority of exploits targeting desktop software (web-browsers, java, adobe flash, adobe reader) are mitigated when the user account is a standard user. It is a disruptive task to try and migrate an existing user to a non-administrative account. Instead, try reducing the privileges of your existing user accounts. (This mitigates Browser-based attacks and malicious email attachments)
3) Use a browser with a long-term support plan – if you can’t stop browsing the web from the Windows XP machine, at least use an up-to-date browser. Google Chrome is extending their support until April 2015. If you do choose to browse, please turn off your plugins This mitigates Browser-based attacks
4) Read your email in your browser – using your up-to-date browser, (you are following recommendation 3 right?) leverage your email server’s web front-end and be particularly conservative about the attachments you download and open. (This mitigates Malicious email attachments)
5) Monitor your systems – always check your work! The most important thing is catching an incident before it turns into a problem. Look out for command and control traffic, internal probing, increased network activity and other signs of an infection. Of course AlienVault USM is an excellent choice for this step!
According to the Mayan calendar, the world was going to end in December 2012, and fortunately, it didn’t. With April 8th, 2014 looming like a new end-of-world prediction, there are steps—like the ones above—that can be taken to minimize risk until the (inevitable) migration from Windows XP to something modern and significantly more secure occurs. And seriously… AlienVault’s USM platform is an excellent way to keep an eye on your IT environment. Give it a try for free in that first month after Microsoft withdraws its support from XP, and you’ll never want to be without it again. One thing for sure – you’ll discover it’s not just XP that’s a security issue you need to stay on top of.
Russ Spitler, VP of Product Strategy at AlienVault
