Wednesday, February 19, 2014

Eulogy to Windows XP

(The following eulogy was written by Sam Marshall from Treca Educational Solutions.  Enjoy!  -K)


Many of you may have heard that Windows XP will soon see retirement and no longer receive updates or support from Microsoft.  So let’s take a moment to remember Windows XP:


  • When Windows XP was released on October 25th, 2001, President George W. Bush had not yet completed his first year in office.
  • The minimum amount of RAM to run it was 64MB; the iPhone 5s comes standard with 1GB, which is 16x as much.
  • When Windows XP was launched there was no Facebook, Twitter, or Pinterest.
  • Businesses wanting to install Windows XP could prepare 6 FLOPPY DISKS to install the operating system on systems that did not have a CD-ROM drive.
  • By January 2006 over 400 million copies had been sold.
  • Microsoft officially ended sales of Windows XP on June 30th, 2008 -- over 5 and a half years ago!
  • Microsoft has released 3 newer operating systems after Windows XP.
  • Even in 2014 Windows XP is being used on nearly 30% of the world’s computers. Many of these systems are ATMs and point-of-sale devices.
  • Microsoft will end support of Windows XP on April 8, 2014 (less than 60 days away).


Why should you care?


If you, your friends, or your family run Windows XP, know that after April 8th these systems should no longer be considered secure. Microsoft will no longer release security patches or updates for Windows XP. These updates are like vaccines, and Microsoft ending support means no more vaccines will be made to keep your system healthy. (Note: Microsoft is offering some level of continued patching support for businesses, but the price points are punitive. No such support has been planned for individual consumers to my knowledge.)


Sadly, there are no easy solutions. The only options available are to update to a new operating system, or to purchase a new computer if your current one cannot run a newer version.

Sunday, February 16, 2014

Blinded (and Bitten) by Compliance

I have remained silent on issues of security as we entered the new year, and many of my readers have asked me why. With the plethora of merchant breaches that hit the news during the holiday season, surely I had an opinion (or six) on the topic...so why not share them? The reason was simple: there were already so many "experts" and pundits providing comment with minimal information that adding one more voice to the fray would most likely be counterproductive. The merchants who were breached have been vilified in the press and had their collective competence unfairly questioned by far too many people in far too many venues; anything I had to say (and much of it would be favorable to my security brethren) would merely add to the noise...and might be subject to misinterpretation by folks hungering for a story. Still, now that the media drama has subsided and we're into the "what must be done" phase of the crisis, I think it's time for me to come up for air. While I don't wish to continue "making glue" out of well-flogged security issues, there is one area that I believe bears a tad more exploration: the PCI-DSS and its role within payment security.

Earlier this month, Bob Russo of the PCI Council formally responded to criticisms of the PCI-DSS standard in the wake of recent breaches. Mr. Russo reminded nay-sayers that (a) there is no such thing as a silver bullet; (b) the PCI standard represents an "excellent line of defense" in terms of security; and that (c) it is not the job of the PCI Council to enforce merchant or banking institution security. In short: the recent merchant breaches do not represent a failure in the PCI-DSS but rather a breakdown in security controls within the respective institutions.

Hmmm....

I remember working as a CISO in the mid 2000s during the early days of credit card breaches. I remember watching a couple of television commercials sponsored by all five major credit card brands touting the safety and sanctity of credit card payments. Every time I saw one of these commercials I noted to my colleagues that I felt the credit card companies were "running scared" from regulation in light of the then-current state of breaches; I was curious as to what the card brands would propose to fend off the spectre of further regulatory oversight. The very next year, PCI-DSS came into being. More prescriptive and detailed than HIPAA, the PCI-DSS had more teeth than existing federal mandates given the ever-looming possibility of losing the ability to process electronic payment transactions. During this time, the card brands feverishly campaigned to anyone who would listen about how PCI-DSS would collectively raise the bar in how credit card processes were secured and inject peace of mind back into transactions.

The security community willingly and eagerly jumped onto the compliance bandwagon, touting HIPAA, PCI, and GLBA whenever possible. "At last," the community said, "we have a useful arrow in our quiver." Security was either the law of the land or a regulatory requirement for business. We hitched our programs onto these regulations and laws with reckless abandon, eschewing the nay-sayers (yes, I was one of them) who touted the regulations yet cautioned that they could become yet another brand of FUD (fear, uncertainty, and doubt) if we linked our programs too closely to them. Years would pass before we would come to realize that by equating security to compliance we risked watering down our programs to the minimum necessary controls required to obtain a compliant state. It would be even more years before we recognized that the final determination of legal and/or regulatory sufficiency often did not reside within security but with the offices of the corporate attorney.

At the end of the day, any security professional has to agree with the statements made by Mr. Russo. Any assessment against regulation is a point-in-time view of an organization, and while the DSS is an excellent standard it might not be sufficient to ensure security of all critical assets within the environment. Worse, if security controls are not monitored and appropriately enforced, then even the most robust ecosystems will become vulnerable. In defending the PCI-DSS and its viability, Mr. Russo has merely restated a tenet that security professionals started saying en masse several years ago: compliance does not equal security. My minor umbrage, if you will, to Mr. Russo's comments stems from the fact that the security community's late realization of the aforementioned tenet was one of the contributors to the successful marketing of the PCI-DSS as a standard of excellence for security.

One cannot help, as a community, feeling partially thrown under the "blame bus" by an ally.

Mr. Russo's interview should hopefully represent a wake-up call for those still focused on compliance instead of security. Anyone struggling with their leadership to focus on holistic, risk-based security versus compliance should use Mr. Russo's interview as a reminder of the role -- and limits -- of compliance within one's security program.

My two cents...