Does your organization still have a significant number of endpoints still running Windows XP? Don't worry, you're not alone- Forrester's Q3 2013 Hardware Survey shows us that the average organization still has 20% of their employee endpoints running XP. Considering that most organizations spend 18-32 months when migrating to newer versions of Windows, many organizations will likely find themselves scrambling to batten down the hatches before Microsoft's April 8, 2014 end-of-life deadline.
After this date, Microsoft will stop releasing security patches for the 13 year old operating system, a terrifying situation for organizations still relying on XP. What can you do as an organization if you still have a substantial XP presence within your environment? You can:
- Migrate to Windows 7/8 post-haste. Microsoft has come a long way in preventing certain classes of attacks, such as boot kit and root kit attacks. In fact, Microsoft has told us Windows XP is 21 times more likely to get infected with malware than Windows 8.1. To help our clients understand the pros and cons of Windows 8.1 security, I recently published a guide on this very topic.
- Buy some extra time. For those that can afford it, Microsoft will offer "custom support" in the form of XP security patches past the April 8th deadline. I've spoken with a number of organizations who determined it would be cheaper to pay this premium, rather than migrate away from XP. Of course this is just prolonging the inevitable- custom support will not be available forever.
- Isolate tricky XP-dependent applications through virtualization. Applications which must be run on Microsoft XP can be virtualized and hosted internally with all of the traditional safeguards. Also, for those servers running XP that cannot be easily upgraded to Microsoft's Server 2008/2012, Server 2003 can be used in its place as a temporary solution and will likely cause fewer application dependency problems.
- Do nothing. Is your data really that valuable to hackers? HIPPA and PCI regulations only matter if you get caught. Might be time to also think about updating your resume.
After Microsoft puts XP to rest, expect many of the AV vendors to slowly stop putting effort into protecting these systems. Most 3rd party application vendors will likely stop releasing security patches for their software as well, leading to a perfect storm for hackers. Technologies which do not rely on blacklists such as whitelisting, privilege management, and process isolation/sandboxing will continue to offer a level of protection, but as more and more vulnerabilities are left unpatched on the OS, these solutions will not be tenable over the long term.
My question to all of you is this: what are your plans for migrating away from XP? Are you planning on getting rid of all traces of XP before the April deadline- or are you deciding to invest in additional technologies/software/services to weather the storm and buy some time?
Chris Sherman is an Analyst at Forrester Research serving Security & Risk Professionals.