Coalfire Systems' IT infrastructure security consultant Andrew Barratt has stated that legacy Windows XP systems that are not connected to the internet – such as ATMs and other customer kiosks – are just as dangerous to IT users as networked systems.
Barratt's comments came in reaction to Computing's interview with KPMG executive CIO advisor Mark Carter, in which he suggested that such "unintelligent systems" caused little risk, the main problem being "people accessing the internet" on connected systems.
"The 'It doesn't face the internet' argument is a flawed one for businesses concerned about criminal activity. If there is a way out, there can be a way in," Barratt told Computing.
Barratt claims that "a quick search" on Shodan, the search engine that indexes internet-connected devices by their service banners, "shows close to 4,000 devices with an XP signature", many of which are only "thought to be 'not connected to the internet' or 'not internet facing'".
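The "XP signature" Barratt refers to is the kind of evidence a banner search turns up: an SMB native OS string of "Windows 5.1" (NT 5.1 is XP), an IIS 5.1 Server header (IIS 5.1 shipped only with XP Professional) or an NT build number 5.1.2600. The following is an added example, not code from the article or from Coalfire, showing how an asset owner might run the same kind of check over their own banner data. The records are constructed to illustrate the shape of such an export; real Shodan results are not formatted exactly like this, and the list of patterns is an assumption, not an exhaustive fingerprint set.

```python
import re

# Constructed sample records in a Shodan-style shape (ip, port, banner text).
# These are made-up values for illustration only, not real hosts.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 445,
     "banner": "SMB Status: Authentication: disabled\nOS: Windows 5.1\n"
               "Software: Windows 2000 LAN Manager"},
    {"ip": "192.0.2.11", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\nContent-Type: text/html"},
    {"ip": "192.0.2.12", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5"},
    {"ip": "192.0.2.13", "port": 3389,
     "banner": "Remote Desktop Protocol\nNTLM OS Version: 5.1.2600"},
    {"ip": "192.0.2.14", "port": 445,
     "banner": "OS: Windows 6.1\nSoftware: Windows 7 Professional 7601 Service Pack 1"},
]

# Banner fragments that identify Windows XP (NT 5.1). Assumed pattern list;
# extend it for your own environment (e.g. XP x64 reports NT 5.2, as does
# Server 2003, so that version alone is ambiguous and is left out here).
XP_PATTERNS = [
    (re.compile(r"\bWindows 5\.1\b"), "SMB native OS string 'Windows 5.1' (NT 5.1 = XP)"),
    (re.compile(r"Microsoft-IIS/5\.1\b"), "IIS 5.1 shipped only with Windows XP Professional"),
    (re.compile(r"\b5\.1\.2600\b"), "NT build 5.1.2600 (XP)"),
    (re.compile(r"\bWindows XP\b", re.IGNORECASE), "explicit 'Windows XP' string"),
]


def xp_evidence(banner: str) -> list[str]:
    """Return the human-readable reasons a banner looks like Windows XP."""
    return [reason for pattern, reason in XP_PATTERNS if pattern.search(banner)]


def find_xp_hosts(records):
    """Filter banner records down to those carrying an XP signature."""
    hits = []
    for rec in records:
        evidence = xp_evidence(rec["banner"])
        if evidence:
            hits.append({"ip": rec["ip"], "port": rec["port"], "evidence": evidence})
    return hits


def summarize(records):
    """Count how many records and distinct hosts show an XP signature."""
    hits = find_xp_hosts(records)
    return {
        "total_records": len(records),
        "xp_signature_records": len(hits),
        "xp_hosts": sorted({h["ip"] for h in hits}),
    }


if __name__ == "__main__":
    for hit in find_xp_hosts(SAMPLE_RECORDS):
        print(f"{hit['ip']}:{hit['port']} -> {'; '.join(hit['evidence'])}")
    print(summarize(SAMPLE_RECORDS))
```

A banner is evidence, not proof: a load balancer or proxy can present an old Server header in front of a current host, and an SMB OS string can be altered, so each hit should be confirmed against the asset inventory. The point Barratt makes still stands, though: if one of these hosts was believed to be "not internet facing", the fact that a banner was collected at all is the finding.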
"Other types of attack are also attacking the OS; USB ATM attacks are now starting to be circulated as viable, Stuxnet was deployed via USB albeit with significant insider effort," he continued.
According to Barratt, insider threats have the potential to cause significantly more harm and "even physical damage" once "the soft inner layer" no longer receives vendor security patches, as will be the case for Windows XP when Microsoft ends support for it on 8 April 2014.
"Attacks focusing on the browsers, user error or other applications that can connect out to the internet will be the preferred vector," he said.