Microsoft Extends Windows® XP Malware Support - Compliance Issues Remain

Page 1: Microsoft Extends Windows® XP Malware Support - Compliance Issues Remain

Lenovo recommends Windows 8.

© 2014 LENOVO. ALL RIGHTS RESERVED.

Page 2: April 8, 2014, was a Critical Date

http://www.pcicomplianceguide.org/windows-xp-end-of-life-why-small-merchants-must-act-now/

Page 3: Windows XP End of Support – Getting to the Truth

What does Microsoft’s recent announcement of malware signature support through July 2015 mean?

Adding to Windows XP security yourself is not a winning strategy for compliance.

Consider the reality of what Windows XP End of Support (EOS) means for legal and compliance directives.

Page 4: Extended Delivery of Virus Signatures Isn’t Protection

Virus signatures alone don’t solve all of the technical security problems that exist now that April 8, 2014 has passed.

Vulnerabilities found in the operating system will no longer be patched.

– New vulnerabilities won’t be short-lived “zero day” threats, but permanent threats, because no patches will be available.

Don’t forget the security issues of the older versions of Internet Explorer that run on Windows XP.

http://lastunturnedstone.blogspot.com/2013/03/google-redirect-virus-may-not-be-your.html

Page 5: Windows XP Will Present a Major Vulnerability

Exploits have been waiting for EOS and will be released!

http://indonetworksecurity.com/wallpaper/screenshot-metasploit.htm

Page 6: “Fixing” Windows XP for Compliance is Not an Option

There are numerous press reports about things that can be done to make Windows XP “more secure” now that EOS has occurred – these are analogous to locking your front door but leaving the back door wide open.

Trying to change many aspects of an existing Windows XP system carries substantial expense and is nearly always a poor investment for the organization, because the underlying problem still exists after the “fix.”

Technical updates to Windows XP systems will not make them “current” from a compliance or statutory perspective.

Page 7: More Threats to Windows XP Are Lurking

The patches still being delivered for Windows 7 and Windows 8 may point out vulnerabilities in Windows XP where there is shared or similar code or libraries – hackers are waiting for this.

There is “chatter” on hacker sites that known exploits for Windows XP have been held back until after EOS so that they can now be used to better effect.

Device drivers and other system software elements may also be vulnerable, and more attention is being focused on finding exploits in them.

Page 8: Security & Compliance Issues – More than Technology

Security, compliance, and legal issues aren’t solely focused on security technology; they are just as focused on Windows XP no longer being “current” or “supported.”

Many compliance directives are focused on the quality of the software, not on the security programs in place.

Organizations will find themselves falling under a number of different compliance and legal directives, raising the bar higher.

Attention to privacy and data theft by government entities is only increasing, and with the recent intrusion at Target stores, more legislation and compliance demands are coming soon.

Page 9: Microsoft Extends Windows® XP Malware Support - Compliance Issues Remain

Page 10: Compliance & Legal Directives Impacting EOS

There are potentially a large number of compliance directives and statutes that continuing to run Windows XP after EOS will contravene.

Key examples of these follow.

http://blog.icorps.com/bid/131408/How-to-Derive-Benefits-From-IT-Compliance

Page 11: Payment Card Industry Data Security Standard (PCI DSS)

Impacts any business that must be PCI compliant.

Out-Law.com reports that any organization with Windows XP, including POS equipment, should be especially concerned.

Enforcement goes beyond U.S. borders, to many other countries.

Costs of breaches are substantial.

– VISA has high penalties:

– Level 1 noncompliance is $25,000 per month for months 1-3, $50,000 per month for months 4-6.

– $50-$90 per compromised record.

– Other banks and cardholders have similar penalties.

Page 12: HIPAA – Large Hospitals/Healthcare Institutions

Requires protection of systems and information with “patches and updates” – Windows XP will not have these.

Prohibits the use of unpatched or unsupported operating systems.

The “Security Process Management Standard” section of HIPAA dictates that covered entities must implement appropriate security measures to reduce risks and vulnerabilities to a reasonable and appropriate level. Leaving Windows XP in place may be considered an unreasonable action.

In cases where there is willful neglect, penalties start at $50,000.

Page 13: Sarbanes-Oxley

“IT auditors must identify the related technology components and general controls that provide assurance of processing and data integrity for the key applications.” Can Windows XP after EOS meet that standard?

“Integrity is defined as the assurance that information can only be accessed by those authorized to do so.” Windows XP after EOS will be hard to defend against this standard.

The consequences of noncompliance can be very large fines.

Page 14: Gramm-Leach-Bliley Act

This law focuses on the protection of personal and private information held by financial institutions.

It has a very broad impact on IT operations.

It requires an annual notice of the practices in place to protect private information.

Organizations running a vulnerable operating system such as Windows XP face the possibility of putting private information at risk. If a breach can be traced to Windows XP, there are substantial penalties.

Page 15: The Red Flags Rule

This rule was created by the FTC to help prevent identity theft.

Requires financial institutions to:

– Implement a written prevention program designed to detect the red flags of identity theft in their day-to-day operations.

– Take steps to prevent the crime.

– Mitigate its damage.

After EOS, it is likely that Windows XP will become a “red flag.”

Page 16: Massachusetts General Law 201 CMR 17.00

This is an excellent example of a state law that is designed to protect personal information.

Numerous states have similar laws, and many are designing legislation at this time.

Under Massachusetts law, section 6, “personal identifiable information (PII) on a workstation connected to the internet must be reasonably up-to-date… [with] operating system patches.”

This may be the clearest statute regarding Windows XP.

Page 17: Summary

The recent announcement of continued provision of malware signatures does not constitute a re-assessment of Windows XP EOS.

Very real threats to Windows XP are expected now that EOS has occurred.

Compliance and statutory issues for Windows XP are not just about technical security issues; they are driven by Windows XP’s status as “no longer supported.”

– Many compliance and statutory demands are to keep software “current.”

– Some statutes, such as Mass. 201 CMR 17.00, demand that any operating system used have current and recent patches.

Page 18: Microsoft Extends Windows® XP Malware Support - Compliance Issues Remain