Friends don't let Friends

Blog post by treyford, Apr 7, 2014

We all know that tomorrow is the official end of life for Windows XP, and there are at least fifty other posts you can read on this topic.


I want to:

  • Remind you of our social responsibility on this topic,
  • Simplify your family CIO/CSO duties (LOL), and
  • Sharpen your business game regarding Windows XP's end of life.


Our Duty:

As members of the security community, we have a responsibility to leave the Internet better than we found it. Data indicates that XP still powers roughly a third of computers surfing the web (29% per these statistics). This is an opportunity for you to be an ambassador for our community to the public. When you see XP out there, help educate people (in the most helpful and positive way possible) on the importance of replacing this fragile operating system.


You already know that while vendor support ends, security research never stops. We all preach computer hygiene: online safety starts with applying patches, using firewalls and antivirus, and deliberate management of usernames and passwords... but rarely do we have the discussion around retired operating systems.


Concerning Friends and Family:

For home users, this is a scary conversation. This means backing up your stuff and upgrading the operating system, which isn't for the faint of heart. Early in my IT adventures, OS installation and upgrades were the biggest messes I made. For many people, this will mean upgrading hardware, or buying an entirely new machine.


I know what you're thinking, "Dude, I do not fix more computers!" and I'm with you. I get it. I feel the same way.


Have you considered moving friends and family to tablets or Chromebooks? For my extended family, the vast majority of computer usage is browsing and email. After two years as my family's de facto CIO/CSO, I am telling you that there is something to the walled garden strategy, as help desk call volume is DOWN! (There is just a lot less to break!)


The purchase price of an OS plus any required hardware upgrades will buy one, if not two, iOS or Android tablets or Chromebooks.


On Business:

Obviously, when speaking to the business, the conversation is different.


There are occasional business reasons to keep legacy systems. It is our responsibility to acquaint organizations with the associated risk and the cost of the associated due diligence, as these soft costs pile up over time.


In financial terms, capitalized expenditures have a timeline for depreciation. As investments age, their associated value decreases. The trick is that finance often already expects the operational expenditure of supporting them. They know that a new operating system means new software licensing, training for engineering and support staff, and a likelihood of costly user interruption!


You will do well to highlight that there are new costs that come with protecting end-of-life software. When you can't patch, systems must be hardened. Sensitive systems like ATMs, point-of-sale, and SCADA systems should have been hardened prior to deployment and will have been well maintained (this *also* means new licensing costs, training, and possible user interruption). Windows XP in corporate environments will need the same level of treatment.


Businesses need to understand that XP has had the rug pulled out from underneath it. While they will still be using these unsupported systems, flexibility in usage must be limited. Network access should be limited: zero access out to the Internet, and nearly impossible remote access inbound. System behavior enforcement and monitoring become paramount.
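The "zero access out to the Internet" rule is only worth stating if you can check it. As an added example (not code from the original post), the Python script below runs detection logic over a handful of constructed proxy log lines in Apache combined format: it identifies XP clients from their browser User-Agent (Windows NT 5.1; NT 5.2 is XP x64 or Server 2003 and is flagged for a manual check) and reports any XP client that reached a destination outside an assumed internal name suffix of `.example.local`. The log lines, IP addresses and host names are all made up for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed internal name suffixes; anything else is treated as "the Internet".
INTERNAL_SUFFIXES = (".example.local",)

# Constructed proxy log lines in Apache combined format (not a real capture).
SAMPLE_LOG = """\
10.0.5.21 - - [07/Apr/2014:10:15:02 +0000] "GET http://intranet.example.local/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.5.21 - - [07/Apr/2014:10:15:40 +0000] "GET http://news.example.net/ HTTP/1.1" 200 40211 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.7.9 - - [07/Apr/2014:10:16:01 +0000] "GET http://news.example.net/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.5.33 - - [07/Apr/2014:10:16:30 +0000] "CONNECT mail.example.net:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
this line is not in the expected format
10.0.5.33 - - [07/Apr/2014:10:17:05 +0000] "GET http://helpdesk.example.local/tickets HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
10.0.9.4 - - [07/Apr/2014:10:18:11 +0000] "GET http://news.example.net/ HTTP/1.1" 200 40211 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 2.0.50727)"
"""

# client - - [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Windows NT 5.1 is XP. NT 5.2 is XP x64 or Server 2003, so treat it as
# XP-family for triage and confirm against the asset inventory by hand.
XP_RE = re.compile(r'Windows NT 5\.[12]\b|Windows XP')


def is_windows_xp(user_agent):
    """True if the User-Agent advertises an XP-family Windows build."""
    return XP_RE.search(user_agent) is not None


def destination_host(method, target):
    """Extract the destination host from a proxy request target."""
    # CONNECT carries "host:port"; other methods carry a full URL in proxy logs.
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "dest": destination_host(m.group("method"), m.group("target")),
        "ua": m.group("ua"),
    }


def audit(log_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Find XP clients and any of their requests that left the internal zone."""
    xp_hosts = set()
    violations = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count, never silently drop, lines we cannot read
            continue
        if not is_windows_xp(rec["ua"]):
            continue
        xp_hosts.add(rec["client"])
        if not rec["dest"].endswith(internal_suffixes):
            violations.append((rec["client"], rec["dest"]))
    return {
        "xp_hosts": sorted(xp_hosts),
        "egress_violations": violations,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("XP clients seen:", ", ".join(report["xp_hosts"]))
    for client, dest in report["egress_violations"]:
        print(f"egress violation: {client} -> {dest}")
    print("unparsed lines:", report["unparsed"])
```

The User-Agent check is an inventory aid, not proof: it only sees hosts that browse through the proxy, and a spoofed or unusual agent string will slip past it. Its value is in turning the policy sentence into a daily report of which XP machines are still talking to the outside world, which is the list you take to the people who own them.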


My friend Mike has a good comparison: he believes that using unsupported software can be compared to using antiques for routine business use. Extreme care must be exercised to keep the asset functional and minimize the likelihood of injury.


Another analogy is that of driving an older vehicle. At some point you are throwing good money after bad, trying to keep it running. There is a window of time where the car is paid off, it is running well, and your decision to not upgrade is saving you money. For Windows XP, that time has come and gone.


Finally, encourage your business partners to think of criminal hacker types as smart business people (because they are.) Decision makers understand the laws of supply and demand, and the decision to stay on XP means they are generating the market for those exploits. The risk associated with ending support for Windows XP is in no way to be placed on Microsoft.


A call to action:

You have an opportunity to be an ambassador. When you see XP out there, have an adult conversation, educate in terms that others will appreciate. Your actions and words reflect on the entire community.


As the family CIO/CSO - look for the smart investment. There are options that will make your life easier. A small investment is a lot easier to stomach than compromised shopping/banking/credit card credentials (or identity theft.)


As a corporate security partner, speak their language. You know that companies refusing to retire unsupported operating systems are ultimately generating risk, and those moves come at a cost. As companies entrusted with other people's data, let's minimize the risk we eventually expose consumers to.