Many government agencies and enterprises are challenged to keep their fleet of computers updated due to costs and complexity. There are security and privacy implications if these computers are running earlier versions of operating systems that are no longer supported by the provider. Futures speaks with regional Computer Emergency Response Teams (CERTs) on why technology refresh is critical and how best to do it to reduce cyber risks.
In the last two months, both Microsoft and Apple have ended support for an earlier version of their operating systems (OS) – Windows XP and Snow Leopard, respectively. Across Asia Pacific, many organizations are left vulnerable to viruses, spyware and other malicious software that can steal or damage their data and disrupt operations.
“You may still be able to run the same applications, access the Internet and perform transactions. However, a malware might be stealing your credit card information and other important data right under your nose,” describes Megat Muazzam Abdul Mutalib, Head of Department, Malaysia Computer Emergency Response Team (MyCERT), CyberSecurity Malaysia, the national cybersecurity specialist agency under the purview of the Ministry of Science, Technology and Innovation Malaysia.
Since previous OS versions become building blocks of newer OS, malicious actors can examine patches for a current OS to uncover weak spots and flaws of earlier OS, a process called ‘reverse discovery’.
“Hackers and developers of malware might reverse engineer Microsoft’s security patches for Windows 7 or Windows 8 to find vulnerabilities that might be shared by Windows XP. They could use it to exploit the OS, thus increasing the security risk associated with XP,” says SC Leung, Senior Consultant, Hong Kong Computer Emergency Response Team Coordination Centre.
The regional CERTs are therefore urging all consumers, businesses and government organizations to migrate their PCs and servers to newer versions of their preferred and supported OS immediately.
For government organizations and enterprises with a huge number of computers running XP, this migration can be a daunting task.
According to Angel Averia, President of the Philippines Computer Emergency Response Team (PhCERT), having a transition management plan is critical to ensure a smooth migration.
“It is common for large enterprises and public sector agencies to have thousands of PCs still on XP. A good transition management plan involves user education before a well-scheduled, phased roll-out,” says Averia.
Since end-user resistance is often one of the key challenges, Averia recommends that organizations should kick off the transition with an awareness-building and training program. “Users have gotten used to Windows XP over time. Before introducing the new OS, make sure that users are trained and equipped to do their job with the new system. This is especially true if organizations are also taking the opportunity to upgrade productivity tools, such as implementing Microsoft Office 365.”
Mutalib of MyCERT echoes Averia’s advice. “Deployment must be in phases. Get a small sample of users to test out the new OS. Check if everything is working and confirm that the required work applications are running well.”
Before deployment, organizations should conduct a comprehensive analysis to avoid any disruption to business. “You should review your operational readiness, make sure that you have all the capabilities to deploy and support the current production environment,” says Mutalib.
“Application readiness is another important area. Review all applications your workforce is using to ensure that they are supported by the new OS. You should also evaluate the impact of a hardware upgrade, Web compatibility, deployment support, impact of data security and manageability of resources,” he continues.
Since migrating a fleet of computers will take time, Leung from Hong Kong Computer Emergency Response Team Coordination Centre suggests taking precautionary measures in the interim. “If a full migration is not possible, organizations should assess the risks and apply mitigation plans. For example, isolate computers with the unsupported OS in a separate network segment, block their access to the Internet, cease the use of old versions of Internet Explorer, limit privileges of user accounts on the system and monitor abnormal activities of these computers.”
Since refreshing IT infrastructure can be costly, Averia of PhCERT believes that it is important to justify the investment to get management’s buy-in.
“Ask yourself these questions: What value does the organization draw from this new investment? Will it result in operational efficiency? Does the new system enable faster or more secure transactions? Does it translate into better service for your customers? Does the security of the system protect your organization’s reputation? If you can justify the investment by creating value and benefiting stakeholders, including investors and shareholders, I think you have a solid business case,” concludes Averia.
Report: Kelly Ng