By Charles Leaver

Varied storage media, Windows XP complicate data loss prevention

Consumer smartphones and tablets, and the bring-your-own-device policies that have fueled their advent in enterprises, are the subjects of growing security and compliance scrutiny. At the same time, they may not paint the full picture of corporate data leakage and compliance vulnerabilities, since many organizations, especially in the healthcare industry, still store information on optical media, PCs and other appliances. Additionally, outmoded hardware running Microsoft Windows XP is becoming a lightning rod for zero-day threats that can compromise the entire network, revealing the wide range of challenges currently facing endpoint management.

Locking down a mix of old and new endpoints
Data breaches are not only costly, but also likely to land healthcare providers in hot water with regulators. A recent incident involving the U.S. Department of Health and Human Services and a third-party records management agency resulted in the latter having to pay $1.2 million after it failed to properly erase data from hard drives.

Reporting on the issue for Lexology, Alaap Shah of the law firm Epstein Becker Green pointed out that companies handling protected health information often do not account for the many different endpoints through which that data passes. Examples may include DVDs, email archives, and hard drives, or seemingly innocuous appliances like the photocopiers at the center of the HHS incident.

If administrators do not implement well-designed endpoint security software that tracks leaks and threats across numerous devices, then simply using a secure claims database as the original storage medium will not matter. Encryption and BYOD policies that wall-off legally protected data from personal effects are also vital measures for protecting it from the many individuals and third-party firms that now have access to that information.

Windows XP complicates endpoint security and control
Old storage media and mobile policies are not the only lingering vulnerabilities. Even as it approaches end-of-life on April 8, 2014, Windows XP remains popular 12 years after its original release, powering many mission-critical endpoints. A VMware survey revealed that 64 percent of large enterprises, and over half of midsize outfits, had not migrated off XP.

Microsoft executive Tim Rains advised anyone still on the operating system to immediately upgrade to at least Windows 7 to avoid falling victim to the near-certain proliferation of threats that the company will not patch.

“After April 8, Windows XP Service Pack 3 customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates,” wrote Rains. “This means that any new vulnerabilities discovered in Windows XP after its end-of-life will not be addressed by new security updates from Microsoft.”

Currently, attackers reverse engineer Windows patches in order to discover exploits. While newer versions may receive more hacker attention due to their growing adoption rates, older platforms like XP are usually vulnerable to the same dangers, since they share the same kernel. Catastrophic zero-day exploits can emerge in this context, and in lieu of timely patching by next year, XP “will essentially have a zero-day vulnerability forever,” stated Rains.

Get the General Here