Every few years, Microsoft causes some panic across industry sectors by announcing the end-of-life of one of its older Windows operating systems.
In this case, Windows 7 is going “end of life” on Jan. 14, meaning Microsoft will no longer be regularly updating the system with fixes when a security vulnerability is found. The company is urging users – both consumer and enterprise – to update their systems to the latest operating system: Windows 10.
As the weeks tick down until the deadline, the question becomes: how big a security threat is this? We’ve seen the real-world attacks that can come from unpatched vulnerabilities in an out-of-date operating system. There are also valid reasons an organization could choose to hedge its bets and not upgrade. Ultimately, it is a conversation about risk, and more specifically, about how much risk an organization is willing to assume in the face of a potentially costly or complicated upgrade.
WannaCry is a perfect example of the devastating effects an unpatched, out-of-date operating system can have. The attack leveraged the EternalBlue vulnerability as an entry point, then spread laterally across organizations. Microsoft had issued a patch, but organizations that hadn’t applied it, or that were running out-of-date operating systems like Windows XP, were still vulnerable. WannaCry went on to infect companies of all sizes and industries around the world, causing millions of dollars in damages. In some cases, organizations did not even realize their operations still relied on Windows XP until an infected machine seized up somewhere, causing disruptions. Microsoft ultimately stepped in and issued an unusual emergency patch for the operating system.
There are still at least 0.1% of devices running Windows XP among the 10 million devices in the Forescout Device Cloud, an anonymous repository of real-time data on devices running in enterprises around the world. While that percentage may seem small, it still means at least 110,000 devices that could leave an organization vulnerable, and this data represents only a sampling of the industry as a whole. That is shocking because it comes after months of news stories about attacks like WannaCry and others that leverage known vulnerabilities on older operating systems. In the last year, Forescout has identified at least one device vulnerable to WannaCry in 80% of our new customers. And, as we have witnessed, it only takes one entry point for a bad actor to find their way into an organization.
On the other hand, there are multiple factors that could lead an organization to pass on an upgrade, even if the operating system poses a security risk. For instance, the device may be running critical software that won’t work properly on a more recent version of Windows. If that software is critical to business functions, then you have to weigh the security risk a legacy operating system might pose against the business need for that software. In addition, updating those systems may also void the device’s or software’s warranty.
This is especially prevalent in specialized industries like healthcare, where devices may be running modified versions of an operating system. That sector currently runs by far the largest percentage of devices running Windows 7 of any industry, according to the Forescout Device Cloud, with more than 10% of devices in healthcare organizations running the system. The next highest percentages come in government, financial, and entertainment.
Organizations also need to consider the potential downtime involved in an update. As much as we would like these systems to update instantaneously, realistically it can take hours or even months per device. That might be an annoyance for some, but if it’s a critical device at a utility company or a lifesaving machine at a hospital, that downtime could prove problematic or even catastrophic.
As the pace of hardware and software refresh rates increases across PC, mobile and other platforms, security becomes even more of a “change management” exercise – determining which updates to deploy where and why. For CISOs, or even just a consumer who is still running Windows 7 at home, this is really a conversation about risk. They will need to weigh the cybersecurity benefits of an up-to-date operating system against the challenges posed by upgrading existing systems. If they accept the risk of the unsupported operating system, then they should also consider tools to help them mitigate or balance that risk.
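The per-sector percentages quoted above and the risk conversation they feed start from one basic question: which devices in the inventory are already past their operating system's support date, and which cannot even be classified? The script below is an added example, not Forescout's code or any Device Cloud tooling. It assumes an inventory export of (device id, sector, OS name) tuples, uses a small constructed end-of-support lookup (Microsoft's published dates for Windows XP and Windows 7; the article itself gives only "Jan. 14"), and computes the share of unsupported devices per sector as of a chosen date, while treating an OS it cannot classify as a gap that needs review rather than as safe.

```python
from collections import defaultdict
from datetime import date

# Assumed end-of-support lookup table for this example. Dates are the
# published Microsoft dates; the article gives only "Jan. 14" for Windows 7.
# None means no end-of-support date is applied in this example.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
}

# Constructed sample inventory export: (device_id, sector, os_name).
SAMPLE_INVENTORY = [
    ("hc-01", "healthcare", "Windows 7"),
    ("hc-02", "healthcare", "Windows 7"),
    ("hc-03", "healthcare", "Windows 10"),
    ("gov-01", "government", "Windows XP"),
    ("gov-02", "government", "Windows 10"),
    ("fin-01", "financial", "Windows 10"),
    ("fin-02", "financial", "Windows 10"),
    ("fin-03", "financial", "Embedded RTOS"),  # not in the table: must be reviewed
]


def _as_date(as_of):
    """Accept either a date object or an ISO-8601 string such as '2020-02-01'."""
    return date.fromisoformat(as_of) if isinstance(as_of, str) else as_of


def support_status(os_name, as_of):
    """Classify an OS as 'supported', 'unsupported' or 'unknown' on a given date.

    An OS missing from the lookup table is 'unknown', never 'supported':
    an inventory gap is itself a risk finding.
    """
    if os_name not in END_OF_SUPPORT:
        return "unknown"
    eos = END_OF_SUPPORT[os_name]
    if eos is None or _as_date(as_of) < eos:
        return "supported"
    return "unsupported"


def unsupported_share_by_sector(inventory, as_of):
    """Return {sector: (unsupported_count, total_count, percent)} as of a date."""
    totals = defaultdict(int)
    unsupported = defaultdict(int)
    for _device_id, sector, os_name in inventory:
        totals[sector] += 1
        if support_status(os_name, as_of) == "unsupported":
            unsupported[sector] += 1
    return {
        sector: (
            unsupported[sector],
            totals[sector],
            round(100.0 * unsupported[sector] / totals[sector], 1),
        )
        for sector in totals
    }


def devices_needing_review(inventory):
    """Device ids whose OS cannot be classified from the lookup table."""
    return [dev for dev, _sector, os_name in inventory
            if os_name not in END_OF_SUPPORT]


def exposure_report(inventory, as_of):
    """Per-sector unsupported share plus the unclassified devices, for one cutoff date."""
    return {
        "as_of": _as_date(as_of).isoformat(),
        "by_sector": unsupported_share_by_sector(inventory, as_of),
        "needs_review": devices_needing_review(inventory),
    }


if __name__ == "__main__":
    # Same inventory before and after the Windows 7 end-of-support date:
    # the healthcare share jumps from 0% to 66.7% without any device changing.
    for cutoff in ("2019-12-01", "2020-02-01"):
        print(exposure_report(SAMPLE_INVENTORY, cutoff))
```

Running the report for a date just before and just after Jan. 14 shows the point the article makes about risk growing over time: nothing on the network changes, but the devices counted as unsupported, and the sectors they concentrate in, change overnight. In practice the lookup table would be maintained alongside the asset inventory, and the "needs review" list is the first thing to work through, since an unclassified device is the one nobody knows is still running an old system.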
It is important to note, as well, that the end of life of an operating system, even one as widely used as Windows 7, doesn’t instantly mean unpatched devices will result in a data breach. But without ongoing security updates the number of unpatched vulnerabilities will continue to grow, making any outdated device a greater and greater risk to an organization over time. Having those vulnerabilities doesn’t ensure an organization will be attacked, but it certainly does make it more possible.
Ellen Sundra is the VP of Systems Engineering at Forescout Technologies.