Is there a place for Windows XP on the corporate network?
The operating system has been out of support for a full decade. The only notable public patches since then were in 2017 and 2019 for the EternalBlue exploit (WannaCry) and BlueKeep.
Despite this, in 2024 an estimated 0.5% of enterprise systems still run Windows XP. There are many cases where some kind of specialized, business-critical device runs Windows XP because it still functions. Operating systems have a ~10-year lifecycle compared to industrial hardware (think ATMs, freight scales), which often lasts 20 or 30 years.
In some cases the vendor may offer an upgrade path to a supported OS. However, more often the hardware is too old to run anything newer and/or the vendor may not exist any more.
This creates a security mismatch where an unsupported device "needs" to remain in production for some time. Replacement is usually not cost effective if the device still functions. Would you replace a $100,000 functioning industrial microscope just to buy a few more years of OS support? The business will say no in almost all cases which frustrates many a security team.
However, within the security energy framework the business needs and security risk needs can be reconciled.
Inherently vulnerable systems include out-of-support operating systems like Windows XP. Their risk can be mitigated by making them hard to get to. From the influence energy side, the harder it is to reach a particular point, the more influence energy I need to have.
Think about your house. You don't keep valuables on your front porch. Things of value to a would-be thief are kept inside in a secure location. They are only taken out for specific purposes and guarded during these times.
Similarly, vulnerable systems must be protected by increasing the numbers of hops away from general internet access.
A hop is defined as "how many computer systems (not network devices) does a packet need to be processed by in order to reach this service?" Internet-facing servers are 0 hops since they directly process packets. A service accessible on a VPN is one hop away. Something on the corporate intranet behind another authentication point is two hops away.
Each hop away from the internet increases the cost to an attacker 10x; put another way, increases the required influence energy by 1.
A hypothetical Windows XP system with all patches applied is Security energy 3 since it would take some effort to compromise. If it is running a critical process, we need to increase the effort to breach it to at least 5 by placing it 2 hops away from the internet. With these compensating controls in place, the XP system can live out its days in peace.
This approach can be broadened for general vulnerability management. Publicly-exposed resources (0 hops) like on-premises hosting or cloud servers should be aggressively scanned and patched -- at least weekly. Things on an internal network (1 hop) should be scanned and patched at least monthly. Things on further internal networks can be managed much less frequently, just make sure to audit the segregation controls on a regular basis.
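As an added example (not code from the original post), the hop-count definition, the "each hop adds 1 energy" rule and the cadence-by-hop schedule above can be turned into a small inventory check. The topology, asset names, base security-energy scores and the graph representation are all constructed assumptions; only the scoring rules come from the post. It generalizes the definition slightly by computing hop counts with a 0/1 shortest path over an arbitrary network graph, where a packet leaving a host (a system that terminates and processes it) costs one hop and leaving a pure network device costs none.

```python
"""Hop-count exposure model for legacy assets.

Added example, not code from the original post. The topology, asset names,
base security-energy scores and the dict/graph representation are constructed
assumptions; only the scoring rules (hosts count as hops, network devices do
not, each hop adds 1 energy, critical target of 5, weekly/monthly cadence for
0/1 hops) come from the post.
"""
import heapq

# Constructed topology: node -> (kind, list of downstream neighbours).
# 'network' = forwards packets only (firewall, switch); 'host' = a computer
# system that terminates and processes the packet, so it counts as a hop for
# everything behind it.
TOPOLOGY = {
    "internet":      ("network", ["edge-fw"]),
    "edge-fw":       ("network", ["web-01", "vpn-gw"]),
    "web-01":        ("host",    ["app-01"]),
    "vpn-gw":        ("host",    ["core-sw"]),   # VPN endpoint: 1 hop for all behind it
    "core-sw":       ("network", ["jump-01", "fileserver"]),
    "jump-01":       ("host",    ["ot-sw"]),     # separately authenticated bastion
    "ot-sw":         ("network", ["xp-microscope"]),
    "app-01":        ("host",    []),
    "fileserver":    ("host",    []),
    "xp-microscope": ("host",    []),
}


def hops_from_internet(topology, source="internet"):
    """Fewest hosts a packet must be processed by before reaching each node.

    Dijkstra over 0/1 edge weights: leaving a 'host' node costs 1, leaving a
    'network' node costs 0. The destination itself is not counted, so an
    internet-facing server is 0 hops, matching the post's definition.
    """
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        kind, neighbours = topology[node]
        step = 1 if kind == "host" else 0
        for nxt in neighbours:
            nd = d + step
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def scan_cadence(hops):
    """Vulnerability-management cadence by exposure, as the post lays it out."""
    if hops == 0:
        return "weekly"
    if hops == 1:
        return "monthly"
    return "less frequent; audit segregation controls regularly"


def assess(topology, assets, target_energy=5):
    """Score each asset: effective energy = base energy + hops from the internet.

    assets: name -> (base_security_energy, is_critical). Critical assets below
    target_energy are flagged with how many more hops (or energy) they need.
    """
    hops = hops_from_internet(topology)
    report = {}
    for name, (base, critical) in assets.items():
        h = hops.get(name)
        if h is None:
            report[name] = {"hops": None, "note": "unreachable from internet"}
            continue
        effective = base + h
        short = max(0, target_energy - effective) if critical else 0
        report[name] = {
            "hops": h,
            "effective_energy": effective,
            "cadence": scan_cadence(h),
            "compliant": short == 0,
            "hops_short": short,
        }
    return report


# Constructed inventory: base energy and criticality are assumptions for the demo.
ASSETS = {
    "web-01":        (4, False),
    "app-01":        (2, True),   # under-patched critical app one hop in
    "fileserver":    (4, True),
    "xp-microscope": (3, True),   # fully patched XP: energy 3 per the post
}

if __name__ == "__main__":
    for name, row in assess(TOPOLOGY, ASSETS).items():
        print(name, row)
```

With this topology the XP microscope sits two hops in (VPN gateway, then bastion) and reaches the target of 5, while the constructed app server at energy 2 behind a single host is flagged two hops short; the same function also yields the scan cadence for each exposure tier.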
If you need help figuring out what your exposure to exploits is or don't have a regular vulnerability scanning program set up, reach out today. I have decades of experience managing vulnerabilities for large and small companies and will provide an optimized solution to match your risk level at a cost you can afford.