/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsINDIA: One big offshoot of XP support reaching its end is the security question. Some industry watchers have kept it on the top most tier of worries for Windows users. There are others who prefer to not to be overwhelmed by the panic noise doing the rounds.
Is security really an alarm hyped beyond its worth?
Michael Silver, vice president and analyst at Gartner, agrees to the level of new risk as the number and severity of security exploits grow. The risk of security breaches on systems running Windows XP beyond April 2014 is high and he advises that enterprises should have a plan to get rid of it ASAP.
"Even in organizations without Windows XP, a user that puts an unpatched Windows XP machine on the network can introduce problems."
Ajay Dubey, Manager, South India, Websense doesn't see much reason to be perturbed. It is a cyclical OS thing, this end-of-life scenario. It translates into a no-patch or upgrade/fix-from Microsoft from now on, he explains. "All this actually boils down to one thing in security sense, and that is that the OS would now have zero-day vulnerability. It effectively means that any new threat won't be vaccinated against readily like it used to happen when Microsoft was supporting it. So customers would have to update their gateways and would need a stronger real-time protection solution like the one we offer with advanced persistent threat level answers. What we bring in is exactly a fit for a situation like XP today."
While it is difficult to pin down the real impact at this point-in-time as we just crossed the 8th April mark, but it is important to understand that the threat itself is real as the weaknesses now discovered in Windows XP will go unpatched, leaving users/devices vulnerable to security risks. Tarun Kaura, Director, Technology Sales, India, Symantec dissects the hype around security from his lens as he adds.
"Microsoft will not be issuing any further patches post 8th of April and thus there might emerge a lot of unknown areas/aspects on the OS that we might not know, on real time basis. So if there is a vulnerability that has not been documented and if some hacker exploits the same, then identifying it & protecting it becomes questionable. Even the most current and comprehensive security products, as well as Microsoft's own Malicious Software Removal tool, cannot fully protect an OS that does not receive vulnerability updates, which increases risk for the user."
Krishnan Kutty, DGM IT, Gammon India on the other hand maintains that though there would be no support for XP, antivirus solution providers will certainly not sit idle.
Also, he notes that since the proliferation of XP is quite large, all other add-on software providers also would have made a roadmap that would not inconvenience their clients. "So a micro plan with a comfortable window for the organization may be developed for a smooth transition."
He is not wrong. For instance, Anti-Virus 2013 and Kaspersky Internet Security 2013 evinced its stance to continue to support the Microsoft Windows XP operating system in accordance with Kaspersky Lab product lifecycles.
Although the Windows XP operating system was released more than 10 years ago and three newer operating systems have subsequently been released, Kaspersky Lab realizes that many PC users still prefer this system. This is why Kaspersky Lab has no plans to end support of Windows XP in the near future, it recently stressed in a press note.
Kaspersky Lab also showed plans to maintain support for the operating system in at least two future generations of Kaspersky Anti-Virus and Kaspersky Internet Security products.
Neil MacDonald, vice president and Gartner fellow, highlighted in his post that the issue is not whether the continued use of XP entails risk. It does. The issue is whether the continued use of XP represents manageable and tolerable risk to the enterprise. He reckons the risk to be at a tolerable level for the majority of use cases, without requiring the enterprise to pay Microsoft for expensive custom support while migrations are completed.
Yet he points out that doing nothing is an option.
There is a lot that organizations can gear up right away for like restricting network connectivity, using Application Control Solution and Memory Protection, managing administrative rights, and keeping the rest of the software stack updated as well use of a network or host-based IPS to protect their existing XP Systems from attack.
Going by what MacDonald prescribes, it won't harm to have a predefined process ready in case of an XP breach.
Dipankar Sengupta, Senior Technical Director, National Informatics Centre, Accounts Informatics Division, Govt of India, feels that issues relating to security impact could be contained as we operate our systems within an MPLS VPN.
However, support related to drivers and patches and updates would no longer be available.
Sanjay Katkar CTO, Quick Heal Technologies filters the picture to shape up next anticipating several businesses around the world and in India to continue to operate their legacy machines on Windows XP (for reasons as simple as cost, compatibility, and convenience to as weird as simply negligence).
In such scenarios, he feels it is better to run the XP machine(s) in a virtualized network as application virtualization or session virtualization can help run XP machines in an isolated environment.
"This will allow XP running machines to be used for whatever task they have been used so far without affecting other machines and devices in the network. Moreover, a virtual environment will lock down the machine and any threats that may or may not arise via the OS. This is especially relevant for enterprises that use custom apps which cannot be upgraded anymore on XP machines." He argues.
Other recommendations from his team include keeping a backup of all data on the XP machine(s); ensuring that XP is updated to the latest patch; using a web browser other than Internet Explorer given the expectation of no more updates for IE; updating MS Office to its latest version; getting rid of unwanted third party software and acquiring an effective and updated enterprise security solution.
Katkar reminds that XP going out of support does not mean that the OS will stop functioning on your computer. It means that a computer will no longer receive any security patches. "In other words, if there occurs any security vulnerability that can affect XP, Microsoft won't be doing anything to fix the problem. To break it down further, your computer will make it to the hit list of hackers. Newer versions of application software, games, etc., will face compatibility issues on XP machines or will not run altogether."
The consumer-side of the threat is an equally notable one; BYOD ripples to enterprises, notwithstanding. Here's where Katkar cautions users to be ready by having a Multilayered Security Software, turning machine firewalls, getting the latest patches. updating every software and application, equipping machine with browser sandbox, and stopping use of Microsoft Default Applications or vulnerable browser plugins.
Delving into the consumer segment side for the BYOD angle, Dubey opines that users would be better off if they upgrade to Windows 7 or 8 because they do not sit behind a data centre or strong gateway perimeter the way enterprises do. As to whether anti-virus solutions help here or not, Dubey questions that they usually work on the radar of known viruses and for something like a zero-day threat, those solutions may not be able to handle the new set of needs. However CIOs still need not worry themselves much here on what employees carry in the company, as most devices are two-year old and have a rare probability of being on XP version.
For CIOs who chose to stay with XP, Dubey recommends investing in a strong gateway for real-time situations. "They do have some time to move away from XP. Those already on the migration path can also benefit from a gateway solution since the transition can bring some level of heterogeneity and vulnerability of even one machine can be enough of a concern.".
"At Symantec, we firmly believe that running up-to-date security products is a critical step in protecting your information, systems and devices. And Symantec's security solutions will continue to support Windows XP systems for the foreseeable future, but we strongly recommend users and enterprises still using Windows XP to upgrade to a more current operating system as soon as possible and protect it with a robust security solution." Kaura points out.
So, it appears that both vendor and user landscape are already brimming with alternative, complementary and anti-incumbent courses. This is a good sign in ensuring that whether it is ‘exist' or ‘exit', the decision on XP means least impact on security frontiers.
One Window closed, making other doors re-open - as always.