Don't let security reach an end-of-life stage, too
February's Node 4 newsletter
By Dan Bowden, Chief Information Security Officer
All good things must come to an end, the saying goes. While there is certainly room to debate whether Windows XP falls into the “good” category, there’s no denying the second part. Come April, Microsoft will roll out the final patches and security updates and officially put XP to pasture.
For IT professionals, there can be no long goodbye, no wishing for “just one more day.” This is a date for which attackers have long been waiting, and it is our job to make sure that when it comes to our users and our network, the wait has been in vain.
“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares [them],” wrote Tim Rains, director of Microsoft’s Trustworthy Computing group.
“If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a zero-day vulnerability forever.”
Any machine on the University of Utah’s network still using Windows XP after the end-of-support date must be considered a vulnerability. With systems containing valuable research data; private student, staff, and faculty records; and federally protected health information, there is no margin for error.
The Information Security team is working to inventory all Windows XP devices connected to the network. These will be listed as high-risk devices, and an appropriate plan for replacing them or securing them will be implemented. The ISO team understands there may be some difficulty in transitioning older machines and systems away from XP, and there may be some instances where that just isn’t possible. My team and I are here to help.
If you are aware of any physical machines or VMs on campus still running Windows XP, please take the necessary steps to mitigate risk and migrate them to supported operating systems. If you believe your circumstances do not lend themselves to migrating, please contact Colby Gray with the Information Security Office at colby.gray@utah.edu or 587-1179 so that we may assist you in protecting your data from the inevitable threats to come.
We owe it to ourselves, our users, our departments, and the University of Utah to ensure we provide not just a highly functional network, but a safe one as well.