Microsoft is terminating support for Windows 7 on January 14th 2020. This should raise alarms for all of its current users: they will no longer be able to patch any new security flaws and vulnerabilities after that date. Or, at least, they won’t be able to without paying Microsoft a hefty fee to patch each new vulnerability which arises. If businesses decide to stick with Windows 7, they’re leaving themselves open to any number of potentially damaging attacks. If they haven’t already done so, they need to think about upgrading now. And, in cases where this isn’t possible, they need to have a solid plan in place to mitigate any future threats.
There are doubts about how seriously the cessation of support is going to be taken by many organisations. There are thousands of machines still running on Windows XP, including 2,300 NHS computers and devices on 318 public sector networks, despite the fact that Microsoft pulled almost all support for the operating system five years ago.
If businesses fail to migrate, like they have in the past, is it really just a case of them burying their heads in the sand? Or are there deeper reasons underlying their decision to stick with an outdated OS? And, crucially, are those reasons strong enough to outweigh the obvious security challenges that lie in wait?
Costs and migration challenges are key barriers to change
Upgrade costs and migration challenges are often cited as key barriers to change. In some businesses, upgrading simply isn’t viable: either they struggle to justify the cost of a company-wide rollout of a new OS, or they work with unpatchable operational technology (OT).
The cost of a mass-scale upgrade may be a bitter pill to swallow but will still be more palatable than the damage that could be caused by a major cyberattack. The threat of such an attack should be of particular concern at the moment: Microsoft recently revealed multiple wormable vulnerabilities within its products, the most famous being BlueKeep. These are critical vulnerabilities which are still waiting to be exploited. For old operating systems, there’s no guarantee of protection. While Microsoft’s BlueKeep patch could be used on an outdated OS, the tech giant did not release a patch for its more recent wormable vulnerabilities.
Microsoft’s approach to patching BlueKeep should be seen as the exception and not the rule. After January 2020, Windows 7 users will have extremely limited powers to protect against new threats like these which have the power to bring networks to their knees. This is a risk which no business can afford to take.
Things are trickier for firms with OT environments, primarily because these systems were built when cybersecurity was not a concern. Once an attacker has accessed an OT network, they can focus on unpatched machines which run Human-Machine Interfaces (HMI), the operator interface systems that often run on Windows machines. Attackers could also focus on Supervisory Control and Data Acquisition (SCADA) machines, as most of these are also likely to be unpatched and may not be properly configured. On top of the innate complexity of these devices and machines, attackers will often deploy defence-evasion techniques in order to avoid detection. They want to guarantee that their operations will keep going for as long as possible – and so do security teams. Plus, OT technology often cannot be taken offline. Even when it can, it’s notoriously difficult to upgrade. In these instances, it’s not the lack of desire that’s impeding change but a series of frustrating practical challenges.
Good planning can help smooth the transition
There will be ways to offer some protection to unpatchable Windows 7 devices. As one example, network-based mitigation alternatives to patching could be used to remediate a small number of vulnerabilities; but because these techniques can’t be applied to the majority of vulnerabilities, they have limited value.
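As an added illustration of that planning step (this is not code from the article or from Skybox), here is a small Python triage script: it classifies hosts in a constructed inventory as still patchable, due for upgrade, or unpatchable and needing compensating network controls, and for the last group it generates rules that confine each exposed service to a management subnet. Host names, services and the management CIDR are constructed; the Windows XP end-of-support date is added from public knowledge.

```python
from datetime import date

# Vendor end-of-support dates. Windows 7's date is the one the article gives;
# Windows XP's (8 April 2014) is the well-known public end-of-support date.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}
# Constructed inventory: an office PC, an OT HMI that cannot be patched or
# taken offline, and a modern host. "exposed" lists (port, service) pairs.
INVENTORY = [
    {"name": "finance-pc-07", "os": "Windows 7", "patchable": True,
     "exposed": [(3389, "rdp")]},
    {"name": "plant-hmi-01", "os": "Windows 7", "patchable": False,
     "exposed": [(3389, "rdp"), (445, "smb")]},
    {"name": "eng-ws-12", "os": "Windows 10", "patchable": True,
     "exposed": [(445, "smb")]},
]

def is_unsupported(os_name, on):
    """True if no public patches ship for os_name on date `on` (EOL day included)."""
    eol = END_OF_SUPPORT.get(os_name)
    return eol is not None and on >= eol

def triage(host, on):
    """'patch': still supported, keep patching.
    'upgrade': out of support and upgradable; migration is the real fix.
    'compensate': out of support and unpatchable (typical OT/HMI); only
    network-level mitigation is left, and it covers few vulnerabilities."""
    if not is_unsupported(host["os"], on):
        return "patch"
    return "upgrade" if host["patchable"] else "compensate"

def compensating_rules(host, mgmt_cidr):
    """Restrict each exposed service on an unpatchable host to a management
    subnet. Plain-text rules, not any particular firewall's syntax."""
    rules = []
    for port, svc in host["exposed"]:
        rules.append(f"allow tcp/{port} ({svc}) from {mgmt_cidr} to {host['name']}")
        rules.append(f"deny tcp/{port} ({svc}) from any to {host['name']}")
    return rules

def plan(inventory, on, mgmt_cidr):
    """Map host name -> (action, compensating rules) for the whole inventory."""
    out = {}
    for host in inventory:
        action = triage(host, on)
        out[host["name"]] = (action, compensating_rules(host, mgmt_cidr) if action == "compensate" else [])
    return out
```

Running `plan(INVENTORY, date(2020, 1, 15), "10.0.100.0/24")` marks the office PC for upgrade, leaves the Windows 10 host on normal patching, and emits allow/deny pairs only for the HMI.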
Businesses need to act now to create a realistic plan for change so that they can properly manage their financial outlay while providing effective protection for their networks and their assets. There are ways to ease the financial burden. One such approach is leasing; this strategy allows companies to spread costs while ensuring that their infrastructure is updated.
With the end-of-life deadline looming, it’s important for affected organisations to decide on a migration strategy and to stick to it. The threat of another WannaCry-style attack is still looming; last year alone, 32 vulnerabilities affected Windows which were similar to those exploited by WannaCry. It’s inevitable that there are more around the corner. Having an up-to-date OS which can be patched is one of the fundamental protections that can be put in place to avoid the financial and reputational fallout associated with such a wide-scale attack. We’re just a few months out from the end of Windows 7: the time to act is now.
Sivan Nir, Threat Intelligence Team Leader, Skybox Security