Coalfire Systems’ IT infrastructure security consultant Andrew Barratt has stated that legacy Windows XP systems that are not connected to the internet – such as ATMs and other customer kiosks – are just as dangerous to IT users as networked systems.
Barratt’s comments came in reaction to Computing’s interview with KPMG executive CIO advisor Mark Carter, in which he suggested that such “unintelligent systems” caused little risk, the main problem being “people accessing the internet” on connected systems.
“The ‘It doesn’t face the internet’ argument is a flawed one for businesses concerned about criminal activity. If there is a way out, there can be a way in,” Barratt told Computing.
Barratt claims that “a quick search” using the computing-device search engine Shodan “shows close to 4,000 devices with an XP signature”, many of which are only “thought to be ‘not connected to the internet’ or ‘not internet facing’”.
“Other types of attack are also attacking the OS; USB ATM attacks are now starting to be circulated as viable, Stuxnet was deployed via USB albeit with significant insider effort,” he continued.
According to Barratt, insider threats have the potential to cause significantly more harm and “even physical damage” once “the soft inner layer” no longer receives vendor security patches, as will be the case for Windows XP, for which Microsoft ends support in April 2014.
“Attacks focusing on the browsers, user error or other applications that can connect out to the internet will be the preferred vector,” he said.