Businesses have been getting warnings for months about the end of support date for Windows XP. On April 8, Microsoft Corp. will stop releasing patches for XP, and by now, many businesses will have migrated their workplace computers to another operating system (OS) as needed.
But what about the point-of-sale (POS) systems in restaurants and stores? For Christopher Pogue, director of SpiderLabs at Trustwave Holdings Inc., this is a real problem – businesses may be running Windows XP on their payment terminals and may not even realize it, he says.
“POS applications run on top of the operating system … so it may not be on their radar, and they’ve potentially never even looked at it,” he says. “Most people don’t care which OS they’re running – they just want it to work. They’re not intentionally being irresponsible.”
However, the problem is that hackers may be waiting for the sunset date of April 8, having prepared exploits for vulnerabilities they can use to launch 0-day attacks. As Microsoft won’t be patching those vulnerabilities anymore, this could be dangerous for businesses, large and small, that are still using XP at their cash registers.
The best thing to do is to update to another OS – but that may be too expensive and time-consuming for many small businesses. On one hand, having an unpatched OS is just giving hackers yet another way to attack and steal data.
But on the other hand, even with a properly updated, patched, and supported OS, it’s still possible to suffer a data breach, Pogue says, adding he’s seen a lot of them in his 14 years as a forensic investigator.
“Relying upon your OS to be up-to-date is not a silver bullet, and it never has been,” he says. “So if you haven’t updated your OS, I wouldn’t freak out and say the sky is falling, or that this is the next Y2K.”
What it really comes down to is a business decision, Pogue says.
“It’s another expense. Security isn’t their core competency. Their core competency might be making my chicken, fries, and poutine,” he says.
So if an update to another OS isn’t in the works, Pogue says businesses should protect themselves with strong passwords, properly configured firewalls, good network access controls, and all of the other layers that make up a proper security posture.