The Met is currently using 27,000 computers running on Windows XP. For the last two years, XP has no longer been supported by Microsoft, opening up security flaws. IT security experts from Lieberman Software and ESET commented below whether using the out of date system is actually a security risk.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Being old doesn’t make a system a security risk. It may seem like a system that’s been around longer may be a more well known target. But it’s also true that those weaknesses have been found and likely patched. If someone has an old system that’s fully patched, well monitored, and protected by good policy and practices, it can be every bit as secure as anything else.
The real danger is the more likely reality that an “if it isn’t broken don’t fix it” attitude may take over. Often “broken” is measured not by how well patched or protected a system is, rather it’s measured by its ability to continue its role in some profitable part of a business’s operations. By that measure, patching the old system may be a risk as you may then have an old system that people don’t have skills to deal with that has changed some behavior stopping it from ticking away as a cog in the machine.
No one stops to ask about the security risk when the big machine stops churning out revenue. The risks posed by the older systems all stem from the same cost versus risk calculations that businesses do every day. It usually takes a high cost breach to tip the scales from cost driven thinking to risk driven thinking – for older systems and everything else.”
Mark James, Security Specialist at ESET:
“Oh the woes of using out of date, insecure operating systems. We often hear people screaming UPDATE! But is it really a problem?.. Yes it is, because of the vulnerabilities that will never ever be patched by Microsoft (MS). If you go out and purchase a Windows 8/10 operating system then MS regardless of what people say will try very hard to keep you safe. They want you to be using the most secure up to date operating system in the world. After all, if it works with no problems then you will most likely stick with it, they don’t want the PR backlash of exploits and vulnerabilities so they will do all they possibly can to keep you safe. But if you’re running Windows XP then any exploits that are found or currently known will stay known and useable for all and sundry to exploit and spread, unchecked. Yes of course you can install internet security and be very careful what emails you open and what web pages you go to but it’s like putting the most expensive locks on your 3ply shed hoping that will keep its contents safe, it won’t!
Updating your operating systems is not all about keeping Microsoft afloat it’s one of the multi layers required in modern day computer security, think of it like the foundations for your nice shiny new house, any builder will tell you how important they are.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.