Microsoft formally announced the EOL of XP as of April 8, 2014.  This fact made a splash in the IT/InfoSec community but was quickly buried by the onslaught of Heartbleed traffic that same week.  Now that some of the Heartbleed buzz has slowed, I'd like to highlight a piece of research penned by Visa, a company that has a significant stake in protecting financial assets. Their take is that XP is still deployed on many machines, including two high profile targets for attackers with financial gain on their mind.  The recently released Verizon Data Breach Incident Report showed that while espionage (?!) has gained ground in terms of attacker motive, financial gain is still the motive in nearly 66% of all attacks they researched.  "Follow the money" still rings true.

From the Visa article a few items worth noting:

"According to NCR, the largest ATM supplier in the U.S., over 95 percent of the world's ATMs are running on XP. Migration or upgrading to newer operating systems and hardware has been slow in the ATM industry, leaving thousands of machines to run on the outdated software."

"As of February 2014, Windows XP still resides on roughly 30% of personal computers worldwide."

"Today, many Point-of-Sale (POS) payment applications were programmed to reside on personal computers running XP."

While the number of devices running outdated operating systems is an interesting data point, when you layer on top of that the malware infection rate below from a time when XP was still supported the ATMs and POS terminals are a lucrative, and potentially easy target for attackers.

 

So, what does this all mean?  Understanding what operating systems are on your network is of critical importance to secure your assets and help prevent a breach, and the resulting impact to your organization.  Rapid7 offers ControlsInsight as a way to easily analyze your desktops and quantify the XP desktops out there that may be putting your organization at a higher risk for attack.

 

How are you managing the legacy XP machines on your network?