Today, the day Microsoft officially ended security support for Windows XP, it has emerged that April 8 marks merely the end of ‘free’ XP security, with many large organisations set to follow the UK Government and pay to protect their XP users until they can migrate.
The Cabinet Office signed a £5.5 million deal with Microsoft late last week for the UK public sector to keep receiving XP security updates for the next 12 months. Similar deals have been struck by the Irish and Dutch governments, and experts predict large enterprises will follow suit.
But such ‘paid-for’ security is only available to Microsoft Premier Support contract customers. And enterprises have been warned by the UK Government's own privacy watchdog, the Information Commissioner's Office (ICO), that if they get their XP security wrong after April 8 they face fines of up to £500,000 under the Data Protection Act.
Likewise a Microsoft advisory warns enterprise users keeping XP: “Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.”
Microsoft ended its 12 years of XP security support this Patch Tuesday, meaning it will no longer provide security updates or technical support for XP. But in a partial concession announced in January, it will still issue updates to its XP anti-malware software through to 14 July 2015. For enterprise customers, this lifeline applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune running on XP.
But the fear factor (some industry watchers predict a flood of ‘saved-up’ zero-day attacks will target exposed XP users after April 8) may prove a useful earner for Microsoft as more organisations ‘go private’ for their XP security support.
With research this week from AppSense showing 77 percent of organisations will continue running XP, industry expert Brian Honan of BH Consulting thinks the UK Government has made a positive move that many large enterprises will follow.
He told SCMagazineUK.com: “The big challenge for governments and large enterprises is the whole cost of moving to Windows 8 or 7 – not just the operating system but every application like Office, and for large legacy systems it could be very time-consuming to move. Also the hardware organisations bought maybe 10 years ago may not be capable of running modern operating systems and there is the whole issue of user training as well.
“So the UK government is buying time to make sure the migration is done in a proper way. I see it more as a positive than a negative. You might ask why they haven't done it earlier but I think the money simply hasn't been there. I think you will find many large organisations with large XP footprints may not have had the time or budget yet to move.”
Honan added: “For XP it is end of free support rather than the end of support. XP is an example of where the software has moved on – but just because it is obsolete does not mean it's no longer used.”
Steve Durbin, global vice president of the Information Security Forum (ISF) industry body, agreed paying for extended support “should buy businesses and UK government departments a little more time to ensure they are able to migrate in a planned fashion with a security safety net still in place”.
But he told SCMagazineUK.com: “This cannot continue and Windows XP users must take responsibility for migrating off XP in order to avoid potential attacks, hacks and breaches by cybercriminals who are only too well aware that this presents an opportunity.”
Meanwhile Tim Holman, president of the ISSA-UK security professionals organisation, insists “all is not lost” for users who cannot afford extended security support.
He told SCMagazineUK.com via email: “I doubt many organisations have that kind of money lying around and simply cannot afford the extended support offered by Microsoft. HMG will not be permitted to share their patches with the rest of the UK as per the licensing conditions set down by Microsoft.”
But he said: “All is not lost for organisations that cannot afford extended support - there will be plenty of hardening and configuration recommendations published by the security community, and anti-malware solutions will be able to detect/prevent many future exploits.
“Is there a risk that there's a major vulnerability or ticking security time bomb for those using XP? I think not. It's been around for almost 15 years and has been hammered to death by the research community and hackers, and they're moving on. XP users must, of course, tread carefully and stay up to date with vulnerability research.”
In contrast, EY information security director Mark Brown believes in the ‘doomsday scenario’. He told journalists via email: “There is inevitably a cost associated with changing from Windows XP, but the cost to business of doing nothing may be even greater and may result in the doomsday of a cyber-fatality with an impacted business unable to recover sufficiently to continue to operate. Hackers will use this as an opportunity to take advantage of those organisations that have not got their house in order.”
The Cabinet Office move has also been criticised by the UK Institution of Engineering and Technology (IET) as “at best a short-term stop gap measure”. IET cyber security lead Hugh Boyes said in a statement: “The Government should set an example by ensuring that PCs using the XP operating system within its IT estate are upgraded or replaced within the 12-month contract.”
Meanwhile, ICO group manager Simon Rice warned organisations in a March 10 blog: “As a responsible data controller it is your organisation's responsibility to make sure you have ‘appropriate technical organisational measures’ in place to keep people's details safe... to make sure you don't fall foul of the Data Protection Act and put your organisation in line for a penalty of up to £500,000.”
The ICO says organisations must stay on top of software updates but Rice points out: “In the case of Windows XP and Office 2003, from 8 April there will be no updates to apply. Anyone using these two products must look at migrating to a supported operating system. Failure to do so will leave your organisation's network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented.”
A Microsoft spokesperson told SCMagazineUK.com via email: “Some large customers with complex Windows XP deployments may not have their migrations complete by 8 April. To help those customers, we offer Custom Support for Windows XP as a temporary, last resort to help bridge the gap during a migration process to a modern OS, as the newest technologies provide the optimal chance to be and stay secure.
“We have made an agreement with the Crown Commercial Service to provide eligible UK public sector organisations with the ability to download security updates to Windows XP, Office 2003 and Exchange 2003 for one year until 8 April 2015. Agreements such as these do not remove the need to move off Windows XP as soon as possible.”