End of Windows XP Life Could Debilitate Regulatory Compliance Standards

Windows XP, released on October 25, 2001 and long the most widely adopted operating system in both the consumer and business markets, reaches end of life on April 8, 2014. Starting April 9, 2014, Microsoft will no longer provide support, marketing, updates or hotfixes, nor support options such as Microsoft Security Essentials or online technical content updates. Many applications and devices may also stop working well with Windows XP. Attacks on machines that continue to run Windows XP can be expected to increase exponentially. This looming sunset has a direct impact on enterprise environments, electronic locks on doors and buildings, automated teller machines, government and military computing devices, e-commerce, the retail industry with its POS and other applications, and every organization that handles credit cardholder data and is obliged to comply with PCI DSS requirements.

For retailers the impact can be greater, because the PCI Security Standards Council (PCI SSC) does not accept an out-of-date operating system, which may cause problems for retailers still using Windows XP with their banks, regardless of the payment software they use. The overarching issue is how this change affects those who moved from PCI DSS 2.0 to 3.0 late last year and are bound to comply with its requirements.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements administered by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the security of electronic payment data and sensitive authentication data. The PCI SSC recently upgraded PCI DSS 2.0 to PCI DSS 3.0, which introduces many new methodologies. A retailer or any other organization that handles payment cardholder data or processes card transactions must fully comply with all 12 PCI DSS requirements to avoid fines and other non-compliance sanctions. PCI DSS requirement 6.2 asks:

“Whether all system components and software are protected from known vulnerabilities by installing applicable, vendor-supplied security patches and whether critical security patches are installed within one month of release?”

As soon as the first post-support XP vulnerability is discovered, an organization still running XP is automatically out of PCI DSS compliance: its customers' data is put at risk, and the organization drops off the official list of PCI-compliant service providers and the list of vendors qualified to support those regulated by PCI DSS.

Another concern is that the majority of ATM computers run on Windows XP; if they are affected, daily life in any country can be disrupted. According to an InfoSecIsland report, a further major concern is the medical device manufacturing industry: the majority of medical devices run on XP, and a percentage of them also use XP to link to the external databases holding the medical data those devices use. Since most medical devices have a long lifespan of 10-20 years, many of them are now likely to be vulnerable to malware, hacking, software errors and crashes, because no new patches will protect them from viruses, spyware and other malware. Medical devices running on Windows XP will therefore be non-compliant with the technical requirements of the Health Insurance Portability and Accountability Act (HIPAA) for securing devices that hold protected health information, and zero-day malware attacks and operating system errors become more likely. Terminals using Windows XP must also prove the confidentiality of patients' health care information and provide the audit evidence that patient records are kept safe and secure. Organizations bound by regulatory compliance standards such as SOX, HIPAA, PCI DSS, NERC and Gramm-Leach-Bliley therefore face greater challenges in security, cost and corporate brand reputation.

Even larger organizations that deal with POS, the Internet of Things (IoT) or credit card data may have many distributed systems that are not powerful enough to run Windows 7 or Windows 8, because they lack the hardware required to upgrade from Windows XP, and possibly legacy applications that run only on Windows XP. Other reasons can also stop an organization from migrating: mission-critical applications that run only on Windows XP, a high migration budget, a lack of resources to maintain day-to-day migration operations, and application incompatibility in general. According to a survey conducted by IDC Research and Flexera Software in September 2013, almost 15% of midsize and large enterprises will still have Windows XP running on at least 10% of their PCs after Microsoft's support ends, and a complete OS migration for these enterprises is likely to take six to twelve months. The use of third-party applications from vendors such as Oracle and Adobe also pushes organizations toward upgrading from Windows XP.

Taking Next Steps: Compensating Controls

First, an organization that is unsure whether it still has Windows XP in its environment can find out using Microsoft's Windows 7 Upgrade Advisor. The Windows Upgrade Assistant can also check whether systems meet all the Windows 7 or Windows 8 requirements, and the list of mission-critical programs that have trouble running on Windows 7 or Windows 8 can be checked as well. Organizations that continue using Windows XP after April 8 must monitor and internally mitigate the security threats and risks specific to XP; larger businesses can work with Microsoft or a licensed sourcing provider on security services to manage new and existing vulnerabilities and to meet PCI DSS requirements and standards for particular applications running on XP. This may help a company reduce its regulatory liability if a payment card data breach occurs despite compliance with the PCI DSS requirements.
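The inventory step above and the requirement 6.2 one-month patch window, as an added example that is not from the article: a Python script that reads a constructed inventory export, reports which hosts still run Windows XP past April 8, 2014, and flags cardholder-data hosts whose critical patches fall outside the 30-day window. The CSV columns, host names and dates are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Windows XP end of support, as stated in the article.
XP_EOL = date(2014, 4, 8)
# PCI DSS requirement 6.2: critical patches installed within one month of release.
PATCH_WINDOW = timedelta(days=30)

# Constructed sample inventory export (hypothetical hosts, not real data).
# Columns: hostname, OS, whether the host handles cardholder data (cde), release
# date of the newest applicable critical patch, date it was installed (blank = never).
SAMPLE_INVENTORY = """hostname,os,cde,patch_released,patch_installed
pos-01,Windows XP,yes,2014-03-11,2014-03-20
pos-02,Windows XP,yes,2014-03-11,
atm-kiosk-7,Windows XP,no,2014-03-11,2014-04-30
web-03,Windows 7,yes,2014-04-08,2014-04-15
"""

def parse_date(text):
    """ISO date string to date; an empty cell means 'not installed'."""
    return date.fromisoformat(text) if text else None

def assess(inventory_csv, as_of):
    """One finding per host: XP status and requirement 6.2 status as of `as_of`."""
    today = date.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        is_xp = row["os"].strip().lower().startswith("windows xp")
        deadline = parse_date(row["patch_released"]) + PATCH_WINDOW
        installed = parse_date(row["patch_installed"])
        if installed is not None:
            req_6_2_ok = installed <= deadline   # applied inside the window?
        else:
            req_6_2_ok = today <= deadline       # not yet overdue?
        findings.append({
            "hostname": row["hostname"],
            "xp": is_xp,
            # Past April 8, 2014 no vendor patches exist for XP at all.
            "unsupported": is_xp and today > XP_EOL,
            "cde": row["cde"].strip().lower() == "yes",
            "req_6_2_ok": req_6_2_ok,
        })
    return findings

def noncompliant_cde_hosts(inventory_csv, as_of):
    """Cardholder-data hosts that fail requirement 6.2 as of `as_of`."""
    return sorted(f["hostname"] for f in assess(inventory_csv, as_of)
                  if f["cde"] and not f["req_6_2_ok"])
```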

Where applications do not need internet access or access to systems outside the network, the XP systems can be isolated on a network segment that allows the applications to be reached only from systems inside that segment. Apart from negative security software such as anti-virus (AV) and host-based intrusion prevention systems (HIPS), an organization can also rely on positive security software such as Bit9, which does not allow untrusted applications to run. This hardens out-of-date systems such as XP so that anything suspicious or unknown is blocked, preventing zero-day exploits and targeted attacks.

Organizations and frameworks such as the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) and the SANS Top 20 treat positive, proactive security models as a best practice for closing the threat window: they protect POS systems, servers and endpoints, lower the cost of compliance, and help organizations stay compliant while still on XP.

Retailers willing to migrate to PA-DSS validated applications should check the PCI SSC's list of PA-DSS validated applications under “Tested Operating Systems”, which shows which applications run on Windows XP and have alternative validated versions available. Before adopting any compensating control, retailers must work with their Qualified Security Assessor (QSA) and their acquirer. Regardless of PA-DSS application validation, using an out-of-date OS platform will not make a retailer fully compliant with the PCI DSS requirements.

The bottom line is that organizations, individuals and businesses must upgrade their XP systems to a current, fully supported OS in order to protect their data, customers' information, business brand and income. There are multiple options and resources that can help fend off the coming attacks, but the time to act is now. Critical XP systems and complex applications and programs that are difficult to upgrade must adopt compensating controls such as positive security solutions and regular audits, both to comply with the regulatory compliance standards and to provide full confidentiality of sensitive data and audit reports.

References:

SearchSecurity (TechTarget), How Windows XP end of life conflicts with PCI DSS requirement 6.2: http://searchsecurity.techtarget.com/answer/How-Windows-XP-end-of-life-conflicts-with-PCI-DSS-requirement-62?asrc=EM_ERU_26645973&utm_medium=EM&utm_source=ERU&utm_campaign=20140218_ERU%20Transmission%20for%2002/18/2014%20(UserUniverse:%20672236)_myka-reports@techtarget.com&src=5213080

PCI SSC, PCI DSS Version 3.0 (PDF)

InfoSecIsland, Will the Demise of XP Shut Down Your Business or Heart: http://www.infosecisland.com/blogview/23692-Will-the-Demise-of-XP-Shut-Down-Your-Businessor-Heart.html

Wikipedia, Windows XP: http://en.wikipedia.org/wiki/Windows_XP

Times of India, End of Windows XP: Who all are at risk: http://timesofindia.indiatimes.com/tech/tech-news/End-of-Windows-XP-Who-all-are-at-risk/articleshow/33431926.cms?utm_source=facebook.com&utm_medium=referral

BBC News: http://www.bbc.com/news/technology-26884167

Akansha Pandey
MSCLIS IIIT Allahabad