The Dangers of End-of-Support Operating Systems

by Sarah Harvey / February 21st, 2019

Computer hardware and software are not built to last forever. End-of-support operating systems are one of the most common vulnerabilities discovered on enterprise networks. Why? Typically, it’s for one of two reasons. First, the organization may simply be overdue for a technology refresh.

Second, end-of-support vulnerabilities can also occur because organizations need legacy software that will only function on an older operating system. Here is some end-of-support guidance for common operating systems.

Do You Have End-of-Support Operating Systems?

What’s classified as an “end-of-support” or “end-of-life” operating system? End-of-support means that the developer of the operating system will no longer provide technical support, and more importantly, will no longer provide updates to the operating system. No more automatic updates, no patches, no help line to call – serious security issues begin to occur because of this.

Take end of support for Windows 7, for example. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. Microsoft has given its users plenty of time and warning of this change, but still, some will stay on the end-of-support operating system. Microsoft does its due diligence by explicitly telling its users, “You can continue to use Windows 7, but once support ends, your PC will become more vulnerable to security risks. Windows will operate but you will stop receiving security and feature updates,” and encouraging them to transition to Windows 10.

During the infamous WannaCry attack, which spread to 150 countries in May 2017, the National Health Service was victimized because of outdated operating systems. BBC reported that before the attack, there was no formal mechanism for assessing whether NHS organizations complied with security guidance from NHS Digital. Critical alerts from NHS Digital and other warnings about the vulnerability of end-of-support operating systems were ignored.

Amyas Morse, Comptroller and Auditor-General of the National Audit Office, said:

“WannaCry was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practices. There are more sophisticated cyber-threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

End-of-Support Vulnerabilities in Action

So what happens when organizations use end-of-support or end-of-life operating systems? Hackers know how to exploit these vulnerabilities, and also know how hard it is to keep an end-of-support operating system secure. End-of-support software brings issues like these to your organization:

  • More Security Vulnerabilities – By using end-of-support software and hardware, you’re putting your organization at a higher risk for exploitation by malicious hackers.
  • Technology Incompatibility – Holding onto end-of-support technology forces you to hold onto legacy software. The newest, more secure applications and software aren’t optimized for end-of-support or end-of-life systems.
  • Higher Cost – If you’re holding out on switching to a new operating system or away from legacy software because of operating costs, you’ve got the wrong mindset.
  • Poor Performance and Availability – Is critical application downtime worth the cost of a software or hardware upgrade?
  • Non-Compliance Issues – Using end-of-support or end-of-life products could endanger the data you are responsible for. How will an auditor or regulator view that lack of effort?

When using an end-of-support operating system, the end user doesn’t have many options to mitigate the threat to their network other than upgrading the operating system. We recommend keeping operating systems up-to-date by performing regular inventory and planning ahead for technology refreshes, so that legacy software migration or other unforeseen issues don’t pose a problem. It’s also helpful to check with vendors and keep up with any news about upcoming changes to the support status of their operating systems.
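One way to turn the regular inventory recommended above into a repeatable check, as an added example that is not part of the original article: the host names, sample inventory, status labels and 365-day refresh window are assumptions, the Windows 7 date is the one quoted above, and the Windows XP date is added here.

```python
import csv
import io
from datetime import date

# End-of-support dates. Windows 7 is the date given in the article; Windows XP
# is added for this example. Extend the table from each vendor's lifecycle page.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
}

# Constructed sample inventory (host names and OS strings are made up).
SAMPLE_INVENTORY = """host,os
hr-pc-01,Microsoft Windows 7 Professional
lab-ctl-02,Windows XP SP3
web-01,Ubuntu 18.04
"""

def classify(os_name, today, refresh_window_days=365):
    """Return (status, days_left) for one reported OS string."""
    name = os_name.lower()
    # Match the longest known product name contained in the reported string.
    matches = [k for k in END_OF_SUPPORT if k in name]
    if not matches:
        # Not in the table: surface it instead of assuming it is supported.
        return "unknown", None
    days_left = (END_OF_SUPPORT[max(matches, key=len)] - today).days
    if days_left < 0:
        return "unsupported", days_left
    if days_left <= refresh_window_days:
        return "refresh-due", days_left
    return "supported", days_left

def audit(inventory_csv, today, refresh_window_days=365):
    """Classify every host in a CSV inventory; worst findings first."""
    order = {"unsupported": 0, "refresh-due": 1, "unknown": 2, "supported": 3}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, days_left = classify(row["os"], today, refresh_window_days)
        rows.append({"host": row["host"], "os": row["os"],
                     "status": status, "days_left": days_left})
    return sorted(rows, key=lambda r: order[r["status"]])

if __name__ == "__main__":
    # Evaluated as of the article's date, so Windows 7 shows as due for refresh.
    for r in audit(SAMPLE_INVENTORY, today=date(2019, 2, 21)):
        print(f'{r["host"]:<12}{r["status"]:<13}{r["days_left"]}  {r["os"]}')
```

Hosts reported as "unknown" are the ones to chase first when extending the table, since nothing has confirmed their support status.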

Want more information on how to secure your network? Contact us today.
