Does your organization still have a significant number of endpoints running Windows XP? Don’t worry, you’re not alone: Forrester's Forrsights Hardware Survey, Q3 2013 shows that the average organization still has 20% of its employee endpoints running XP. Considering that most organizations spend 18 to 32 months migrating to a newer version of Windows, many will likely find themselves scrambling to batten down the hatches before Microsoft’s April 8, 2014 end-of-life deadline.
After this date, Microsoft will stop releasing security patches for the 13-year-old operating system, a terrifying situation for organizations still relying on XP. What can you do as an organization if you still have a substantial XP presence within your environment? You can:
Migrate to Windows 7 or 8 posthaste. Microsoft has come a long way in preventing certain classes of attacks, such as bootkit and rootkit attacks (Secure Boot and Early Launch Anti-Malware in Windows 8 and later, for example, are aimed at exactly that class). In fact, Microsoft has told us that Windows XP is 21 times more likely to get infected with malware than Windows 8.1. To help our clients understand the pros and cons of Windows 8.1 security, I recently published a guide on this very topic.
Buy some extra time. For those who can afford it, Microsoft will offer “custom support” in the form of XP security patches past the April 8 deadline. I’ve spoken with a number of organizations that determined it would be cheaper to pay this premium than to migrate away from XP. Of course, this only prolongs the inevitable; custom support will not be available forever, and every month on it is a month spent on an operating system that the rest of the ecosystem is abandoning.
In a recent report titled “Technology Management In The Age Of The Customer,” Forrester defines the Age of the Customer as: "A 20-year business cycle in which the most successful enterprises will reinvent themselves to systematically understand and serve increasingly powerful customers." In this Age of the Customer, empowered consumers using social media can have tremendous influence. Technology gives the lone voice a platform to be heard across the Internet. Technology is the force multiplier for empowered consumers.
Jason Huntley, a UK-based IT consultant, is a perfect example of one of these increasingly powerful customers. He posted a blog post titled “LG Smart TVs logging USB filenames and viewing info to LG servers.” In it Jason detailed how his LG Smart TV was spying on him. The TV was not only reporting data about his viewing habits, but was also uploading the filenames from the storage devices he attached to the TV. His viewing habits were collected despite the fact that he had opted out of the “Collection of watching info.” Jason wrote, “This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.” He had a false expectation of privacy, and because the traffic was unencrypted, anyone on the network path could read it too. See below:
This is big: with Android 4.4 KitKat, Google opened up NFC card emulation to ordinary Android apps (host card emulation, or HCE), rather than restricting it to applets running in the tamper-resistant secure element. The NFC controller routes a reader's commands to whichever app has registered the selected application identifier (AID), and the app answers from the host operating system.
What it means: any issuer, developer, third party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that presents card credentials to the NFC controller and lets the user pay with them at a contactless terminal. This might mean that traditional trusted service managers (companies authorized to provision the secure element on the mobile phone, like Gemalto, FirstData, CorTSM, etc.) face fierce competition from anyone who wishes to provision cards to the phone. Mobile network operators can now easily be cut out of the payment chain, too. The trade-off is that credentials presented by an HCE app live in application memory on the host OS rather than in tamper-resistant hardware, so the security of such a wallet rests on what the app stores (a payment token and short-lived keys rather than the real card number) and on the integrity of the phone itself.
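To make the exchange concrete, here is an added example (not code from the original post, and not Android's own API) that simulates offline what an HCE wallet app does on the device: the reader sends an ISO 7816-4 SELECT-by-AID command, the emulating app answers only if that AID is one it registered, and a follow-up command then fetches the credential. On a real device the app would extend `android.nfc.cardemulation.HostApduService` and implement `processCommandApdu`; here the class `HostCardEmulator`, the AID `F00102030405`, the GET DATA command used to fetch the token and the sample token value are all assumptions made for the example. The status words are the real ISO 7816-4 values.

```python
"""Offline simulation of an Android 4.4 host-card-emulation (HCE) APDU exchange.

Added example: the class below stands in for an app's HostApduService; the
reader-side helpers stand in for a contactless terminal.  Nothing here talks to
real NFC hardware.
"""
from dataclasses import dataclass, field
from typing import Optional

# ISO 7816-4 status words (real values).
SW_OK = b"\x90\x00"
SW_WRONG_LENGTH = b"\x67\x00"
SW_CONDITIONS_NOT_SATISFIED = b"\x69\x85"
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
SW_CLA_NOT_SUPPORTED = b"\x6e\x00"

# Hypothetical proprietary AID for the wallet app (leading 'F' nibble marks the proprietary range).
WALLET_AID = bytes.fromhex("F00102030405")
# Constructed sample credential: a payment token, deliberately not a real card number.
SAMPLE_TOKEN = b"TOKEN-0001"


def build_select(aid: bytes) -> bytes:
    """Reader side: SELECT by DF name (CLA=00 INS=A4 P1=04 P2=00), case-4 short APDU."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def build_get_data() -> bytes:
    """Reader side: hypothetical GET DATA (CLA=00 INS=CA) used after SELECT to fetch the token."""
    return bytes([0x00, 0xCA, 0x00, 0x00, 0x00])


def parse_apdu(apdu: bytes):
    """Split a short-form command APDU into (cla, ins, p1, p2, data); reject malformed lengths."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if len(body) <= 1:                      # case 1 (no body) or case 2 (Le only)
        return cla, ins, p1, p2, b""
    lc = body[0]
    if len(body) not in (1 + lc, 2 + lc):   # case 3 (Lc+data) or case 4 (Lc+data+Le)
        raise ValueError("Lc does not match body length")
    return cla, ins, p1, p2, body[1:1 + lc]


@dataclass
class HostCardEmulator:
    """Stand-in for an app's HostApduService.

    `aids` maps each AID the app registered to the credential it exposes under it.
    As on the real platform, that credential sits in ordinary app memory on the host
    OS, not in a tamper-resistant secure element; that is the HCE trade-off.
    """
    aids: dict
    selected: Optional[bytes] = None
    log: list = field(default_factory=list)

    def process_command_apdu(self, apdu: bytes) -> bytes:
        try:
            cla, ins, p1, _p2, data = parse_apdu(apdu)
        except ValueError:
            return SW_WRONG_LENGTH
        if cla != 0x00:
            return SW_CLA_NOT_SUPPORTED
        if ins == 0xA4 and p1 == 0x04:       # SELECT by AID: the routing the platform does per app
            if data in self.aids:
                self.selected = data
                self.log.append(("select", data.hex()))
                return data + SW_OK          # echo the selected AID as a minimal FCI
            self.selected = None
            return SW_FILE_NOT_FOUND
        if ins == 0xCA:                      # hypothetical GET DATA: only valid after a SELECT
            if self.selected is None:
                return SW_CONDITIONS_NOT_SATISFIED
            self.log.append(("get_data", self.selected.hex()))
            return self.aids[self.selected] + SW_OK
        return SW_INS_NOT_SUPPORTED

    def on_deactivated(self) -> None:
        """Field lost or routing moved to another AID; mirrors HostApduService.onDeactivated()."""
        self.selected = None


def terminal_session(emu: HostCardEmulator, aid: bytes) -> Optional[bytes]:
    """Reader side: SELECT the wallet, then fetch its token. Returns the token or None."""
    resp = emu.process_command_apdu(build_select(aid))
    if resp[-2:] != SW_OK:
        return None
    resp = emu.process_command_apdu(build_get_data())
    if resp[-2:] != SW_OK:
        return None
    return resp[:-2]


if __name__ == "__main__":
    emu = HostCardEmulator(aids={WALLET_AID: SAMPLE_TOKEN})
    print("known AID   ->", terminal_session(emu, WALLET_AID))
    print("unknown AID ->", terminal_session(emu, bytes.fromhex("F0FFFFFFFFFF")))
```

The point to take from the simulation is the last step: whatever `GET DATA` returns is entirely under the app's control, with no hardware mediating access to it, which is why HCE wallets are built around tokens and short-lived keys rather than the real card number.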
I am about to kick off my next Forrester research on targeted attacks. Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview of the tone of this research, please see one of my previous blog posts: "Kim Kardashian and APTs."
Vendors: The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow-on Waves or Market Overviews in the future.
Enterprises: If you would like to give us feedback on your experience defending against targeted attacks, we would love to hear from you. If you purchased a magic anti-APT box and it is (or isn't) living up to your expectations, let us know. We are currently scheduling research interviews, and they are open to more than just Forrester clients: if you aren't a client and would like to participate, we will provide you with a complimentary copy of the final research upon completion.