Three-quarters of organisations still run XP, 64% expect to be attacked

happygeek 2 Tallied Votes 2K Views Share

According to research commissioned by security vendor Bit9 + Carbon Black, nearly half (49%) of the organisations questioned admitted they simply didn't know if their businesses had been compromised or not. This uncertainty regarding cyber-attack detection ability comes in stark contrast to the 32% who confirmed they had been attacked during the previous 12 months and the 64% expecting to be targeted in the next 12 months.

Looking a little closer at the data, when it comes to who might be attacking them, hacktivists on 86% bizarrely came top of the list ahead of cyber-criminals with 77% and disgruntled employees on 61%. If those stats were a little odd, to say the least (hacktivists are the biggest threat to your business, really?) then the ones regarding XP were even more worrying.

Apparently some 74% of the 250 organisations queried were still running machines on Windows XP despite it having reached end-of-life status and the security implications that brings with it. In fact, only 29% of those still running XP had any plans to replace the OS.

One cannot help but wonder if the XP figures are in any way connected to the number of organisations running point-of-sale systems of which less than half were confident they could stop advanced threats or targeted attacks?

hithirdwavedust commented: Oh yes the POS. Hit the nail on the head without a doubt. +0
Reverend Jim 4,678 Hi, I'm Jim, one of DaniWeb's moderators. Moderator Featured Poster

Taken by itself, 64% sounds alarming, but without context it is misleading. Perhaps a similar survey of businesses running Windows 7 would show that 60%, 70% or possibly even 80% also expect to be attacked. Granted, XP is no longer being updated (is that true at the moment for corporate users as well as personal?), but corporations also use other methods of protection such as firewalls, anti-virus, etc., none of which are affected by the ceasing of XP support.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Actually, the 64% stat is all businesses, regardless of OS. The headline refered to the organisations rather than the OS - I just picked the most interesting two stats (IMHO) from the research. Apologies if that led you down the road, not intentional.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I think the fact that nearly three-quarters of those questioned (and the research was of 250 organisations of 250+ seats size in the UK) said they were still running machines on XP within the enterprise. is surprising. With my consultant hat on I expected it to big a biggish number, but not that big. Of course, what the research isn't saying is that that those enterprises are running solely on XP but rather are still using XP on some of their machines which could explain the size of the statistic.

Slavi 94 Master Poster Featured Poster

Is xp proven to be really vulnerable after the support stopped or is it expected to be within 12 months?

Hiroshe 499 Posting Whiz in Training

"64% expecting to be targeted in the next 12 months."

I'm curious as to how they got that statistic. Do you have a link to the study?

Reverend Jim 4,678 Hi, I'm Jim, one of DaniWeb's moderators. Moderator Featured Poster

Apologies if that led you down the road, not intentional.

If I can read it one of two ways it will usually be the other way.

deceptikon 1,790 Code Sniper Team Colleague Featured Poster

Apologies if that led you down the road, not intentional.

Careful there Davey, we might start thinking you're a disingeunous journalist who's into fearmongering. ;)

Ernieway...

According to research commissioned by security vendor Bit9 + Carbon Black, nearly half (49%) of the organisations questioned admitted they simply didn't know if their businesses had been compromised or not.

I'd be shocked and amazed if this weren't an optimistic stat. From my experience with clients, it's probably closer to 80% or 90%. And unfortunately, I'm including financial, medical, and government organizations. :(

Actually, I switched which bank I use due to both being clients. The previous one scared the living fashizzles out of me with their IT policies (or lack thereof) and the current is vastly more sensible.

Apparently some 74% of the 250 organisations queried were still running machines on Windows XP despite it having reached end-of-life status and the security implications that brings with it. In fact, only 29% of those still running XP had any plans to replace the OS.

I'd be curious to know which organizations didn't plan to upgrade. In the last three years, pretty much everyone I've worked with still using XP had plans (often on the short list) to upgrade to Windows 7. Likewise, 2000 and 2003 boxes are usually on the short list to go to either 2008 R2 or 2012.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

@Hiroshe

The report hasn't been published to the public, so no link. The research was conducted by Vanson Bourne, covered 250 UK IT decision makers working in organisations of at least 250 employees, across an array of industries. The nature of the questioning determines the answers, of course, and if anything I'm surprised that only 64% expected to be targeted. That suggests to me the other 36% are living in cloud cuckooland :) Everyone is a target.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

@deceptikon

James, suggesting a journalist could be disingenuous as in "pretending that one knows less about something than one really does" is scandalous. I have never heard such a thing ;-)

hithirdwavedust commented: Journalism exists to remind us that we live in a world of ice cream and lolipops, and is therefore perfectly forthright and transparent. +0
Tcll 66 Posting Whiz in Training Featured Poster

I'm not alarmed at the fact...
I may not be a business, but I don't intend to upgrade to a RAT infested OS at any point in time... heh

I just want to point out, yes, Win7 has basically a built-in RAT, though it's not clear if it's operable as is...
(if not, updates to 7 would make it operable, which would put your entire business's system in the hands of MS)

now, what part of a RAT infested OS is safer than WinXP??

with the right 3rd-party (non-MS) software, you'll be more secure than 7, and definately more secure than 8.

personally I wouldn't want to put any system I own in the hands of anyone, which is why I use XP.

those business's sticking with XP are smart as long as they use multiple well-trusted professional security softwares.
(one database of virus protection is only as good as 5-15 people working on your compy)
^I currently have 2 databases (Avast and Comodo), though they're free, so I'm not sure if the protection is quality...

mike_2000_17 2,669 21st Century Viking Team Colleague Featured Poster

In my lab, we have several computers that run Windows XP. They are all machines that are tied to a particular piece of hardware that they run, and we cannot upgrade the software to run that specialized hardware, and therefore, we can't upgrade the OS. But my university put in a policy, as soon as XP was decommissioned that they would no longer allow any XP box to connect to the internet. So, all of our XP computers now run on closed networks, or I've set up firewalls to deny them outside access when connected to a network that could reach the internet. This is really the most that I can do, since upgrading is not an option.

I would imagine that many businesses are in a similar situation with some computers (maybe even most computers). So, maybe that statistic is a bit inflated by those companies that "still run machines on Windows XP" but keep them in closed networks. People have a tendency to assume that all PCs / computers are desktop computers that an employee is using to check his emails. Under my desk, I have 3 computers (two on XP, one on QNX, all about 10 years old) that only run hardware, no internet connection. In an engineering place I used to work at, they had several computers dedicated to simulation tasks, again, running old systems and on a closed network. Have you ever seen a modern manufacturing plant? There are desktop computers everywhere, mostly sitting in a corner or next to a robot, just running part of the automated manufacturing process, all on a closed network, of course. In other words, if your business is doing something "special", then you are probably using some old systems for those special purposes, and can't upgrade. I don't know how many of those 74% this could account for, but I think it make a visible difference.

That said, that number is high in a scary way.

khakilang -3 Posting Pro in Training

Aren't those organization have some sort of firewall and filtering server?

greenknight 0 Newbie Poster

Any business with Internet-connected computers should expect to be attacked. That only 64% did was what shocked me.

Tcll 66 Posting Whiz in Training Featured Poster

well to point out, how could you not expect to be attacked,
unless that's the side that shocked you, since 46% is quite a staggering number of ignorant XP-using businesses... >.>

I may not own a business, but heck, even I expect to be attacked in my current state alone... :P

greenknight 0 Newbie Poster

As explained in the 3rd post, the 64% includes all businesses, whatever their OS. Still appalling that so many are comepletely clueless about computer security.

MidiMagic 579 Nearly a Senior Poster

Any time you buy a piece of computer controlled hardware, you are usually frozen to using the operating system it was designed for. An OS upgrade usually causes the hardware to malfunction.

This includes cash registers, laboratory equipment, home control systems, and music studio equipment.

It is time to permanently end this mad rush to upgrade. The only way to do this is to require support for all OS versions for at least 20 years (the length of time of long-term scientific studies).

hithirdwavedust commented: Supporting all OSs for 20 years would merely devolve said OS to an overly contankerous, mind-bogglingly bloated wad of rubbish while hindering pertinent new innovation. +0
Hiroshe 499 Posting Whiz in Training

Any time you buy a piece of computer controlled hardware, you are usually frozen to using the operating system it was designed for. An OS upgrade usually causes the hardware to malfunction.

Perhaps if you buy a peice of computer controlled hardware from a company that how no intention of maintaining said hardware after it's release, or a company that is lazy. not all companies are like that though.

I did setup some (somewhat older) equipment for a home music studio for example, and it all works wondefully. Even some of the outdated drivers fit right in.

But, I've also used some equipment as a geotech. It looked like the software was writting in vb6 by a high school student who didn't put effort into his project, and the company had no intention of updating any of the software. That's just the company being lazy and hireing untrained programmers (it seems this is often common in the scientific and engineering industries).

Luckily, it was very easy to reverse engineer it and write a quick replacement.

hithirdwavedust commented: Very realistic problem-solving attitude +0
MidiMagic 579 Nearly a Senior Poster

This is not a matter of how well the software is written or how well the hardware is designed.

It is a matter that Microsoft does not care that its changes to the OS will cause this equipment to malfunction. Microsoft does what Microsoft wants to do.

Often these problems have to do with changes in the timing of the operating system. When DOS was replaced by Windows, almost all of the old real-time hardware was rendered obsolete. Microsoft changed how the OS used the 55ms jiffy timer:

Under MS-DOS, the OS used maybe one millisecond of computer time, and then immediately handed the processor back to the one user application in use. This was the ideal for hardware data acquisition and control (the only better case was the one operating system I know that completely shut down while the application was running - it had no jiffy counter).

Under Windows 3, the OS took an entire 55ms time slice for its own use. This made all of the hardware designed for MS-DOS obsolete, because such hardware expected the application to have control most of the time. The hardware could be accessed only once every 110 ms under Windows, ruining its usefulness.

The developers of Windows told us to use hardware that puts time stamps on the data, recording in the data packet the exact time the event occurred, so it can be sorted out later. But how do you put a time stamp on an outgoing signal telling the equipment, the experiment subject, or the chemical process that it should have started doing something 39 ms earlier than the time stamped signal went out?

How do you monitor a process and immediately issue a corrective measure if a certain combination of events occur together? You have to wait up to 110ms to get the data, then decode the time stamp, and then wait 55ms more for the operating system to send the output.

Later versions of Windows make this even worse, because many parts of Windows get their own time slices (every one of those processes listed in the Task Manager).

The software and hardware developers cannot foresee what Microsoft will do next, so they can't make their equipment forward-compatible.

mike_2000_17 2,669 21st Century Viking Team Colleague Featured Poster

It is a matter that Microsoft does not care that its changes to the OS will cause this equipment to malfunction. Microsoft does what Microsoft wants to do.

That's right on. The cause of a lot of problems with Windows and across versions of Windows is that Microsoft maintains very relaxed standards (by "standards" I mean actual specifications for their APIs and the OS's exact behavior) and versions of Windows can often vary a lot within those relaxed margins. And to make matters worse, Microsoft often decides to redo their APIs or parts of them, and effectively deprecating the older ones, which they drag around half-heartedly to keep some backward compatibility, which is often leaves a lot to be desired.

If you write very specialized software, you simply cannot write it "correctly" according to Windows' APIs, because their specifications are too vague and leave too much uncertainty. The only option is to assume the most likely behavior, test it to confirm your assumptions on specific versions of Windows, and cross your fingers. If people use your software on a slightly different version of Windows, it probably will work alright most of the time, but it could invalidate your assumptions, and break your software. This is the bane of all Windows software developers and maintainers.

When DOS was replaced by Windows, almost all of the old real-time hardware was rendered obsolete.

DOS was an acceptable substitute for a hard real-time system, but only by virtue of its simplicity (no multi-tasking, or only very crude). Windows is not a hard real-time system, and one cannot and should not create hard real-time software for Windows, period.

For such applications, you need to use a hard real-time operating system such as QNX. I've used QNX in the past, and I use it every day now as well, where there is need to run hard real-time software. An alternative that I have used as well is a minimalistic Linux distribution, which has very low latency, high reliability, and hard real-time features (e.g., truly asynchronous operations) can be emulated with good enough results, for less demanding applications.

There is no point in complaining about Windows' latency problems and general lack of real-time features, because it's not a system designed for these types of applications, and should not be used as such. If you have data acquisition and control hardware that needs to run in the kilo-hertz range, then you need a system like QNX. For low sub-kHz ranges, Windows could be used, but I would recommend Linux instead. And for high kHz or more, you need hardware, like FPGAs or dedicated electronics (i.e., DSP chips).

MidiMagic 579 Nearly a Senior Poster

The laboratory hardware was very expensive, and was originally designed for DOS. The problem is trying to use it today. The equipment still works when isolated from a computer, but there is NOTHING available to run it on today for sequenced experiment control.

Because Microsoft has to change things all the time, several hundred thousand dollars worth of equipment can't be used properly.

hithirdwavedust 0 Newbie Poster

I am having a very difficult time conceptualizing why anyone would want to use Microsoft products for scientific purposes. If a hard realtime system is desired certain conveniences of modern mainstream computing are necessarily sacrificed. What is stopping anyone from building their own specialized OS for their particular scientific purpose? Nothing.

Is there a market for a lifetime warranty OS? Sure there is. Is it possible to actually provide a lifetime warranty OS that can indefinitely remain abreast of new requirements to an open market of users? No. Such a warranty is complete science fiction. Demanding that XP be maintained until everyone is ready to stop using it would be like demanding that Ford motors install airbags in all of their antique vehicles.

Let's be happy that XP has been maintained for as long as it has been and that Microsoft has been open enough to tell us that it is no longer being officially supported. If we need to continue to using it, we will have to take personal responsibility for securing it.

An enormous amount of XP business machines are embedded thin client XP hosts running for the sole purpose of providing an environment for point of sale software. These systems are probably most likely the target of the cyber-criminal element described, being situations where successful attacks present the possibility of economic gains. The most significant force I can see mandating upgrades of those systems would be from credit card service companies, and as far as I know nothing of the sort has happened yet.

Many more XP machines are being used by government agencies, science and engineering firms and assorted other situations where data is in some way very important. These situations are more attractive to 'hactivism', where there is some percieved altruistic gain presented by successful attack. If an organization cannot be held responsible for the safety of their data then what is the incentive to make upgrades before suffering a hypothetical attack? This is a matter of risk assessment hopefully evaluated on a case-by-case basis.

Most folks seem to be pretty satisfied to keep things the way that they are until something goes seriously wrong. There will probably be many business running XP for a long time to come and the only thing that might change that is if some gigantic, irrepairable, highly publicized problem actually happens.

oldmrjim 0 Newbie Poster

The issue is NOT Windows XP. Remember most XP machines are 32 bit machines. The issue is the industry applications that were written for 32 bit machines and will NOT run on Windows 7, such as OPTO. It will NOT run on Windows 7! I am experimenting with a free virtual machine on Windows 7 that may permit 32 bit Win XP apps to run on Win 7, 8, or 10.

Tcll commented: are you forgetting about WinXP x64 +0
MidiMagic 579 Nearly a Senior Poster

I really do not care whose products I get, as long as I can get something that I can keep using for the length of a 20-year study.

We did not choose Microsoft because of its properties. We chose the system the lab equipment was originally designed to work with. In 1990, MS-DOS was quite compatible with the equipment, and they sold us computers to use with the equipment.

At that time, computing was not on its mad rush to changing everything every three years. And the company actually sold the equipment with the promise that it could be used for a 20-year study. The company that sold the equipment had no reason to expect that similar computers would not be available as replacements.

The lab equipment we bought in 1990 still works quite well when manually controlled and visually read, but none of the computers it was designed to work with are still available. All of the computers that were originally bought for the purpose failed within 10 years, including the spares bought to ensure a 20 year study. The 20-year study the equipment was purchased for was ended after 10 years because no replacement computers could be found to do the job of operating the equipment.

What happened to that 20-year promise the vendor made? When Microsoft started changing the operating system every 3 years, the company could not keep up. It went out of business.

Now the real question is, how can anyone doing any long-term science buy the computer-controlled equipment needed for a 20-year study and expect to still be using it at the end of the 20 years? One of the rules of any long-term study is that the same equipment (or identical replacement equipment) must be used throughout the study.

How did we do it in the days before PCs? The equipment used to be self-contained. Electro-mechanical timing devices, electronic event-detection circuits, and motorized camshafts were used to control the sequencing of the experiment. But when PCs appeared, lab equipment manufacturers stopped making that kind of equipment. And scientists, used to being able to instantly key in values to change the parameters of an experiment in the DOS era, don't want to go back to the rigidity of changing timing gears in the old systems.

I guess some kinds of science will no longer be done, because there is not enough market for businesses to supply what is needed to do it.

hithirdwavedust commented: I can see how this would be really obnoxious. Here's how to do it in the future: Use your 'replacement computers as 'stand-ins' so that every few months a computer that has been working fine can be swapped out for cleaning, maintenance and diagnostics. +0
Tcll 66 Posting Whiz in Training Featured Poster

Demanding that XP be maintained until everyone is ready to stop using it would be like demanding that Ford motors install airbags in all of their antique vehicles.

no it's not, you could say that if the argument was to install Win7 on Pentium II 400MHz compys, where your airbag would be Win7.

Let's be happy that XP has been maintained for as long as it has been and that Microsoft has been open enough to tell us that it is no longer being officially supported.

How bout nooooooo!
considering how MS is trying to control the market and their users.
(they'll have full control once all marketters upgrade to at least Win Vista)

hope you like MS controlling what marketters can sell.

they also have a button for controlling what software you can install.

If we need to continue to using it, we will have to take personal responsibility for securing it.

at least I can agree with this.

Vista and up does have more secure interfaces, but MS's form of control kindof defeats that purpose, making the newer OS's alot less secure.
(once hackers figure out how to control the MS control interfaces and start controlling everyone)

yet everyone still continues to ignore my warnings because you can't find this anywhere on the net... 9_9

I'm a hacker people, but I don't do the kinds of things the black-hats do.
(you could tell me your bank account information, and I wouldn't even care, I'd never use it as I have no interest in money.)

Many more XP machines are being used by government agencies, science and engineering firms and assorted other situations where data is in some way very important.

now imagine MS with that control.

for what purpose is MS trying to control everything and everyone?
that has yet to reveal itself.

I don't feel safe knowing MS is getting the control they want.
(this also goes for the gov't having counter-control over everyone's personal lives)
^ this may only be good for marketing.

oh god! D:
gov't putting a price on what you put, or are allowed to put on your computer.
let's hope that never happens!
(this was only an idea, not anything talked about.)

I don't ever want to fall in the line to allow that to happen.
_

if you want something safe, Linux is really good, specifically Ubuntu.

I made a mistake of installing Zorin which has alot of useful features removed...
after upgrading to Ubuntu14, I'm still fixing support issues, and still don't have hibernate.
_

paired with Wine, Linux has the support to run most windows programs.
no version of windows has the support to run all of the programs Wine can run.

and to top it off, because you're running linux, of course you even have support for linux programs.

I'd say that's 2/3rds of support MS doesn't have.
_

The only downside to linux...
You NEED technical knowledge as I havn't seen a linux dev work for noobs as of yet.
(everything is expected to be handled via the terminal rather than a GUI)
_

that computer salesman I argued with a while back says linux has a problem with Flash...
the only problem I'm having is with SWF files...
I havn't had any problems with the flash content I've allowed to display in web pages.

EDIT:
I still continue to use WinXP as a testing platform.
I don't care if everyone switches, I don't support bad technology.

if my program doesn't work on your windows, that's your fault for using bad technology.

quote from another forum:

aren't programmers supposed to evolve with the media they are working on?

this is BS
use some common sence people and learn what's right and what's wrong.

hithirdwavedust commented: As much as I appreciate people whom have the gusto to disagree, very little of this post makes sense. +0
MidiMagic 579 Nearly a Senior Poster

Demanding that XP be maintained until everyone is ready to stop using it would be like demanding that Ford motors install airbags in all of their antique vehicles.

It's more like they replaced the road with railroad track, so the old equipment can't use it.

All of that point-of sale equipment was built with a minimal 32 bit on-board dedicated computer that can run XP, but is too small for Vista, 7, 8, or 10. It might even be made with the OS in ROM, as some older equipment was made.

---

Another problem is that the normal development time for hardware and software for equipment run by a computer is longer than the time between successive Windows releases.

I have some software designed for Windows 3 (and a computer saved to run just this one piece of software). I actually got a letter from the company telling me why they were going out of business and why there would be no more updates and bug fixes.

They said that they were still developing the release to run on Windows 95 when Microsoft announced Windows 98 (then called Windows 97). The Windows 3 software would not run on Windows 95, and neither version would run on Windows 97. They each required entirely different hardware and software to work at the speed needed to make the application actually work in real time.

They said that they could not possibly develop updates to the hardware and software at the speed that Microsoft is releasing new versions of Windows. That is why they went out of business.

Windows XP was around long enough for developers to create software-hardware combinations for it. I bought some.

Again, I am hit with the same problem. The company was still developing new equipment and software for Vista and 7 when 8 came out. Again, the company went out of business because it could not produce releases for the current Windows versions while they were still current.

It is impossible for developers to come out with new equipment, software, and updates fast enough to keep up with Microsoft's mad pace.

Now all sales and updates for Microsoft Vista, 7, and 8 have been ended by Microsoft. Microsoft is destroying all possibilities for real-time programs.

Tcll commented: it's that stupid high-resource Aero interface MS wants to use to control everyone. +3
johnruelle 2 Newbie Poster

I still use XP. I would really appreciate it if someone could make a comment on how reliable a good router is in protecting my network. From my studies on routers, they can provide good protection if properly set up.

thanks

Tcll 66 Posting Whiz in Training Featured Poster

I still use XP. I would really appreciate it if someone could make a comment on how reliable a good router is in protecting my network. From my studies on routers, they can provide good protection if properly set up.

thanks

just to let you know, your comment is not ignored ;)

I personally have no experience with safe routers as I hadn't thought any of there were safe...

that said, I'm a nice guy who likes to host open networks for others,
however, I now brutally monitor my network traffic to watch for hackers.
(when I'm hosting anyways)

I had a bad experience back when I tried connecting to a local network and got a rootkit "ZeroAccess" from it... (jsyk this was the first successful network connection)
I had to reinstall because it completely broke the TCPIP interface

Slavi 94 Master Poster Featured Poster

Protection in what way? As in communication to the router? Most routers now AES to encrypt the data, making it for hackers difficult to intercept(Man in the middle attack). If other encrypting algorithm is suggested, I'd advice you just leave it as suggested and go for AES, as thats the standard currently and the best known attacks on it are still practically "impossible". Another issue might be the security protocol used by the routers, the known ones are WEP, WPA and WPA2. WEP has been known to be broken for many many years, I think the world record for breaking it and getting the password to the router is about 7 seconds. WPA was released "quickly" to change WEP, however some flaws were found in it and WPA2 was released fixing those, therefore for security protocol of your wireless router, it is recommended using WPA2.

However, there is something called quick set up, known as WPS, which gives an easy connection to a device that has physical access to a router, as you can just enter a PIN to connect to the router. The problem is that the PIN can be brute forced easily .. there was another problem with the PIN itself which made it possible to brute force WPS in less than 3 hours(3 to 4 hours is average time to break WPS). So I highly recommend you, shutting off WPS option on your router if it is available.

With this said, I am using a TP-link router, 300 mbps bandwidth and I am satisfied with it, only problem I have is that it is vulnerable to WPS(In some routers it works even if its switched off, although I've heard about some firmwares being released to completely disable it but haven't done it myself)

I hope this helped you in anyway, if you have further questions, do not hesitate to post them on DaniWeb

MidiMagic 579 Nearly a Senior Poster

Guess what? The IRS is still using XP, because the development time for a new system is longer than the Windows versions have stayed around.

It should be illegal to discontinue system software just for the purpose of avoiding all of the wasted tax dollars caused by these constant upgrade demands by Microsoft.

Tcll commented: fully agreed, they should rather work on cleaning up support with updates, support both WinAPI AND Aero to it's fullest, and knock out issues where possible. +3
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.