Sunday, November 2, 2014

It's been a busy October but it is over!

So on top of the regular work activity, I have been trying to put together an active security meetup here in the great state of Connecticut.  Doing that and helping the wife put together our annual Halloween party, has certainly sucked away some vital blog writing time.  But the holiday is over and the next couple are usually pretty tame so back to the keyboard!

So like I said, I have been working on getting some of the security pros in the state out of their corporate offices and into the laid back setting of a meetup.  We had one decent meetup so far and I am planning on finishing out the year with at least 2 more.  I will also be moving many of my security related posts over to the new meetup site - NutmegInfoSec.com.  Along with the main site, we have a meetup group too.  So if you are in the CT area and you want to share your experience with others, feel free to check us out.  We meet once a month, currently at NESIT Hackerspace in Meriden.  We try to have a couple people do short presentations on topics of interest that vary from the typical hackery of pen testing, to defensive strategies as well.  You can also follow us on Twitter @NutmegInfoSec.

So that is all for now, I should have something techie up in a couple days, going to do a short write up on the Ubiquiti UniFi Access Point and if you head over to NutmegInfoSec, there will be a brief post about building your own Tor router using a Raspberry Pi.


Saturday, September 13, 2014

Good on you Microsoft!

So as I began writing this, I sit and stare at my other computer "preparing" to configure Windows after the latest batch of Microsoft updates have been installed.  But I won't let that bother me as it hasn't blue screened...

So in a recent ZDNET article, Microsoft is being held in contempt-of-court for not handing over data, that is stored on servers in Ireland, to US Federal Prosecutors despite a warrant.  So those of us who have worked for/with companies that have an international presence, particularly within the EU, know that it isn't a simple matter of saying "oh we own the servers, so we have the final say in what we do with that data..."  Fortunately/Unfortunately (depending how you look at it), the EU privacy laws are much stronger than most other countries.  So the fortunate part of this is that it puts our wonderful "World Police" mentality into check.  People need to play nice around here, so if a foreign government is willing to work with us on something, then cool.  If not, guess you need to go a different route in the prosecution.

So if Microsoft said, "Sure buddy!  Here you go, all the foreign internetz!"  Then they risk breaking the law in the foreign country.  So damned if you do, damned if you don't.  I once had to do some forensic work on a system in another country.  That branch of the company needed to have their export folks and the privacy law dogs review the system before allowing me to take a forensic image.  Even though we were the parent company, we still had to allow them to approve it.  So it is a sticky matter when dealing with these situations.  The "Unfortunate" part of all this is if one is doing a forensics investigation on something critical like a targeted attack, well time is everything!  Lawyer types are not known for their speedy response on a decision.

So what are your thoughts?  I'd be interested in hearing them.

Wednesday, September 10, 2014

It's Always the User's Fault...

Throughout our career as Information Technology/Security professionals, we have, at one point or another, blamed a user for the problem.  Granted there are some pretty good cases out there where it certainly is their fault; for example, using the CD tray as a coffee cup holder, or spilling soda in the keyboard then denying that they did it, and maybe attempting to fix the problem themselves and only making it worse.  Seriously, one time I was working for a University and I had to come up and check on a staff member's computer.  I look at it and see a bunch of the power cables hanging out of the case.  I look at them and ask if they attempted to fix it themselves, and they straight up denied it.  So yeah we like to blame them for most, if not all of the problems.  In Security we are no better.

The debate is a hot one these past few weeks in light of the latest series of breaches, in particular the celebrity photos being leaked.  Now our first two comments on the matter are usually "You shouldn't take nude photos of yourself with your phone if you don't want it on the internet..." and "Why are you not using strong passwords!!?!?!?!"  To those of us in security, these things are just common sense.  For those not in this particular industry, they put trust in us to secure a system so they don't have to worry about such things.  This is a pretty logical assumption from someone NOT in the security profession.  But we all know better, don't we?  Contrary to popular belief, this is something that was not instantly built into our DNA.  It took years of experience to make us hardened pessimists of all things tech.  We have seen what happens when things don't work right.  We have worked for companies who have cut corners on a product just to get it out the door.  We all know security is looked upon as a cost center, not a revenue driver.  So if it comes down to making a product so simple to use that even the likes of the Kardashians can figure it out, then sometimes security is tossed out.

Can you make things extremely functional without skimping on security?  Certainly!  Is it easy?  Hell no!  But then if it was, many of us would not have jobs.  So how do we fix this?  After all it is a growing problem that doesn't seem to get better despite everything we tweet and post about.  I think first, the mainstream media just needs to stop... seriously, they are horrible at covering these types of news stories.  Rather they need to get more REAL experts to comment and offer sensible recommendations.  The larger news outlets are getting better at it by bringing folks in like Dave Kennedy (TrustedSec) or tapping Dan Kaminsky.  But the smaller stations are really not there.  So if you know folks at your local news organizations, reach out to them and let them know you have the answers!  As for the companies who make these products, well the only way we can help is by taking on the difficult position of working for them and making things right.  Then again, they have to be willing to compensate such positions appropriately.

Ok, I think that is it.  Guess I'll shut up for now.  I have some letters to write to my local news outlets!


Story of an IT Pro: Volume 2 "The Choice"

If you haven't read Volume 1 "The Beginning", check it out now.

So fast forward from that time where I worked in K-12.  I had worked for the school system for a little over 4 years and it was time to move on.  For those that have been in IT for a while, you know that the jobs can get stale which can cause you to burn out.  I was there and it was time to go.  I took a job with a consulting company which offered a nice pay increase as well as possible training opportunities (later I found this to be exaggerated a bit).  The job was a love/like/hate relationship.  I loved the amount of experience I was getting from all the different environments and systems.  I loved that I had people above me that had much more knowledge than I did on a number of related topics.  I liked most of the people I worked with.  I hated the travel.  Now I had an idea that I would be on the road a bit more than a normal 9-5 with a standard commute, but it does drain you and can cause you to make some poor decisions in handling your job.  Now that being said, I still would not have traded that experience.  I think 5 years doing the same job in IT is a pretty good run.  Will I ever take on a job like this again? Certainly not, but I would still recommend that if you are new to the industry, a consulting job will be your best bet to gain a significant amount of experience.  Just do your research on the company beforehand.  That is all I will say on the matter in this post.  I may write something in the future on the topic.

Back to the story... So I was getting burned out and InfoSec was just starting to become a hot topic, at least in my world.  We had one guy in the company that held a strong interest in the art of penetration testing.  Sadly, at this time, there was little call for it.  We mainly did vulnerability assessments since no one wanted to pay for the full penetration test and/or risk having their systems down if we succeeded in the test.  This field of study fascinated me.  So I began doing some heavy research in the topic.  I provisioned some systems in my home lab to play with and started using twitter so I can follow some pros.  I filled my iPhone with all sorts of security podcasts.  I was really into it.  After I learned that with good security, one can eliminate a number of the small day-to-day fires that Sys Admins have to deal with, I made a choice to pursue this as a career.  So I updated my professional development plan and let my manager know this is what I want to do.  And shortly after that, the lead engineer for Security Services gave his notice.  Well I still tried to take on more security related tasks but eventually, it was time to look for something new.

Remember that thing about burning out?  Due to a couple bad calls on my part, it was decided that the company and I were no longer a good fit.  I was able to take a nice semi-paid 3 week vacation before going back to consulting.  I took a job with another consulting company to pay the bills.  But it was not the job I was looking for.  If it wasn't clear, the choice I made was to pursue a career in Information Security.  I really didn't know what that meant exactly.  I did know what I didn't want to do, and that was to have to troubleshoot printer issues forever.  So I was determined to find the job that would support my new goals.  I wanted to find things before they became problems.  I wanted to prevent the common day-to-day fires caused by improper anti-virus software installs and poorly configured firewalls.  During that short stint with that other consulting company, I was presented an opportunity to take on a Security Administrator role in a local not-for-profit insurance company.  So I jumped at it!  You have to do what is good for you.  So you find that new job, write your resignation letter, and part ways...

Continued in Volume 3: Career Advice

Monday, September 1, 2014

Story of an IT Pro: Volume 1 "The Beginning"

So this may or may not turn into a series of posts.  But just in case, let this be the first of that series.  15 years ago when I got into this business, I didn't really think I quite understood just how many different types of jobs existed out there in IT.  I mean, sure, I knew about the help desk and repair jobs (which is where I started).  I also knew about the System Admins and Network/Tel-co groups.  And of course there were the developers.  At the time those were the folks I would curse out on a regular basis for their "crappy app that we were forced to use".   One more note about my past, I was a late bloomer to computers.  I didn't really get into them until college.  Sure we had one in the house  before the days of AOL, but mostly it was a glorified word processor with a couple of games.  We would occasionally use a modem (14.4 kbps baby!) and connect up to the various Bulletin Boards to download the Jolly Roger Cookbook and learn to make all sorts of things; which today would get us on a Terrorist Watch List.

I've always been decent at using tech and gadgets but never really thought of making it a career.  I wanted to do something that would allow me to work outside.  Let's see in Kindergarten I was asked what I wanted to be when I grew up...  Raiders of the Lost Ark had just come out and I was fascinated with the adventures of Indiana Jones.  So naturally my answer was "Archaeologist!" (probably one of the hardest words I had to spell in Kindergarten).  Of course after I learned that you don't get to carry around a bull whip, sport a cool leather satchel, and shoot evil swordsmen in the head, I pretty much lost interest in that.  Towards the end of high school I decided something in the environmental studies field would be fun, National Park ranger to be more specific.  Unfortunately Chem 100 in college sent me off that path and into Business, most specifically Management Information Systems.

VAX 11/780 (image courtesy of http://en.wikipedia.org/wiki/VAX)

By then, though, I had already explored my way around the University VAX system and I even took a job in the Information Systems Computer Repair department.  Apparently I was a natural at this type of work.  The initial job was for an installer, which consisted of bringing a computer to an office and plugging it all in.  Configuration was either done before or after it was installed.  Of course I had to at least make sure it powered up and could access the network.  I did this job for about 2 weeks before I was promoted to a repair tech after discovering a network issue in one of the buildings and troubleshooting it down to a bad port in the network closet with the assistance from the Tel-co folks.  After that I had a number of different challenges which got me noticed by the Systems office.  I was promoted to a position with the guys who basically controlled the access to the network and all the systems that ran on it.  The new boss continued to challenge me with a number of tasks from migrating the university staff from the VAX email to Microsoft Exchange 5.5, to creating a back-end database and query for user look-ups so people can verify who they were before resetting a forgotten password.  By this time the only programming I had done was in the MIS Intro to Programming course.  So this was certainly one of my toughest projects.  I worked on that part and another MIS student created the front-end app the Computer lab used to let students change their passwords.  I also re-purposed the app so the help desk could verify staff when they called in.  In hindsight, I should have kept learning more about the developer side of IT back then, considering what I do now.

Eventually I had to start prepping for the real world.  Luckily I had a good amount of experience from working at the university.  I was able to take a Co-operative education job doing Systems Admin work in a Novell/Windows environment (with a little bit of Lotus Notes thrown in for good measure), which then led me back to the education world managing the network and systems for a K-12 environment.  So this is all leading somewhere, honest!  Make a note of the comment I made about developers earlier in the story...

Continue in Volume 2 - "The Decision"

Saturday, August 2, 2014

The Value of a Masters Degree in InfoSec

I was up extra early this morning and decided to comb through the twitters.  I came across a tweet from Troy Hunt asking our opinion for a comment made on one of his blog posts:
So of course I had to see for my own eyes.  I suggest you should too...  right now, I'll wait...  Done?  Good, now this is the sort of thing that just makes me sad for the future of InfoSec.  Do I think Master's degrees are good?  Sure, any education is usually not bad.  It makes us all a little more knowledgeable, and sparks new ideas.  That is, of course, if we already have a bit of experience in our field of study.

So most of us in the profession have probably obtained at least a BS in some Computer Science or Information Systems degree.  We then worked to get an internship and eventually some job in our field of study.  Somewhere down the line we learned a whole lot about how to break stuff as well as fix said broken stuff.  And after many long nights of figuring out why MS Exchange decided to throw up all over the datacenter, we got good at our job.  So good, we figured out how to prevent others from breaking our stuff.  After years begging management to give us more budget, or recommending to customers to implement new security measures, we decided to move on (that is a story all its own).

Somewhere during our early careers, we decided to build our own home labs using spare parts or inexpensive eBay hardware.  We did this because, like most other important things, training wasn't in the budget.  So we stood up our own Exchange servers or Web servers in order to prepare for inevitable migrations.  Then we discovered other benefits of these labs. We could break things here and no one cares.  So we did it on purpose and learned that we could make the computers and software do our bidding.  Now, in the age of the breach, we are being paid pretty well to break stuff for a living.  Hell those same managers and customers from before are now paying us double or triple our previous salaries, just to tell them the same things we told them 15 years ago.

But there is a reason for that, we know what we are talking about.  We have always worked to educate ourselves on our profession (and sometimes hobby).  This means we studied on our own time, sometimes took training on our own dime, and kept up on the cyber crime (I couldn't resist).  We take jobs to keep the mortgage/rent paid (my last job).  And sometimes we get lucky and fall into something awesome (my current job) that allows us to possibly shape the future in our field. Do I get to do everything I want right now at work?  No, but that is OK.  I am working in technologies that I never thought I would 15 years ago.  We adapt to the situations that we find ourselves in.  That is what makes us good at our jobs.

Now back to this guy asking about SQLi when going for a Masters in Cyber Security...  So I was poking around at some local programs here in Connecticut.  Sacred Heart University (SHU) has one such program.  Besides the obvious  requirement of a bachelor's degree, you need to have taken CS 504 Intro to Programming Using Scripting, and CS 505 or 339 Computer Networks.  You can view the full outline here.  Now granted those pre-reqs are not bad.  CS 504 teaches you about Python, Perl, Ruby, etc... And CS 505 teaches you about networking, which is pretty valuable knowledge. Then you get thrown into things like digital forensics, Crypto, Securing the Cloud, Vulnerability Management...  You have the link, you can look at the rest.   My point is, by the time you decided to go for a Masters, hopefully you have been working a little in the related field.  Information Technology, as well as Information Security, is not a profession you go into just for the paycheck.  Granted it is a very nice bonus, but to succeed here, you need to keep sharp!  If you are wondering what SQLi is all about?  Go download one of the many vulnerable web app distros and find out!  Go to Security Tube and watch videos on the topic.  There are a ton of resources out on the web that will help you to your goal.  Google is the InfoSec Pro's best tool as well as some type of desktop virtualization platform like VirtualBox or VMware Player (both free).

So why does this irk me so much, well I feel that these programs will create a pool of very useless managers.  They may know all the buzz words, but not have any real life experience with it.  It takes years to build a solid base on just regular IT material.  If you have never stood up your own mini-datacenter, or written an advanced web or desktop application, then you will never truly understand the topics in InfoSec.  There are over 94000 holders of the CISSP in the world.  Of those that I have met, only a very small fraction actually know, and have applied the controls covered in the certification.  The rest got it because their company said they had to, and bought up all the seats in the class.  Over the next few years we will probably see a similar growth spurt of newly decorated "Masters" of Cyber Security.  If they are of the caliber seen in Troy's blog post, then I am just going to stop all this and become a hermit.  Or move somewhere tropical and spend my remaining days on the beach.

Well that is enough ranting for a Saturday, need to get back to loading up the newest addition to the home lab and break stuff!

Friday, June 27, 2014

The Cinnamon Snot Ball

So here is a quickie as I stare at the BrainDrool time line and realize I have been slacking...

I am an avid coffee lover.  If you recall one of my first posts, I wrote about reducing your caloric intake with changes made to your morning coffee in my post simply titled "Coffee..." I mentioned in the post that I enjoy adding cinnamon for both flavor and the health benefits.  At that time I didn't think I would be searching the internet for "Snot ball in my coffee" but here I am now writing about it.

So this is not new apparently.  Some ladies did an experiment on the phenomenon a couple years ago, you can get all the details on the blog post.  It's a pretty good experiment.  So there I am one day, getting down to the last drop of my coffee.  I take a nice big swig of it and suddenly my mouth is full of a big snot-like entity.  Luckily I have a pretty strong tolerance for gross stuff which let me keep it contained until I can get to the sink.  This was in part due to it not tasting bad.  My first thought was that the milk was bad and caused this beast to grow in my coffee.   I unleashed it into the sink and it was not pretty.  A slimy mess of cinnamon and remnants of coffee made its way to the drain.  After verifying the milk was good, I decided to avoid cinnamon for the next couple days.  And my suspicions were correct, no snot monster in my coffee.  After some searching on the internet, I found that this may occur with cinnamon.  It doesn't appear to be harmful and the less cinnamon used, the smaller the blob.  Different brands may also produce different results.  Some suggest to brew the coffee with cinnamon mixed in the grounds, unfortunately that isn't easily done with k-cups.  I suppose you can use the reusable cups that you use with your own coffee, but those are terrible.

So the next time you throw cinnamon in your coffee, just be aware that you may be greeted with an unpleasant surprise.  It won't kill you but it may cause you to hurl if you have a weak stomach!

Wednesday, April 30, 2014

Keeping Your Hyper-V Environment Patched

In the last post I covered a brief overview of Hyper-V vs ESXi.  Today I will share with you my experiences in keeping this environment patched.  Hold onto your seats, this is going to be a wild ride...

So before I go further, I would like to send you over to the following blog - http://windowsitpro.com/hyper-v/easily-maintain-hyper-v-template-image.  John Savill writes up the process pretty well.  His example hints at just doing this in Hyper-V and excludes mention of SCVMM.  This isn't too far off though since, even with SCVMM, performing certain tasks on either the Hyper-V host or the Hyper-V manager app is still much easier than trying to do it in SCVMM.  Also I found that even with the Hyper-V Management feature installed on SCVMM, the PowerShell modules still don't work correctly.  At Step 6, make sure you choose the Generalize option for SYSPREP.  This will make it so the image can be used by SCVMM during the Create Virtual Machine from template.  Otherwise you will get a big ol' error during a build.  Step 8 I ran from the Hyper-V host as it was just easier to keep everything local.  Once the export completed, I copied the file over to the SCVMM Library server directory so it can be connected to the Template Image.  Once that is all set, you should be good to go for building more updated VMs.  It would be best to incorporate this into your patch management process and perform this on a monthly basis.  I'm sure if you are smarter than I, you can automate much of this process.  I am also sure this is documented somewhere in some TechNet blog but probably requires that you are using System Center for patching rather than WSUS.
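The export-and-copy part of this monthly cycle can be scripted on the Hyper-V host. The following is an added example, not code from this post or from the linked article; the VM name, staging folder and library share are placeholders, and it assumes the guest has already been patched and shut down by sysprep with the Generalize option.

```powershell
#Requires -Modules Hyper-V
# Added example, run on the Hyper-V host. Every name and path below is a
# placeholder (assumption), not a value from the post.
$VMName      = 'TEMPLATE-2012R2'                  # hypothetical template VM
$ExportRoot  = 'D:\TemplateExport'                # hypothetical staging folder
$LibraryPath = '\\scvmm-lib\MSSCVMMLibrary\VHDs'  # hypothetical SCVMM library share
$Stamp       = Get-Date -Format 'yyyy-MM'

# The guest must already be patched and powered off by
#   sysprep.exe /generalize /oobe /shutdown
# Exporting a running or saved VM would capture a non-generalized image.
$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.State -ne 'Off') {
    throw "$VMName is $($vm.State); run sysprep /generalize /oobe /shutdown in the guest first."
}

# Stage each month's export in its own folder; Export-VM will not overwrite
# an existing export of the same VM.
$stage = Join-Path $ExportRoot $Stamp
if (Test-Path (Join-Path $stage $VMName)) {
    throw "An export for $Stamp already exists under $stage."
}
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Export-VM -Name $VMName -Path $stage

# Exported disks land under <stage>\<VMName>\Virtual Hard Disks\
# (assumes the template uses .vhdx disks and has no checkpoints).
$diskDir = Join-Path $stage "$VMName\Virtual Hard Disks"
$hashLog = Join-Path $ExportRoot 'template-hashes.txt'

foreach ($disk in Get-ChildItem -Path $diskDir -Filter *.vhdx) {
    $target = Join-Path $LibraryPath ("{0}-{1}{2}" -f $disk.BaseName, $Stamp, $disk.Extension)
    Copy-Item -Path $disk.FullName -Destination $target

    # Confirm the library copy is byte-identical to the export, and record
    # the hash so a later audit can tell whether the template was altered.
    $src = (Get-FileHash -Path $disk.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($src -ne $dst) {
        throw "Hash mismatch copying $($disk.Name) to the library."
    }
    "{0}  {1}" -f $dst, $target | Add-Content -Path $hashLog
}
```

After the copy, the new VHDX still has to be attached to the template in SCVMM, as described above.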

The next post I will have up some steps to easily deploy a VM from template through a script...

Hyper-V and SCVMM not quite ESXi and vCenter

I am a huge fan of virtualization technologies.  I started my days in NT 4.0 and when Virtual PC was released I jumped at the ability to run multiple operating systems without needing to dual boot.  Years later I was able to experience VMware's virtualization platforms.  It wasn't just booting multiple systems, it was streamlining the patching process, moving systems to other physical resources without batting an eye, and even moving them across datacenters to take advantage of off-peak utility rates.  Virtualization has allowed companies such as Amazon, Netflix, and Google to grow into what they are today.  And it has allowed much smaller companies the ability to run enterprise class environments without having to take up real estate in their small server room.  2-3 physical servers could be 20+ virtual servers.

This may or may not be a series of posts related to virtualization, we will see.  But for now it will be some nifty tips and tricks to help you get through using Hyper-V and SCVMM.  For those who don't know, Hyper-V is the evolution of Microsoft's Virtual PC/Server.  It is the hypervisor which is currently in use in their data centers and online service platforms.  From a small business or startup's perspective, it is a very inexpensive way to build your new server infrastructure since Microsoft has a few licensing programs that cater to the small budgets of these types of businesses.  So naturally it makes sense to utilize Hyper-V over VMware's ESXi.

"But isn't ESXi free?"  Glad you asked, yes it is and so is Hyper-V.  Earlier this year Microsoft released Hyper-V Server 2012 R2.  This is their free version of Windows Server 2012 w/ Hyper-V.  Provided you have proper licensing, you can install your Windows VMs on this with no additional cost.  There are some hardware limitations but I won't get into that at the moment.  But this is only for their standalone products.  Managing those systems is a different story.

Here is where the expense comes in (aside from the hardware costs)...  You can install as many virtual machines as your physical host(s) can support.  But to manage all these hosts and support a proper virtual infrastructure, you need the management server.  In VMware's case, this is vCenter.  In the Hyper-V world it is Microsoft System Center Virtual Machine Manager (SCVMM).  I may cover what one has to go through to get this thing running in another post later on.  It was a bit more difficult than getting vCenter running.  The requirements are not all that different, but the implementation is a bit more time consuming.  For example, it is recommended that a separate SQL Database Server be used for storing the Hyper-V information.  You can use the same server, but SCVMM will not install SQL for you.

So to wrap this bit up...  If you are a budding business and need to keep your costs low, going the Microsoft route may save you some money with their small business and startup programs.  There is nothing wrong with that.  If you find you like using Hyper-V, moving it to a more enterprise class environment would not be too difficult.  If you grow to where you can afford VMware, then migrating from Hyper-V should not be too difficult.  You would just convert them using the VMware vSphere converter and do them as physical machines.  Sadly going VMware to Hyper-V is not as easy.  You would need to stand up SCVMM first and incorporate your vCenter server in the mix.  Then you would need to use the MS converter which may or may not work.  I've seen mixed success with it.

In the next post I will cover some tricks about keeping your Hyper-V templates updated...

Tuesday, January 21, 2014

So you got a new computer, what's with all these tiles!?!?

Default new user "Metro" screen for Windows 8.1 
As the expiration of support for XP looms, many people out there are getting new computers, laptops, and even tablets.  If you have been an avid user of XP or Windows 7, then getting that first Windows 8 system is going to be a bit of a shock.  As you can see from the left, that is essentially your "Start Menu."  It is loaded up with all sorts of apps right?  So most of those tiles are actually just internet feed apps.  The tile screen was really designed for touch enabled devices.  My first recommendation for someone asking about a new computer, is to get one with a touch enabled screen.  This will make your Windows 8 experience a much more positive one.  The next thing you can do is clean up the tiles.  Right clicking a tile will cause a selection mode to come up.  You can right click on each tile you would like to "unpin" and select "Unpin from Start."


The next thing you will want to do is upgrade (if it didn't come installed) to Windows 8.1.  This is a free update from Microsoft through their app store (yes they have one too now).  They have a nice step-by-step tutorial here.  This will add some more familiar functionality to the Tile screen and the Desktop.  For example to access applications like the Control Panel, Paint, or Notepad, you can now click on the arrow at the lower left corner of the Tile screen.  From here you can right click any of the listed applications and add them to both the task bar on the desktop screen or as a Tile on the Tile screen.  The other navigation issue is the implementation of hot edges.  I would say corners, but in most cases hovering the mouse cursor over any of the edges on the tile screen and desktop may produce an option to switch from that current screen.  Most new systems will run you through a quick tutorial with instructions on what to do near each of these hot edges.  If you are purchasing from a store, I would recommend having the sales person walk you through the changes in Windows 8 from the earlier Windows versions.

Now why did I recommend getting something with a touch enabled screen?  Well besides the fact that the "LabTab" or "TabTop" (or whatever you want to call it) is making a comeback, Windows 8 is designed for this type of device.  It is meant to be interacted with through a touch screen using your hands.  Swiping and scrolling works much smoother this way.  My wife just recently picked up a Surface Pro, so I was able to play a bit more with the touch features.  It is a bit different using your hands and the stylus than the mouse.  Right clicking changes to a click-and-hold method.  So you click on an icon, selection, or whatever, hold until you see the circle appear, then let go.  You will then see the context menu.  If you have a jittery hand, this can get pretty frustrating and you might switch to dragging icons and tiles all over the place, rather than pulling up the context menu.  The normal navigation around the tablet environment still feels much more natural using your hands as opposed to the mouse.  Another cool feature that is present due to the stylus being added is the handwriting-to-text.  If the new interface is still a bit confusing, then check out their "Help + Tips" app for some visual instructions.

All-in-all it is not a terrible operating system.  From a security standpoint it adds a number of improvements that were not native to Windows 7 and almost non-existent in Windows XP.  The Surface has some nice features as well.  The Stylus is pretty useful, it can also attach on the magsafe power connector (when you are not charging the device).  It has a full size USB port and Micro SD slot.  These come in handy for attaching additional storage.  It also has an external mini-display port in case you want to connect it up to a secondary display.  The only major drawback to the Surface Pro is the limited hard drive size (128GB).  It seems like a lot, but if you are switching from a more full size laptop with a 500GB+ drive, then you may have some issues moving some of your larger files over.

So there you have it, Windows 8 in a nutshell, you even got a bonus mini Surface Pro review.  As always feel free to leave any comments or questions.  Change does suck at times but a little patience and a lot of googling can help you through the transition.  It also helps if you are married to or dating an IT guy/gal.

Wednesday, January 15, 2014

Supporting the Unsupported

http://countingdownto.com/countdown/143839
So the day is coming closer and closer when Microsoft will finally hit the delete button on support for Windows XP and Office 2003.  This means no more updates of any kind.  They are also ending support for Microsoft Security Essentials on XP.  That is Microsoft's free consumer Anti-Virus product.  So what does this mean?

For the home user, there is a pretty simple solution.  If you are still using a computer that is running Windows XP, then it is probably about time to get a new computer.  XP was released to computer manufacturers on August 24, 2001.  Microsoft continued supplying it to system builders through 2009.  So chances are you own a computer that could be anywhere from 4-12 years old. So high time to upgrade wouldn't you say?  Since I am the only IT guy in my family I get all the questions about why a computer is slow or why something isn't working.  If the system is 5 yrs old or greater I will recommend they just get a new system.  Certain things can probably be easily replaced but it will only be a matter of time before the next thing goes.  Eventually the motherboard is next.  Once that goes, you are pretty much getting a new system.  So if you are a home user and still have XP, you may want to update your budget for a new computer in the coming months.  While you are at it, you may also want to make sure you have been backing up your data and that it can easily be restored to a new system.  Unfortunately transitioning off XP to Windows 8 will be a bit of a shock, but it can be done.  I will cover that in another post soon.

For a business, it is a different story.  Many larger enterprises have been working on transitioning off XP for the last couple years.  At this time if you haven't been planning this transition, then you will need to consider some things when April hits.  You will need to determine how many systems are still going to be living on your network at that time and the risks associated with that.  No more security updates means that there is a very good possibility that we will see a huge increase in the number of 0-days released for XP and Office 2003.  So if you still have a need for these products on your network, you may want to consider isolating them off from your critical systems.  You will also need to make sure your security vendors will continue to support them until you can have them decommissioned.  If you can't isolate the physical systems, consider migrating them to Virtual systems that run in a more isolated fashion.  For example, if you have specific users such as Engineers who need legacy software support, consider getting them newer Windows 7/8 systems.  Install a virtualization platform and do a physical-to-virtual migration (P2V) of that legacy XP system.  Change the networking to NAT or Host Only, and test to ensure that their software still functions.  Chances are that if you haven't moved off XP then you probably don't have some of the more advanced security infrastructure in place such as Network Access Control (NAC).  A NAC system can assist in identifying and isolating unsupported systems.  The cost to implement some of these more advanced security measures may easily far exceed that of migrating off Windows XP.  So there is that to keep in mind.  The longer a company waits to do this, the higher that cost will be.
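An added example (not from the original post): after a P2V migration, it is worth verifying that every XP guest really ended up on NAT or Host Only networking.  The sketch below assumes the virtualization platform stores VMware-style `.vmx` files; the file names and contents are constructed samples.

```python
import re

# Constructed sample .vmx files (VMware-style keys; names and values invented).
SAMPLE_VMX = {
    "eng-cad-xp.vmx": 'guestOS = "winxppro"\nethernet0.present = "TRUE"\n'
                      'ethernet0.connectionType = "hostonly"\n',
    "eng-plc-xp.vmx": 'guestOS = "winxppro"\nethernet0.present = "TRUE"\n'
                      'ethernet0.connectionType = "nat"\nethernet1.present = "TRUE"\n'
                      'ethernet1.connectionType = "bridged"\n',
    "lab-xp-p2v.vmx": 'guestOS = "winxphome"\nethernet0.present = "TRUE"\n',
    "win7-build.vmx": 'guestOS = "windows7-64"\nethernet0.present = "TRUE"\n'
                      'ethernet0.connectionType = "bridged"\n',
}
ISOLATED = {"nat", "hostonly"}  # the two modes the post recommends for legacy guests
LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key/value pairs of a .vmx file, with lower-cased keys."""
    pairs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pairs[m.group(1).lower()] = m.group(2)
    return pairs

def exposed_nics(text):
    """List (nic, mode) for each enabled NIC of an XP guest that is not NAT/host-only."""
    cfg = parse_vmx(text)
    if not cfg.get("guestos", "").lower().startswith("winxp"):
        return []  # only XP guests are in scope for this audit
    findings = []
    for key, value in sorted(cfg.items()):
        nic = re.fullmatch(r"(ethernet\d+)\.present", key)
        if nic and value.upper() == "TRUE":
            # Assumption: a NIC with no connectionType falls back to bridged.
            mode = cfg.get(nic.group(1) + ".connectiontype", "bridged").lower()
            if mode not in ISOLATED:
                findings.append((nic.group(1), mode))
    return findings

def audit(vmx_files):
    """Map each file name to its exposed NICs, omitting guests that are fully isolated."""
    report = {name: exposed_nics(text) for name, text in vmx_files.items()}
    return {name: nics for name, nics in report.items() if nics}

if __name__ == "__main__":
    for name, nics in audit(SAMPLE_VMX).items():
        print(name, nics)
```

The second adapter on `eng-plc-xp` is the case to watch for: the first NIC was moved to NAT, but a leftover bridged NIC still puts the guest directly on the production network.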

This is not a new announcement; Microsoft has been trying to end support for XP over the last 5 years.  It was the big enterprise customers that forced them to keep it alive.  Their main reason was that much of their legacy software was not supported on Windows 7 and/or the cost to migrate was too high.  As we like to say in consulting, "Pay me now or Pay more later."  We make recommendations not to fill our pockets, but to ensure that your environment operates at an optimal level to support your business.  If for some reason you did not take our advice at the time it was given, then there is a good chance you will need us to perform an emergency rush implementation of that earlier recommendation.  The increase in cost usually comes from premium rates being used, increased shipping costs for rush hardware, as well as possible additional product support from the vendors.

So you have 82 days left to either finish your Windows 7/8 migrations and test all your software, or use that time to try to isolate those systems until they can be replaced at a later date.  Either way you have some work ahead of you, so I suggest you get started.

UPDATE: On Wednesday (1/15/13) Microsoft announced they will extend support for their Anti-Virus products until July 2015.  Now keep in mind that this does not mean that XP is safe; this will just plug one hole in an already Swiss-cheesed dam.  It is not a difficult thing to bypass anti-virus products on vulnerable systems.  If you are not able to migrate off XP this year then you may want to consider a couple of additional options such as implementing an Application Whitelist solution such as Bit9's Security Platform and/or deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  Another revelation that was mentioned over the last couple of days has been the fact that many ATMs are known to use Windows XP Embedded.  Now the banking regulations require that these devices are not on the internet, but that doesn't make them automatically safe.  There have been a number of stories where thieves were able to get physical access to the system in order to load malware or a secondary operating system via USB.  Again this required physical access to the ATM.  Other critical hardware that relies on XP Embedded includes a number of medical devices and SCADA systems.