I’ve heard enough scoffing over the past few days over the Navy re-upping its contract for paid support for Windows XP to last a lifetime.
But it’s not just a Navy problem, and it’s not necessarily as bad a problem as it sounds. Necessarily.
Unlike many organizations–ahem–the Navy arguably has a good reason. Ships get refurbished every 20 years, and that includes the computer systems. Not only are there ships roaming around with XP and 2003 on them, but there are ships with Windows 2000 and even NT4 out there. That’s just always part of the plan, and the Navy has paid support for all of them.
It’s a pain to load all of the patches into SCCM instead of getting them automatically like you do for mainstream supported operating systems, but unlike organizations that are just dragging their feet, the Navy has factored all of that into their lifecycle planning.
The key is to have lifecycle planning. Sometimes organizations have to take their focus off the current quarterly results to plan for the lifecycle of their computer systems, and some organizations are better at that than others. A lot of people forget that even Windows 7 is now six years old and more than halfway through its life expectancy, and some organizations are struggling to migrate to it.
As long as XP is getting some patches, it’s not necessarily the end of the world. XP isn’t as solid from a security standpoint as the newer versions, but it’s not the operating system itself that gets the attacks these days. The attacks come through Flash applets and e-mail attachments, so as long as you’re keeping your browsers, office suite, PDF viewers, Java runtime, and browser plugins up to date, you’re in reasonably good shape. Attacks against the operating system itself tend to come after the initial attack against a particular application, when all the attackers got was a foothold and they need to attack the operating system to get something else.
That’s why I don’t get so worked up over XP. Although I am a little irritated at the questions about the value proposition of Windows 10. The value is that Windows 10 is going to have about a decade’s worth of support on it, and while the transition to any new version tends to have some hiccups, an enterprise can save millions of dollars by starting early. That way, if there are hiccups, there’s time to correct. If you start migrating Windows versions a year or two before end of life, it only takes one or two things going wrong to end up in the same boat as the Navy–except the Navy planned for it, and you didn’t.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.