Monday October 25th marks the 20th anniversary of Windows XP, the first operating system launched by Microsoft in the 21st century. Codenamed “Neptune” during development, Windows XP was originally just intended for the consumer market. However, an update to Windows 2000 for the business market was scrapped and the two projects merged. Windows XP was launched to great acclaim and received positive reviews for its performance and stability, a more intuitive user interface, improved hardware support, and its expanded multimedia capabilities. It was famed for its green start button and blue task bar.
Whilst Microsoft recently launched Windows 11 (codenamed “Sun Valley”) to much fanfare, several critical PCs still run on Windows XP. In fact, it is thought that 0.6% of the 1.3 billion Windows PCs worldwide still rely on the aging operating system. This is despite Microsoft ending mainstream support for Windows XP back in 2009, followed by extended support in 2014. That means 8 million PCs around the globe are currently out of date and unprotected against the latest breed of cyberattacks.
Legacy critical infrastructure deployments
What makes it worse is that these unprotected Windows XP PCs are often in critical infrastructure deployments. For example, a significant number of ATMs still use versions of Windows XP. In fact, at the time of extended support ending in 2014 it was estimated that more than 95% of the three million ATMs in use worldwide were still running on Windows XP.
There are several high-profile examples of legacy systems being hacked since support ended. In 2017, the dangers of running unsupported, out-of-date IT systems were illustrated when the notorious WannaCry ransomware tore through the NHS’s outdated systems in a matter of hours. The highly publicized attack caused £92m worth of damage and disrupted a third of all NHS trusts in England. Whilst Microsoft released a posthumous patch to address the vulnerability, it was too late. A year before, the Windows XP network at the Royal Melbourne Hospital in Australia was struck down with the QBot virus. The virus infiltrated major hospital systems, forcing staff to resort to fax or phone to communicate. It took the hospital over two weeks to contain the virus, which mutated up to six times a day.
The need to patch over the cracks
The stark reality is that when it comes to being hit with an attempted cyberattack, it is not a question of if, but when. Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. It is particularly prevalent in medium-sized businesses (65%), large businesses (64%) and high-income charities (51%). This has meant that the need to fully patch business-critical systems has never been higher.
Important patches to newly found security holes continue to be released with unerring regularity. Microsoft releases patches on the second Tuesday of each month, jam-packed with security updates. In its most recent “Patch Tuesday” update, the company rolled out security patches to no fewer than 86 loopholes it found in operating systems much more technically advanced than XP.
While antivirus and other endpoint security measures are an important line of defense, effectively applying software updates and patches removes many of the vulnerabilities that cybercriminals target today. However, in these days of remote working, applying such updates can sometimes be difficult. Luckily, help is at hand. By using a multi-platform patch management solution, IT admins can get complete visibility over the patch status of their systems and provide guidance to staff so that they know what to patch and how.
You can’t patch what isn’t there
Effective patching is a critical security precaution for businesses of all sizes. The benefits are numerous. It provides a more secure environment for your staff and helps protect your business from potential security breaches. But more than that, it allows the business to continue to innovate, avoid unnecessary fines and promote system uptime, which leads to happy customers. The last point is particularly important. We all saw the furor that the recent Facebook downtime caused, where businesses which use social media to connect with consumers were faced with irate customers and a significant financial hit.
However, the struggle for businesses is that you can’t patch what isn’t there. And in the eyes of Microsoft, Windows XP is no longer there. With every additional year after the end of extended support, the likelihood of security issues and incidents increases. Therefore, now is the time to say goodbye to Windows XP and move to a supported operating system. A vulnerable server could expose hundreds or thousands of passwords and be used to access and steal files from mapped drives. Unfortunately, 20 years on, businesses still use Windows XP in great numbers. Until they update, the industry must remember the left behind.
By Jake Moore, a cyber security specialist at ESET, UK.