More than a decade after launching Windows 7, Microsoft finally ended support for its best-selling desktop operating system on 14 January, writes Bernard Parsons. As with all other end-of-life products, we should remind ourselves that the risks of using obsolete software like this are significant. According to the National Cyber Security Centre (NCSC), they result from two compounding factors: the absence of security updates increases the likelihood that exploitable vulnerabilities will become known to attackers, and because the latest security controls and protections are absent in older software, the impact of those vulnerabilities is increased, which in turn makes exploits more likely and detection more difficult.
Right now, the rapid pace of change in technology makes even one year ago feel like a different country, and ten years ago almost like a different planet. Likewise, most of us would presume that, given the simple solution of upgrading to a new platform, the risk for most companies is relatively low; but with so many businesses delaying that process, the opportunities for hackers are blatant.
I say that because, after all this time, an incredible number of organisations are still using Windows 7 and have not moved on to newer versions. For example, the data science team at security ratings company BitSight analysed approximately 60,000 international organisations and found that, in the past two months, almost 70% of those companies were still using Windows 7 in some capacity. Research by Kollective found that 43% of large enterprises were still using Windows 7 in January last year, although this figure dropped to 18% by July.
That said, continuing usage rates are thought to be far higher among smaller organisations.
Why persist with a software platform even as it passes into obsolescence? For some, it’s about sweating assets and continuing to run older versions because the business case for investing in newer capabilities is insufficiently compelling. For others, it’s necessary for practical purposes, such as running production applications that are not compatible with newer Windows releases.
No room for complacency
Of course, there will be some organisations that don’t have a sufficiently accurate grasp of their IT estate to confidently say whether they’re running Windows 7 or any other obsolete systems. Before you scoff too loudly at this lack of visibility, consider whether your own house is in order to the extent that you think it is. Does your oversight include the systems and devices used by any trusted third parties such as suppliers that manage services within (or that connect to) your enterprise IT environment?
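A first step towards that visibility is to ask the directory what it believes is in the estate, rather than assuming. The following PowerShell is an added example and is not part of the article, nor code from Becrypt or the NCSC; it assumes a domain-joined estate with the ActiveDirectory module (RSAT) installed and an account that can read computer objects, and it lists every computer object whose recorded operating system is still Windows 7, flagging those that have authenticated in the last 30 days.

```powershell
# Added example (not from the article): enumerate Active Directory computer
# objects that still report a Windows 7 operating system.
# Assumption: the ActiveDirectory module is available and the caller can read
# computer objects in the domain.
Import-Module ActiveDirectory

# The OperatingSystem attribute is populated by the machine itself when it
# joins or updates its account, so it is a reasonable first-pass inventory.
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

# Separate live machines from stale directory objects: a host that has not
# logged on for 30 days may simply be an account that was never cleaned up.
$report = $legacy | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate,
    @{ Name = 'RecentlyActive'; Expression = { $_.LastLogonDate -gt (Get-Date).AddDays(-30) } }

# Show the most recently active hosts first and keep a CSV for the remediation tracker.
$report | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
$report | Export-Csv -Path '.\windows7-hosts.csv' -NoTypeInformation
```

Two caveats apply to what this does not show. Devices that are not domain-joined, including the supplier and third-party equipment the paragraph above asks about, never appear in Active Directory, so this query needs to be complemented by network-level discovery or the asset records held for those parties. The OperatingSystem attribute is also self-reported and only refreshed when the machine updates its account, so treat a stale LastLogonDate as "unknown", not "gone".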
In any case, the security implications are dire. It only takes a single endpoint with an unpatched vulnerability to potentially compromise an entire organisation. We know that cyber criminals will actively pursue them. Once new vulnerabilities in obsolete software are discovered, they can be exploited by relatively low-skilled attackers.
Where obsolete software is present, a timely response to security-critical events therefore becomes increasingly important in order to stop any compromise from spreading. This can place significant demands on already overstretched security teams.
Obsolete systems are also something of a ‘blind spot’ for the threat researchers that keep anti-virus solutions up-to-date with the latest signatures. They’re far more likely to concentrate the bulk of their efforts on attacks that target modern, mass market platforms rather than museum pieces.
Convert obsolete client systems
For good reason, the NCSC recommends that obsolete systems are treated as ‘untrusted’, as should the data and files they process that are sourced from the Internet (even if those originate from a known third party).
One of the specific mitigations recommended by the NCSC is to convert obsolete machines to thin client devices and use them only as an access mechanism to trusted internal services. Web browsing and business productivity applications can be performed via web applications or a Virtual Desktop Infrastructure environment running a patched modern browser.
The approach applies equally to third party organisations where their own devices are used within or to connect to your environment.
Bernard Parsons is CEO at Becrypt