Windows XP Highlights Risk of Over Sweating Software Assets

Posted on August 20, 2013

To offer a commercial service and fail to invest in current vendor support, so that you can ensure the timely security patching of software, is one of the greatest cardinal sins in modern business. It is followed closely by those organisations that do maintain current vendor-supported software but fail to apply security patches. The former scenario is like skydiving without a parachute; in the latter you have a parachute but elect not to pull the rip cord. It is not the fall that kills you, it is the impact, an inevitability guaranteed by gravity. The reality is that even with a parachute there is still a risk of severe injury or even death. Given the public network-attached nature of just about all computing systems, in one form or another, it is inevitable that unpatched software will be compromised at some point; after all, even patched software is not 100% infallible. Thinking you will not get compromised is crass ignorance. We live in a digital age of advanced persistent threats where all public-facing networks are regularly scanned and probed for weaknesses many times an hour. In fact, the reality for most organisations is that they will already have been compromised; they simply don’t know it yet, or have been lucky enough to hide the fact.

IF an organisation is running ANY software that is out of vendor support for storing or processing customer data, or any Personally Identifiable Information (PII), then it commits one of the greatest cardinal sins of this fledgling digital age and should lose all respectability as a custodian of customer data. Why? The most basic level of courtesy and professionalism is to demonstrate that you respect the data entrusted to you. The lesson starts with the business: if a business cannot make that commitment then it sets the worst kind of example, and how can it then blame users for adopting the same happy-go-lucky attitude to data security?

Sadly there are many organisations who fly by the seat of their pants, sweating software assets beyond their sell-by date. The frightening thing is that these include some of the largest and best-known brands and disciplines, who should know better. It fascinates me that organisations that invest so much in establishing a trusted brand will skimp or cut corners where the risk is crystal clear, and expose themselves to the ignominy of compromising customer confidential information. The brand damage is limitless and professional credibility will struggle to survive.

The end of a software product’s vendor-support lifecycle rarely arrives suddenly. Vendors tend to taper off support, extending the patch release cycle intervals and reducing patch response to only critical vulnerabilities. It is the nature of commercial software. There comes a point where software has to be deprecated because technology has moved on and functionality demands evolve. In the Open Source world there is always the potential of taking on the maintenance and support of one’s own software, but that is the equivalent of servicing your own car: whilst a practical measure in the past, in the age of electronic engine management and diagnostic systems it is beyond the budget of all but the affluent to do this credibly. So it is with software.

The reason for writing in such terms is frustration with some classes of users, most notably the public sector, banking and other global institutions that persist in pushing their luck and DO know better. I am speaking to just one user audience: those still using Microsoft Windows XP, which finally goes out of support on April 8th 2014. Windows XP is not alone; there are many other less well-known software brands out there, but this familiar example will help put the point across so that you get it and, I hope, as a customer or employee start to ‘politely’ raise its profile and, if you cannot encourage them, shame them into action.

Windows XP received well beyond the minimum of 10 years of support Microsoft commits to its products. This minimum 10-year support is made up of 5 years of Mainstream Support and 5 years of Extended Support. For full details see the Microsoft Support Lifecycle Policy FAQ. So, as you can see, the end of life for software, or even the reduced-support event horizon, is well publicised and something that should easily be built into organisations’ budgets and refresh cycles. So why isn’t it?

So why should you care? Simple: in little over 6 months, which is not a very long time when it comes to IT refresh cycles, your data, or the embedded systems you rely on for information, will be in a high-risk category for compromise.

Microsoft is not sitting silently on this either. They are vociferous in their warnings, raising the spectre of a zero-day onslaught on Windows XP. The term zero-day refers to an attack or threat that exploits a previously unknown vulnerability in a computing system, used particularly in relation to software. The size of the exposure was quantified in research by NetMarketShare, which reported that Windows XP was still installed on 37.19% of the worldwide desktop OS market as of July 2013. If the research firm Forrester’s calculation of the total number of desktops in the world is correct at slightly over 1 billion, then you can see the magnitude of this problem.

Hackers are teeing themselves up for a veritable feast as they set their malware sights on over 370 million desktops to harvest for their malicious intent. For now they are building up an arsenal of zero-day exploits ready for April 2014, which risks putting the 2000 millennium bug saga into the shade. Whilst it is likely to mean a huge growth in compromised PCs, the ramifications will go far beyond just those individual systems.

So be a good citizen: if you find yourself having to use XP workstations, for example, or any other out-of-date software that may be accessible from the Internet, question the sanity of this. Some organisations simply will not jump into action unless they are shamed into doing so; better that the shaming comes from a conscientious user than from an exposé of publicly compromised data.