How to Keep Security on Life Support After Software End-of-Life
It's the end of support this week for Windows 7 and Server 2008. But what if you truly can't migrate off software, even after security updates stop coming?
Support for Windows 7 and Server 2008 officially ends after today. That means shops running anything on these OSes will no longer receive routine security updates and patches. That's significant, because the 10-year-old Windows 7 is still widely deployed: according to Statcounter, it runs on one out of every four Windows machines.
Once the updates stop, threat actors will be watching for targets still running these OSes, because every vulnerability disclosed from now on stays exploitable on an unpatched host indefinitely. (Over 1,000 vulnerabilities were found in Windows 7 last year alone.) Businesses face a very real security risk by using products after support runs out.
But some organizations simply cannot migrate away from unsupported software immediately – and may find they are using unsupported software for many months, years, or even decades to come.
For example, budget constraints may hold back SMBs' migration plans. According to Kaspersky research, 40% of very small businesses and 48% of small and midsize businesses still run operating systems that are unsupported or approaching end of support.
It is even more common in industrial control system environments to find older or outdated software.
That's because migration is not as simple as merely upgrading an operating system or buying a new laptop, notes Jason Christopher, principal cyber-risk adviser at Dragos. Industrial systems are designed for reliability and physical safety — and it takes a considerable amount of time and engineering to upgrade the equipment.
"While traditional IT environments occasionally manage unsupported technology with outdated software, the problem is exponentially more difficult in industrial control systems, as is the potential impact. These devices not only ensure reliability for things like water, power, and manufacturing, but they are also in the field for decades, not years," says Christopher. "Securing these systems, where 24x7 operations is necessary and safety is paramount, becomes more difficult as technology reaches end of life and is no longer supported. This means if a new vulnerability is discovered, you may need to take extra precautions to protect critical systems — without vendor support, in many cases."
If your business counts among the unlucky that are trapped using an end-of-life or end-of-support OS, what can you do in the meantime to protect your environment?
Buy Extended Support
This is probably the least attractive option for companies that are already resource-pinched, but it's certainly the most secure. Enterprise customers have the option to pay Microsoft for extended support through January 2023. However, it's far from cheap.
"Keep in mind that Microsoft usually offers extended support for EOL products beyond the stated public 'free' support," says Roger A. Grimes, data-driven defense evangelist with KnowBe4. "But it's usually very expensive. Like 'don't call unless you are ready to spend $1 million' expensive."
And the price goes up for every year you pay for the support.
"These updates will need to be paid for and will increase in price each year, leading to some hefty bills for businesses that fail to migrate. In fact, when Microsoft ended support for Windows XP, the cost of extended support for an organization with 10,000-plus machines leveled out at just under $2,000,000 a year!" adds Jon O'Connor, solutions architect at Kollective.
Isolate It From the Network
If you can't afford extended support, the next best option, experts say, is to isolate any outdated systems from the rest of your network.
"If it can work as a standalone machine not attached to the network, do that," Grimes says. "If it must be on [an internal network], don't let the [public] Internet reach it. ... If it must be on the internal network, lock down what other devices and ports can be used to reach it. Create a separate VLAN, use a firewall, whatever you can do to isolate it the best, do."
"If your organization is operating with old, decommissioned, and nonsupported operating systems or software that can no longer be patched, you have to isolate those systems on a separate network and control all inbound and outbound traffic via firewall rules to limit the surface layer of attack," adds George Gerchow, chief security officer with Sumo Logic.
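As an added example (not from the article or any of the quoted experts), here is the host-side half of that isolation for a Windows 7 or Server 2008 machine: default-deny in both directions, a single inbound allow for RDP from one jump host, and a single outbound allow to the one server the legacy application needs. The addresses, rule names, and the choice of RDP and TCP 445 are assumptions for the example. It uses netsh advfirewall because the NetSecurity cmdlets (New-NetFirewallRule) do not exist on Windows 7 or Server 2008; run it from an elevated PowerShell prompt on the legacy host. The network-side controls the experts describe (separate VLAN, perimeter firewall, no path from the Internet) still have to be built separately; this only narrows what the host accepts and initiates inside that segment.

```powershell
# Added example, not from the article: host firewall lockdown for a Windows 7 /
# Server 2008 machine that cannot be retired. Assumptions (placeholders):
#   $JumpHost  - the only machine allowed to RDP to the legacy host
#   $AppServer - the only server the legacy application must reach (SMB, TCP 445)
# netsh advfirewall is used because New-NetFirewallRule needs Windows 8 / 2012+.
# Run from an elevated PowerShell prompt on the legacy host.

$JumpHost  = '10.20.0.5'     # assumption
$AppServer = '10.20.0.10'    # assumption
$RuleTag   = 'EOL-Lockdown'  # prefix so the rules are easy to find and audit later

# 1. Firewall on for every profile; drop anything that does not match an allow rule,
#    in both directions. The comma-separated value is quoted on purpose: PowerShell
#    would otherwise split 'a,b' into two arguments before netsh sees it.
#    The built-in "Core Networking" outbound rules (DHCP, DNS) stay enabled, so the
#    host keeps its address; everything else outbound now needs an explicit rule.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'

# 2. Disable the built-in inbound rule groups that expose remote-admin and file
#    sharing surface (the services most post-EOL exploits target). A group that is
#    not present on this edition just prints "No rules match"; that is harmless.
$exposedGroups = @(
    'File and Printer Sharing',
    'Network Discovery',
    'Remote Desktop',
    'Remote Assistance',
    'Remote Administration',
    'Windows Remote Management',
    'Windows Management Instrumentation (WMI)',
    'Remote Event Log Management',
    'Remote Scheduled Tasks Management',
    'Remote Service Management'
)
foreach ($g in $exposedGroups) {
    netsh advfirewall firewall set rule group="$g" dir=in new enable=No | Out-Null
}

# 3. Remove earlier copies so re-running the script does not stack duplicates.
foreach ($n in "${RuleTag}-RDP-In", "${RuleTag}-App-Out") {
    netsh advfirewall firewall delete rule name="$n" | Out-Null
}

# 4. The only inbound path: RDP (TCP 3389) from the jump host, nothing else.
netsh advfirewall firewall add rule name="${RuleTag}-RDP-In" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$JumpHost profile=any

# 5. The only outbound path the application needs: SMB to one server. Anything else
#    the host tries to initiate (including a foothold calling home) hits the default
#    outbound block.
netsh advfirewall firewall add rule name="${RuleTag}-App-Out" dir=out action=allow `
    protocol=TCP remoteport=445 remoteip=$AppServer profile=any

# 6. Verify: every profile reads BlockInbound,BlockOutbound and both rules exist.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name=all | Select-String "Rule Name:\s+$RuleTag"
```

Test from the jump host (RDP should connect) and from any other machine in the VLAN (it should not), and confirm from the legacy host that only the application server answers. Out-of-band patches, when they do appear, are then installed by hand over the RDP path rather than by the host reaching out to Windows Update, which the outbound default now blocks.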
Limit User Access
The next course of action is to restrict access to the outdated system to the handful of users who genuinely need it.
"Do a complete audit of your users and determine who still needs access to that software," says Richard Henderson, head of global threat intel at Lastline. "Perhaps you go so far as to have each user provide justification for continuing to have it. Uninstall the software from those devices that no longer have a need for the software. If use of the product can be limited to a small subset of users, I would seriously consider providing those users with two computers — one that only has the out-of-date tools, which are segmented off the network from the rest of the infrastructure, and a newer machine that they will use for the rest of their day-to-day tasks."
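As an added example (not from the article or from Henderson), the audit he describes, run on one legacy Windows 7 or Server 2008 host: list who is permitted to log on (direct members of the local Administrators and Remote Desktop Users groups) and who has actually logged on interactively in a lookback window, so dormant access can be removed and the rest made to justify itself. The 90-day window and the two group names are assumptions; the 4624 field positions are the Windows 7 / Server 2008 R2 ones. It sticks to PowerShell 2.0 features so it runs on the legacy host itself.

```powershell
# Added example, not from the article: who is allowed onto a legacy Windows 7 /
# Server 2008 host, and who has actually used it. Accounts with access but no
# recent interactive logon are removal candidates; the rest must justify access.
# Assumption: a 90-day lookback. PowerShell 2.0 features only, so it runs on the
# legacy host from an elevated prompt (reading the Security log needs admin rights).

param([int]$Days = 90)   # assumption: unused for 90 days means "no longer needed"

# --- 1. Who is allowed in: direct members of the groups granting console/RDP access.
$allowed = foreach ($groupName in 'Administrators', 'Remote Desktop Users') {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Members are raw COM objects; read ADsPath and Class through reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # WinNT://CORP/alice or WinNT://WORKGROUP/HOST/bob -> last two segments.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Group   = $groupName
            Type    = $class                                   # 'User' or 'Group'
            Account = '{0}\{1}' -f $parts[-2], $parts[-1]      # DOMAIN\user
        }
    }
}

# --- 2. Who actually logged on: Security 4624 with an interactive logon type.
#        2 = console, 10 = RDP, 11 = cached console. Network (3) and service (5)
#        logons are excluded: they do not show a person using the machine.
$since    = (Get-Date).AddDays(-$Days)
$events   = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue)
$lastSeen = @{}
foreach ($e in $events) {
    $p = $e.Properties                      # Win7 / 2008 R2 field order for 4624
    $logonType = [int]$p[8].Value
    if (-not ((2, 10, 11) -contains $logonType)) { continue }
    $acct = ('{0}\{1}' -f $p[6].Value, $p[5].Value).ToUpper()   # TargetDomain\TargetUser
    # Skip machine accounts and built-in principals that are not people.
    if ($acct.EndsWith('$') -or $acct -like 'NT AUTHORITY\*' -or $acct -like 'WINDOW MANAGER\*') { continue }
    if (-not $lastSeen.ContainsKey($acct) -or $e.TimeCreated -gt $lastSeen[$acct]) {
        $lastSeen[$acct] = $e.TimeCreated
    }
}

# --- 3. Join the two views into the audit list.
$report = foreach ($a in $allowed) {
    $key  = $a.Account.ToUpper()
    $last = $null
    if ($lastSeen.ContainsKey($key)) { $last = $lastSeen[$key] }
    if ($a.Type -eq 'Group') {
        # A nested group (e.g. a domain group) hides its real users; audit it separately.
        $action = 'expand: nested group, audit its members separately'
    } elseif ($last) {
        $action = 'keep only with written justification'
    } else {
        $action = "remove: no interactive logon in $Days days"
    }
    New-Object PSObject -Property @{
        Group = $a.Group; Type = $a.Type; Account = $a.Account; LastLogon = $last; Action = $action
    }
}
$report | Sort-Object Action, Account | Format-Table Group, Type, Account, LastLogon, Action -AutoSize

# People who logged on but are not direct members hold access through a nested
# group; listing them shows which nested groups above are actually in use.
$lastSeen.Keys | Where-Object { $k = $_; -not ($allowed | Where-Object { $_.Account.ToUpper() -eq $k }) } |
    ForEach-Object { '{0} logged on (last {1}) but is not a direct member of either group' -f $_, $lastSeen[$_] }
```

The Security log on a default Windows 7 install is small and wraps quickly, so raise its size or forward it before trusting a 90-day window; an account missing from the log is not proof it is unused.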
Watch for 'Out-of-Band' Fixes
Even after a product reaches end of life, some vendors still issue critical fixes, says Dragos' Christopher. So stay on top of vendor news in case an unexpected post-EOL patch becomes available.
"When Windows XP hit end of life in 2014, people thought, 'Well, that's it. It's over.' Yet Microsoft has released two critical patches since then for XP," he says. "While patching is more difficult in industrial control systems, an update like that should make organizations reexamine their security controls for older systems."
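As an added example (not from the article or from Christopher), a fleet check for exactly that situation: once a vendor does ship an after-EOL fix, confirm it actually landed on every legacy host, and flag hosts that nobody can even inventory. The hostnames are placeholders, the EOL date is the Windows 7 / Server 2008 one from the article, and the list of required KB IDs is left empty on purpose, to be filled from the vendor advisory when one appears (the article names no specific update, so none is invented here). It runs from an admin workstation; Get-HotFix -ComputerName uses WMI over DCOM, so the isolation firewall must allow TCP 135 plus the dynamic RPC range from that workstation only.

```powershell
# Added example, not from the article: check a fleet of legacy hosts for the
# after-EOL fixes the vendor did release. Run from an admin workstation that can
# reach the hosts over WMI (Get-HotFix uses DCOM: TCP 135 plus dynamic RPC ports).
# Assumptions: hostnames are placeholders; $RequiredKBs is intentionally empty and
# is populated from the vendor advisory when an out-of-band update ships; the EOL
# date is the Windows 7 / Server 2008 date from the article.

param(
    [string[]] $Computers   = @('LEGACY-HMI-01', 'LEGACY-SRV-02'),  # assumption
    [string[]] $RequiredKBs = @(),                                   # e.g. @('KBnnnnnnn') from the advisory
    [datetime] $EndOfLife   = '2020-01-14'
)

function Test-LegacyPatchState {
    param([string]$Computer, [string[]]$RequiredKBs, [datetime]$EndOfLife)

    $result = New-Object PSObject -Property @{
        Computer = $Computer; Reachable = $false; NewestFix = $null
        NewestFixDate = $null; PatchedAfterEOL = $false; MissingKBs = $null
    }
    try {
        $fixes = @(Get-HotFix -ComputerName $Computer -ErrorAction Stop)
    } catch {
        # Unreachable is itself a finding: an isolated host nobody can inventory
        # is a host nobody is patching.
        $result.MissingKBs = "unreachable: $($_.Exception.Message)"
        return $result
    }
    $result.Reachable = $true

    # Case-insensitive compare of installed KB IDs against the required list.
    $installed = @($fixes | ForEach-Object { $_.HotFixID.ToUpper() })
    $missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_.ToUpper() })
    $result.MissingKBs = $missing -join ', '

    # InstalledOn is sometimes empty in WMI; skip those entries when finding the newest.
    $newest = $fixes | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($newest) {
        $result.NewestFix       = $newest.HotFixID
        $result.NewestFixDate   = $newest.InstalledOn
        $result.PatchedAfterEOL = $newest.InstalledOn -gt $EndOfLife
    }
    return $result
}

$results = foreach ($c in $Computers) { Test-LegacyPatchState $c $RequiredKBs $EndOfLife }
$results | Format-Table Computer, Reachable, NewestFix, NewestFixDate, PatchedAfterEOL, MissingKBs -AutoSize

# Hosts to chase: unreachable, missing a required KB, or nothing installed since
# EOL even though a required after-EOL fix exists.
$results | Where-Object {
    -not $_.Reachable -or $_.MissingKBs -or ($RequiredKBs.Count -gt 0 -and -not $_.PatchedAfterEOL)
}
```

Get-HotFix only sees updates registered with Windows Update / the servicing stack, so a fix applied as a standalone installer or a vendor-specific hotfix for an ICS application will not appear here and needs its own check.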