Tackling the Cyber Risks of Obsolete Software Platforms

Bernard Parsons

More than a decade after launching Windows 7, Microsoft finally ended support for its best-selling desktop operating system on 14 January 2020, writes Bernard Parsons. As with every other end-of-life product, it is worth reminding ourselves that the risks of running obsolete software are significant. The National Cyber Security Centre (NCSC) attributes them to two compounding factors. First, because security updates are no longer issued, any newly discovered vulnerability stays exploitable indefinitely, and the likelihood that attackers learn of one only grows. Second, because older software lacks the latest security controls and protections, the impact of each vulnerability is greater, which in turn makes successful exploitation more likely and detection more difficult.

Right now, the rapid pace of technological change makes even one year ago feel like a different country, and ten years ago almost like a different planet. Most of us would therefore presume that, since the obvious remedy is to upgrade to a newer platform, the risk to most companies is relatively low. Yet with so many businesses delaying that upgrade, the opportunities for attackers are blatant.

I say that because, after all this time, an incredible number of organisations are still using Windows 7 and have not moved on to newer versions. For example, the Data Science team at security ratings company BitSight analysed approximately 60,000 organisations worldwide and found that, in the past two months, almost 70% of them were still using Windows 7 in some capacity. Research by Kollective found that 43% of large enterprises were still using Windows 7 in January last year, although that figure had dropped to 18% by July.

That said, continuing usage rates are thought to be far higher among smaller organisations.

Why persist with a software platform even as it passes into obsolescence? For some, it’s about sweating assets and continuing to run older versions because the business case for investing in newer capabilities is insufficiently compelling. For others, it’s necessary for practical purposes, such as running production applications that are not compatible with newer Windows releases.

No room for complacency

Of course, there will be some organisations that don’t have a sufficiently accurate grasp of their IT estate to confidently say whether they’re running Windows 7 or any other obsolete systems. Before you scoff too loudly at this lack of visibility, consider whether your own house is in order to the extent that you think it is. Does your oversight include the systems and devices used by any trusted third parties such as suppliers that manage services within (or that connect to) your enterprise IT environment?
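As an added example (not from the article or from the NCSC guidance), the following PowerShell uses the Active Directory module to list domain-joined computers whose directory object still reports Windows 7, so that the question above can be answered from data rather than assumption. The 90-day staleness cut-off and the output file name are assumptions for illustration; it needs the RSAT ActiveDirectory module and an account that can read computer objects.

```powershell
# Added example, not from the article: inventory Windows 7 computer objects in AD.
# Assumes the ActiveDirectory module (RSAT) is installed on the machine running this.
Import-Module ActiveDirectory

# Windows 7 reports itself as OperatingSystem "Windows 7 ..." (version 6.1, build 7600/7601).
$obsolete = Get-ADComputer -Filter "OperatingSystem -like 'Windows 7*'" `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled

# Record the full list for the asset register / upgrade tracker (assumed file name).
$obsolete |
    Sort-Object LastLogonDate -Descending |
    Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled |
    Export-Csv -Path .\windows7-hosts.csv -NoTypeInformation

# Objects with no logon in 90 days (assumed threshold) are probably retired machines that
# were never cleaned up; the remainder are live endpoints still running obsolete software.
$cutoff = (Get-Date).AddDays(-90)
$live   = @($obsolete | Where-Object { $_.Enabled -and $_.LastLogonDate -gt $cutoff })

"{0} Windows 7 computer objects in AD, {1} enabled and active in the last 90 days" -f @($obsolete).Count, $live.Count
$live | Select-Object Name, LastLogonDate | Format-Table -AutoSize
```

The OperatingSystem attribute is populated by the client itself, so treat the list as a starting point rather than proof: machines that are not domain-joined, supplier-managed devices and embedded or appliance systems will not appear at all and have to be picked up from DHCP, NAC or vulnerability-scanner data. The same filter can be widened to other platforms that left support on the same date, such as Windows Server 2008 R2, which the article does not cover.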

In any case, the security implications are dire. A single endpoint with an unpatched vulnerability can be enough to compromise an entire organisation, and we know that cyber criminals actively hunt for such endpoints. Once a new vulnerability in obsolete software is discovered it will never be fixed, so it can be exploited indefinitely, and by relatively low-skilled attackers.

Where obsolete software is present, a timely response to security-critical events therefore becomes all the more important in order to stop any compromise from spreading. This places significant demands on already overstretched security teams.

Obsolete systems are also something of a blind spot for the threat researchers who keep anti-virus solutions up to date with the latest signatures. They are far more likely to concentrate the bulk of their efforts on attacks that target modern, mass-market platforms rather than museum pieces.

Convert obsolete client systems

For good reason, the NCSC recommends that obsolete systems be treated as 'untrusted', and that any data or files they process which originate from the Internet be treated the same way (even when they come from a known third party).

One of the specific mitigations recommended by the NCSC is to convert obsolete machines into thin client devices and use them only as an access mechanism to trusted internal services. Web browsing and business productivity applications can then be delivered via web applications or a Virtual Desktop Infrastructure (VDI) environment running a patched, modern browser, so that untrusted content is never processed on the obsolete operating system itself.
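The network side of that conversion, as an added example that is neither the article's nor the NCSC's own procedure: the script below locks a Windows 7 host down so that it can reach only the domain controllers it needs to remain managed and the HTTPS gateway that fronts the VDI or web applications, and accepts nothing inbound. All addresses, ports and rule names are assumed placeholders. It uses netsh because the New-NetFirewallRule cmdlets do not exist on Windows 7; run it from an elevated PowerShell prompt on a pilot machine, then push the equivalent rules by Group Policy.

```powershell
# Added example, not from the article: confine an obsolete Windows 7 host to
# thin-client traffic only. Every value below is an assumed placeholder.
$Gateway = '10.10.0.20'               # assumed VDI / web-application gateway (HTTPS)
$Dcs     = '10.10.0.10,10.10.0.11'    # assumed domain controllers

# Remove the built-in rule set (including the default allow rules) so that the
# explicit allow list below is the whole policy, then default-deny both directions.
# Arguments containing commas are quoted so PowerShell passes them as one token.
netsh advfirewall firewall delete rule name=all
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# DHCP lease renewal: client port 68 to server port 67 (server address unknown in advance).
netsh advfirewall firewall add rule name="TC-DHCP" dir=out action=allow protocol=UDP localport=68 remoteport=67

# Stay domain-joined: DNS, Kerberos, NTP, LDAP/LDAPS, SMB (SYSVOL/GPO), RPC endpoint
# mapper and the RPC dynamic range, all restricted to the domain controllers.
netsh advfirewall firewall add rule name="TC-DC-UDP" dir=out action=allow protocol=UDP "remoteip=$Dcs" "remoteport=53,88,123,389"
netsh advfirewall firewall add rule name="TC-DC-TCP" dir=out action=allow protocol=TCP "remoteip=$Dcs" "remoteport=53,88,135,389,445,636,49152-65535"

# The only application path: HTTPS to the gateway hosting the patched browser / VDI session.
netsh advfirewall firewall add rule name="TC-VDI" dir=out action=allow protocol=TCP "remoteip=$Gateway" remoteport=443

# Verify: only the TC-* rules should now be listed, and all of them enabled.
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name|Enabled|Direction'
```

This is a network boundary, not a cure: the obsolete operating system is still on the machine and still unpatched, so the rules limit where a compromise can spread rather than prevent one. Anything else the host genuinely needs (a software deployment agent, a logging forwarder, a print server) has to be added as an explicit outbound rule to a named address, and remote management is best done by an agent that connects outbound to a management server rather than by opening inbound ports on the obsolete host.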

The approach applies equally to third party organisations where their own devices are used within or to connect to your environment.

Bernard Parsons is CEO at Becrypt

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
