Tuesday, March 18, 2014

XP End of an Era or... Deja Vu All Over Again!

   Unless you just came back from time traveling, you know that Microsoft is ending support for the XP operating system on April 8.  To be clear... April 8 is a Patch Tuesday, so that will be the last set of updates for XP.  Sort of.

   XP has been one of Microsoft's most popular desktop operating systems and many organizations are dependent upon it.  Many organizations have not yet updated to Windows 7 or 8 and the clock is ticking.  I'd like to look at what that means and share a few ideas of what we can do to protect ourselves and our organizations.

   Microsoft will be stopping all patches, hotfixes and enhancements to XP after April 8.  Anti-virus signatures will continue to be made available for a while, but signatures only catch known malware; they do not close the hole the malware uses.  This means that any vulnerabilities discovered or disclosed after that date will not be fixed for the general public (the paid Custom Support program discussed further down is the only exception).  Organizations will need to figure out whether they are exposed to each new threat and then weigh the risks of their options.

   There has been some speculation that online criminal organizations may be stocking up on new vulnerabilities so these can be released after the last patch date.  We can't know if this is true, but it is possible.

   So... if you are still running XP, and need to continue to run XP, what can you do?  Let's do a high-level threat analysis:

  1. What is the threat?  That a new or unpatched vulnerability on an XP system will be exploited.  If we have mechanisms in place so that the exploit cannot reach us, or cannot do anything once it does, the risk is low.
  2. From where does the exploit come?  Most likely, the Internet.  So if the system does not need to be connected to the Internet, and does not have a trust relationship (file shares, domain credentials, remote management) with systems that are, the risk may be low.  Note that an XP box that is off the Internet but sits on the same flat network as machines that are on it, or that accepts USB sticks, is not isolated.
  3. What is the attack vector?  Most often, email attachments or malicious web links.  So, if the XP machine is not used for email or web browsing we can substantially reduce the risk.
  4. How does the attack take hold?  Most malware has to install something, persist across reboots, or modify key system files, and that typically requires local admin.  I wrote about a recent study that looked at the 2013 Microsoft vulnerabilities and found that 92% of the critical ones would have been mitigated if the user was not running as a local admin.  So curtailing the use of local admin greatly reduces risk.  It does not eliminate it: code running as a plain user can still read, encrypt and exfiltrate that user's data.
  5. How does the attack execute?  Something has to run on the machine.  So if we can either block known-bad code from running (blacklisting) or allow only vetted code to run (whitelisting), we reduce risk further.
   I'm particularly interested in the last two methods.  I already covered the local admin issue previously so won't rehash that here.  But, bottom line, only people whose job it is to administer workstations should run as local admin.  And only when they are doing that admin work, like installing approved software; day-to-day email and browsing happen in a separate, unprivileged account.  Server and network admins do not need local workstation admin! (sorry... you don't)

   Let's talk more about blacklisting and whitelisting.  Blacklisting is the practice of listing things that aren't allowed, then comparing code, executables, files, etc. against that list.  The problem is... you can't enumerate badness.  What I mean is that you can never list all the things you don't want on your machine, or all the sites you shouldn't visit, because the list changes constantly and is too long, and anything the list has not seen yet (a new sample, a repacked old one) is allowed by default.  Most anti-malware, intrusion detection and web filtering products use a blacklisting methodology.  I'm not saying you shouldn't use these.  In fact, you most certainly should use these products as part of your defense-in-depth strategy... just don't depend only on these tools.

   Conversely, whitelisting is the practice of listing what is allowed to run.  This is conceptually easier because you can examine a machine and see what's running.  Only code on your list is allowed to run; everything else is denied by default, which is why an unknown or modified binary is stopped even though nobody has written a signature for it.  Another advantage is that the list is finite and under your control.  Two caveats from practice: identify code by a content hash or a publisher signature, not by path or file name, because an attacker controls both; and make sure the whitelist covers DLLs, scripts and installers, not just EXEs, or those become the bypass.  There are a whole bunch of products in this space (XP itself ships Software Restriction Policies, which can do hash- and path-based rules).  They need time to "discover" what should be running, and all have administrative work to implement and maintain the product, mostly keeping the list current as approved software is patched.
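To make the default-allow versus default-deny difference concrete, here is an added example (my own illustration, not code from the original post or from any whitelisting product).  It builds a hash-based allowlist from a set of "vetted" binaries and a blocklist from one "known-bad" binary, then checks a vetted file, the known-bad file, a tampered copy that keeps a vetted file name, and a never-seen binary.  All file names and contents are constructed placeholders created in a temporary directory; they are not real PE files.  Real enforcement lives in the OS (Software Restriction Policies or a third-party agent); this only shows the decision logic.

```python
"""Hash-based allowlist vs. blocklist decision logic (added example, constructed data)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Content hash of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Enumerate the known-good binaries once, from a clean reference machine.
    Keyed by content hash, never by path or file name: an attacker controls both."""
    return {sha256_file(p) for p in paths}


def allowlist_decision(path, allowlist):
    """Default deny: anything whose hash is not on the list does not run."""
    return "allow" if sha256_file(path) in allowlist else "deny"


def blocklist_decision(path, blocklist):
    """Default allow: only things already known to be bad are stopped."""
    return "deny" if sha256_file(path) in blocklist else "allow"


def evaluate(root, candidates, allowlist, blocklist):
    """Map each candidate (path relative to root) to (allowlist verdict, blocklist verdict)."""
    results = {}
    for p in candidates:
        key = os.path.relpath(p, root).replace(os.sep, "/")
        results[key] = (allowlist_decision(p, allowlist),
                        blocklist_decision(p, blocklist))
    return results


def demo():
    """Constructed scenario in a temporary directory; returns the verdict table."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            return p

        # Hypothetical binaries; the bytes are placeholders, not real executables.
        vetted = [write("notepad.exe", b"MZ vetted notepad build"),
                  write("calc.exe", b"MZ vetted calc build")]
        known_bad = write("dropper.exe", b"MZ dropper the AV vendor already knows")
        # Same file name as a vetted binary, different bytes: a tampered copy.
        tampered = write("patched/notepad.exe", b"MZ notepad with injected code")
        # Brand-new binary nobody has written a signature for.
        unknown = write("newtool.exe", b"MZ never-seen-before binary")

        allowlist = build_allowlist(vetted)
        blocklist = {sha256_file(known_bad)}

        return evaluate(root, vetted + [known_bad, tampered, unknown],
                        allowlist, blocklist)


if __name__ == "__main__":
    for name, (allow_verdict, block_verdict) in demo().items():
        print(f"{name:22} allowlist={allow_verdict:5} blocklist={block_verdict}")
```

The two vetted files pass both checks and the known dropper fails both, so on what has already been seen the approaches agree.  The interesting rows are the tampered notepad and the new tool: the blocklist lets both run because it has never seen them, while the allowlist denies both because their hashes are not on the list.  That is the "you can't enumerate badness" argument in code.  Note also that the tampered file keeps the name notepad.exe; a path- or name-based whitelist would have let it through.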

   Then there is the "penalty tax" aka XP Custom Support.  Microsoft is offering a very expensive program for enterprises.  The cost is approx. $200 per seat per year, payable quarterly, and doubling each year.  The plan offers only critical security patches and Microsoft makes no guarantees.  Effectively, they want you off XP but are willing to allow you to pay dearly for your delay.

   Furthermore, Microsoft has recommended that you not allow remote access via IPSEC VPN from XP machines.

   So... what do I recommend???

   First, if you are a home user... then upgrade to a supported operating system of your choice.  There is no realistic way for a single user to compensate for an unpatched OS on a machine that browses the web and reads email.

   For enterprises, I like the combination of application whitelisting plus endpoint defense (including anti-malware, IDS and personal firewall).  For administrative controls I support eliminating or greatly curtailing the use of local admin.  Minimizing the threat posed by email attachments and malicious links is always a good thing.  (Of course, you should also have a full suite of network and perimeter controls as well as an appropriate security architecture and governance!)

   There's one more avenue to explore... and it's not for everyone.  That is VDI or Virtual Desktop Infrastructure.  By running the XP desktop in a VM (Virtual Machine) in the data center you can eliminate some of the problems associated with physical machines: the image is centrally managed, can be snapshotted and reverted, and can be placed on an isolated network segment while the user's physical endpoint runs a supported OS.  Be clear about what it does not do: the XP image inside the VM is still unpatched, so it still needs the whitelisting and non-admin controls above.  Note also that all software won't necessarily run in that environment, so your mileage may vary.

   There is no silver bullet and one size definitely does not fit all.  There are no absolutes in information security.  Know your environment and pick administrative and technical controls and tools that fit your environment and provide a layered set of defenses.

   Oh... and Vista support ends in 2017 and Win7 ends in 2020!

   What are your thoughts?  Is your organization on XP or a different operating system?  If you're on XP, what are you doing about it?
