Windows XP Goes Dark

By Holly Gilbert Stowell

The financial sector also faces challenges from the end of Windows XP. Ninety-five percent of the world’s ATMs were running on XP by the time the end-of-life rolled around in April, according to NCR, the globe’s largest supplier of ATMs. But experts point out that the electronic teller machines are much more hardened against attacks than the average machine. “ATMs are supposed to be running on a segregated encrypted network. So because of that, there will be limits in terms of what types of attacks can occur on ATMs,” says Sakore. “ATMs [aren’t] wide open to attack. There are strict rules in terms of how ATMs connect over what type of network…There are protections that are in place.” 

Wisniewski explains that the threat profile of ATMs is different from that of a laptop computer, for example, and that they aren’t on any type of public-facing Internet connection. So, vulnerabilities come from internal threats or ATM card skimming, rather than from hacking in through an insecure operating system. Overall, he says the risk of continuing to run XP may outweigh the cost of replacing or upgrading machines. “Bank of America, which has tens of thousands of ATMs, may say, ‘You know what, we’re willing to take the risk of something bad happening because the cost of replacing 30,000 ATMs is going to cost us tens of millions of dollars. So we’ll take our chances for a little while,’” he says.

Business migration. If an organization still hasn’t migrated from XP to a newer operating system, like Windows 7 or Windows 8, there are steps it can take to ensure its networks are safeguarded against attacks.

“First, they have to do a risk assessment where they identify all the systems in their organization which are running XP,” notes Sakore. He adds that businesses should identify which types of data those XP systems can access, prioritizing which machines to protect first based on which ones access sensitive information. If there are machines still running XP, Wisniewski says to take images of them. That way, “if something does happen to it, they can very easily restore it back to the condition it was in before it was compromised,” he notes.

Finally, Wisniewski says removing the machines still running XP from any Web connection will ensure protection. “The best thing to do is simply take them off the Internet. If you can’t upgrade them easily, or it’s going to be an enormous amount of cost or labor to react to this deadline, then one plan is isolate them, don’t let people use them to surf the Internet.” He says that maintaining standard security software, like firewalls and antivirus protections, is still important even if you’ve removed the machines’ Web connections.

Sakore points out that employees who use a virtual private network (VPN) to connect to the corporate network pose a serious risk. “If you have home users and they’re not upgrading their desktops and they’re using VPN to log into the corporate network, then you have some systems there that could be open to attack,” he says. “So it’s important to create some kind of policy around Windows XP from a corporate standpoint.”


