Threat of the Week: Orphaning XP
You may already have your calendar marked: April 8, 2014. That is when Microsoft pulls the plug on support for its venerable XP operating system and that means no more security updates for the more than 100 million PCs estimated to be running XP.
The bad news: this will trigger an avalanche of finely honed attacks on legacy XP machines, predicted Justin Strong, an XP expert with Novell. He predicted that, right now, cyber-criminal organizations are tearing down XP, hunting for vulnerabilities and that soon after the April 8 cutoff, they will unleash robots to probe targeted sites – including financial services companies.
FFIEC, meantime, issued guidance that carefully avoided demanding that credit unions exit XP by April 8th. What FFIEC requires is this: “The FFIEC agencies expect financial institutions and their technology service providers to identify, assess and manage the potential operational risks associated with the discontinuation of XP support to ensure that safety and soundness and the ability to deliver products and services are not compromised.”
As for what that means, Bob Roth, managing director of Cornerstone Advisors, a fintech consulting firm in Scottsdale, Ariz., said, “That is regulatory speak for you got to get off XP because the next time we come around we will write you up. It supposedly says they can implement controls, but there is no such thing.”
Most credit unions are in no position to concoct their own security patches for XP so, realistically, the only option is to beat a retreat from the aged operating system. But that is easier said than done, for multiple reasons.
How many credit unions might be impacted? Roth said that precise numbers are unknown but his guess is that 40% to 60% of credit union back-office PCs are running on XP.
What are the hurdles to making a swift exit?
There frankly is not enough talent to help that large a pool successfully and speedily convert to supported Windows operating systems – most FIs will choose Windows 7, although bold ones will plunge into the newer Win 8, predicted experts. And this will put many credit unions in the regulators’ crosshairs.
Another obstacle: many credit unions are running custom applications on XP where there is no obvious route to port them over to Win 7, said Strong. “There are a lot of mission-critical apps that just won’t run on Win 7.”
These specialty apps, said Strong, are proving to be the real stumbling block in migration at many credit unions and there appears to be no quick fix in most cases.
Said Roth: “I will guess that 20% won’t get their conversion done by the end of April. That 20% won’t be very loved by the regulators.”
Some will say they are “assessing the risks,” but, said Roth, “The regulators will say, what are you doing?”
He insisted: staying on XP just is not an option and credit unions need to craft fast-track ways to move to Win 7.
And then it gets a lot worse. Cornerstone Advisors is telling its clients that back-office PCs are just part of the problem. In an email, Cornerstone executive Sam Kilmer wrote: “A significant percentage of the ATMs in the financial sector (> 90% of the non-major/national banks) are using operating software utilizing XP as the core software - and that will require upgrades to new operating software.
· “This software upgrade will also mean that many ATMs will require hardware upgrades (primarily processors needed to run the new software) – or (in the case of older models) replacement of the ATM all together. This work will certainly not get done by the April deadline.
· “While ATMs can be segmented from the rest of the network and a financial institution may be inclined to take the risk, it will not be politically correct to allow cash dispensing machines to be in your institution with known security vulnerabilities for long.
· “The impact is huge (really huge) and will likely impact many credit unions as much as the desktop issue.”
The bottom line of that Cornerstone warning: Credit unions need to find XP wherever it lives in the institution and expect it will turn up in unexpected places.
The double bind is that even for credit unions that decide today to migrate to Win 7, from every XP device of any kind, many won’t meet the deadline. Dell Software has said, for example, that an enterprise wide migration will typically take 12 to 24 months.
Employ sophisticated automation and, maybe, a credit union could cut that timeline down to six months, said Ann Maya at Dell Software. She also said credit unions could shrink the timeline by “rationalizing” – meaning reducing – the number of apps that need to be migrated.
She stressed that there is a payoff for the migration: “Security in Windows 7 is greatly improved over XP, as is performance. There’s better user experience. I have never heard anyone who wanted to go back to XP.”
That’s the light at tunnel’s end but getting there will – obviously – be both painful and expensive and apparently there are no reliable shortcuts for the many institutions that have waited until this bitter end.