XP: RIP?

Editorial Type: Feature     Date: 09-2014    Views: 2404   

Russ Spitler, VP of Product Strategy at AlienVault explains how to start navigating the Windows XP security cliff - and why it needn't be game over for XP.

Windows XP machines, one would hope, are not on the frontline but rather behind firewalls and routers. Remember that Windows XP is an operating system with some miles on the clock and the core services have been running for 13 years. It has certainly seen more than its fair share of exploit attempts against these core services during that time, not to mention hundreds of patches and improvements as well. Most of the risk is related to the software that is run and the operations that organisations perform using Windows XP.

There are three main attack vectors that need to be protected: Network Exploits, Browser-based attacks and Malicious Email attachments. When these attack vectors are fully considered it's possible to quickly identify the specific steps that need to be dealt with and planned for so as to mitigate the risk, and this can apply even after security updates cease.

Limit inbound network access to mitigate network exploits: place the Windows XP machines on a dedicated network segment and limit access to them from other machines in the organisation's environment. Keeping these machines segmented substantially reduces the chance that they are targeted and compromised by network exploits against their ageing core services.

The assets that companies need to be most concerned with are the ones that run their business systems. For instance, the point of sale terminals at Target were running Windows XP embedded: cutting them off from the rest of the network would have gone a long way to minimising the impact these exploits ultimately had on its business.

Use non-administrative accounts to mitigate browser-based attacks and malicious email attachments: the majority of exploits targeting desktop software (web browsers, Java, Adobe Flash, Adobe Reader) are mitigated when the user account is a limited user. Migrating existing users to a new non-administrative account is disruptive. Instead, reduce the privileges of the existing user accounts and create a separate, easy-to-manage administrative account for the tasks that genuinely need it.

Use a browser with a long-term support plan to help mitigate browser-based attacks: if it's not possible to stop employees from browsing the web on Windows XP machines, at least get them to use an up-to-date browser. Google Chrome is extending its Windows XP support until April 2015. Importantly, if they do browse, make sure that plugins are turned off, since plugins such as Flash and Java are the components most often exploited.

Read email in the web browser to mitigate malicious email attachments: using an up-to-date browser (you are following my recommendations, right?), leverage the email server's web front-end to preview attachments, and be particularly conservative about which attachments are downloaded and opened.

Monitor your systems and always check your work! The most important thing is to catch an incident before it turns into a problem. Look out for command and control traffic, internal probing, increased network activity and other signs of an infection. Of course, network visibility platforms are excellent tools to help with this strategy.
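As an added illustration (not from the article or AlienVault) of the two signals just named, this script checks flow records from the segmented XP network for internal probing (one XP host touching many unexpected internal hosts) and for beacon-like command-and-control traffic (regularly spaced connections to one external host). The network layout, allow-list and flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed layout (not from the article): the segmented XP hosts sit in
# 10.20.0.0/24, the rest of the LAN is 10.0.0.0/8, and the XP segment should
# only reach the AV/update server and webmail front-end below (placeholders).
XP_SEGMENT = ip_network("10.20.0.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
ALLOWED_DESTS = {"10.1.0.5", "10.1.0.25"}
PROBE_THRESHOLD = 5   # distinct unexpected internal hosts -> internal probing
BEACON_MIN_CONNS = 4  # repeated contacts with one external host -> beacon check
BEACON_JITTER = 5     # seconds; near-constant spacing is beacon-like

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0, "10.20.0.11", "10.1.0.5", 443),       # benign: AV/update server
    (30, "10.20.0.11", "10.1.0.25", 443),     # benign: webmail front-end
    (5, "10.20.0.12", "10.1.0.40", 445),      # .12 sweeps SMB across the LAN
    (6, "10.20.0.12", "10.1.0.41", 445),
    (7, "10.20.0.12", "10.1.0.42", 445),
    (8, "10.20.0.12", "10.1.0.43", 445),
    (9, "10.20.0.12", "10.1.0.44", 445),
    (0, "10.20.0.13", "203.0.113.9", 8080),   # .13 calls out every 300 s
    (300, "10.20.0.13", "203.0.113.9", 8080),
    (600, "10.20.0.13", "203.0.113.9", 8080),
    (900, "10.20.0.13", "203.0.113.9", 8080),
]

def analyse_flows(flows):
    """Return (finding, src, detail) tuples for XP hosts behaving suspiciously."""
    internal_targets = defaultdict(set)  # src -> unexpected internal dsts
    external_times = defaultdict(list)   # (src, dst) -> connection times
    for ts, src, dst, _port in flows:
        if ip_address(src) not in XP_SEGMENT or dst in ALLOWED_DESTS:
            continue  # not an XP host, or an approved destination
        if ip_address(dst) in INTERNAL_NET:
            internal_targets[src].add(dst)
        else:
            external_times[(src, dst)].append(ts)
    findings = []
    for src, targets in sorted(internal_targets.items()):
        if len(targets) >= PROBE_THRESHOLD:
            findings.append(("internal-probing", src, len(targets)))
    for (src, dst), times in sorted(external_times.items()):
        if len(times) < BEACON_MIN_CONNS:
            continue
        gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER:
            findings.append(("possible-c2-beacon", src, dst))
    return findings
```

Calling `analyse_flows(SAMPLE_FLOWS)` flags host .12 for probing and host .13 for beacon-like traffic while leaving the well-behaved .11 alone; in practice the thresholds would be tuned against the segment's normal traffic.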

Just because we have stopped receiving patches, it doesn't mean the critical systems in the dark corners of the internet (ICS / SCADA control systems) and the machines that are in use every day (such as ATMs) will suddenly break down. Those systems are on restricted networks (well, mostly) and, unlike humans, the machines don't check their email or browse the internet. While organisations can't just stop their daily tasks, they will need to be practical about their exposure, understand the risks and take the necessary steps, which will do a lot to minimise the security risk until it is possible to upgrade all XP endpoints on the network.
