Tarik Saleh, Senior Security Engineer and Malware Researcher at DomainTools, explains what organisations should do to protect their Windows 7 environment, should they not be able to perform the upgrade before the deadline of January 2020.
Upgrading the operating systems of an entire IT environment is indeed a demanding process which requires planning and preparation. It is, however, something which should be part of any successful cybersecurity strategy, as failing to upgrade can expose the entire network to exploits that would have otherwise been avoidable.
The WannaCry attack in 2017 is a notable example of how things can go wrong when an operating system isn’t updated regularly. Affecting over 200,000 computers across 150 countries, the damage it caused proved so significant that the total cost to organisations and public institutions is still difficult to quantify and remains a highly contentious topic.
The machines infected by WannaCry were either those that had not applied a previously released patch for the exploited vulnerability, or those running an end-of-life Windows operating system for which a patch was not available.
To avoid history repeating itself, the security community is currently focusing on the challenges that will stem from the Windows 7 operating system reaching its ‘end of extended support’ in early 2020, which will leave organisations that haven’t upgraded their systems without free support. Windows 7, despite having reached its 10th birthday this year, is still incredibly popular: a NetMarketShare report found that 39% of PCs are still running on it.
This problem may seem like a no-brainer: organisations should simply make sure they upgrade all their operating systems before they become obsolete. After all, why would they continue to run an out-of-date operating system that is no longer supported by the very company that makes it?
Things aren’t that simple, however. Sometimes business-critical legacy applications and hardware can’t be upgraded or replaced and still need to run on outdated operating systems. Organisations faced with this issue should certainly purchase Microsoft extended support for Windows 7, which will remain available until January 2023, allowing them some breathing room to plan an upgrade strategy.
Even so, continuing to run a Windows 7 environment will inevitably expose businesses to a higher risk of compromise and will require certain security measures to be put in place in order to protect digital assets from cyberattacks.
Organisations that cannot run Windows 10 upgrades should certainly invest in a Machine Learning-powered antivirus tool. With an ever-evolving threat landscape, an effective antivirus can no longer limit its detection capabilities to threats whose signatures have already been observed. Machine Learning-based antivirus tools establish what normal behaviour looks like and are able to flag any activity that is deemed suspicious, such as Microsoft Word using a lot of memory.
Network segmentation can add a further layer of protection: organisations should isolate Windows 7 machines from the rest of their network because of the significant risk they introduce. Should a compromise or infection occur, this would help contain the threat more effectively. The higher-risk workstations should be separated and placed under more stringent security controls.
Upgrading operating systems to Windows 10, however, remains an organisation’s best option to ensure they receive the appropriate security patches and support. Fortunately, according to Microsoft and its Desktop App Assure program, just 49 out of the 41,000 applications that can run natively on Windows 7 will have compatibility issues with the new operating system.
Given that the odds of applications being incompatible with Windows 10 are low, we can surmise that the number of organisations choosing to keep their Windows 7 environment will get smaller as we approach January 2020. Purchasing a new licence can be expensive and running upgrades is time-consuming. The cost of falling victim to the next WannaCry, however, dramatically outweighs these obstacles.
Ultimately, it is in every organisation’s best interest to move to a newer, more secure operating system sooner rather than later. The more Windows 7 machines that remain, the more attackers will be incentivised to exploit their weakened security posture.