By Myles Bray, VP of EMEA, Forescout Technologies:
A call to action has been made for IT teams across the globe as Microsoft announced the end-of-life for Windows 7. As a result, many businesses will be asking themselves how worried they should be about this. But what action businesses should take and how can they learn from past mistakes?
To set the scene, Windows end-of-life means that Microsoft will no longer support or regularly update the system with fixes even if a security vulnerability is found. This renders devices still operating on Windows 7 susceptible to attacks. The company has heavily recommended that everyone should update their devices to Windows 10 which will remain secure and have provided free updates for all devices.
Learning from the past
We only have to look back at recent history to see the devastating effect an unpatched or out-of-date operating system can have. In 2017, the NHS and many other organisations were hit by a lethal ransomware attack, WannaCry, which completely halted the operations of hospitals and GP surgeries across the UK. If replicated again in other critical infrastructure sectors it could be catastrophic, causing widespread downtime and even potential risk to life.
The bad actors involved in Wannacry leveraged a vulnerability called EternalBlue and once breached, they laterally moved through the organization’s network to completely disable multiple devices. This was caused by companies operating on unpatched systems like Windows XP. The ransomware took the world by storm and infected multiple businesses of all sizes and across several industries over the globe. This level of attack caused millions of dollars in damages and showed organisations that the knowledge of their own IT was extremely poor as many did not know even know they still ran off Windows XP. Due to the widespread and virility of the attack, Microsoft did step in to supply an emergency patch.
According to government figures, of the 1.37 million PCs and laptops used in the NHS, at least 463,784 are still running Windows 7 with extended support by Microsoft. In fact, healthcare has the largest percentage of devices running off of Windows 7. To most this must seem to be extremely negligent behaviour however there are circumstances where businesses believe it is worth the risk of moving systems outweighs that of an attack. For instance, there might be a particular type of critical software which the entire organisation functions on but it won’t function correctly on the latest version of Windows. Updating those systems could also breach the devices or software’s warranty.
Industries under threat
Specialist industries, like healthcare, will struggle to update their systems as there are devices which will be running a modified version of the operating systems. It has been tracked that 10 per cent of devices in the healthcare industry run on Windows 7. With the end of Windows 7 there is a call to action before another destructive attack hits.
When an organisation undergoes the update, teams want it to be instant. However, the harsh reality is that it can take hours and even months per device. This amount of downtime for updates for most organisations is simply an annoyance but can cause huge issues for life-saving medical devices and manufacturing system controllers such as valves and pumps. This could cause companies to evaluate whether it is worth updating their devices at all and would explain why so many devices in the healthcare industry during the WannaCry attack were operating on Windows XP.
Evaluating risk
The number of updates needed to keep critical systems secure is increasing, with Windows releasing a major update nearly every six months, and the variety of devices adds another level of complication as all of them have to be updated including PC, mobile, mac and multiple other devices. These regular updates turn security into a change management exercise rather than best practice of security. An organisation has to make the decision on whether they should deploy the update and why.
A security team now needs to evaluate the likelihood of an attack and take managed risks. The cost, money and time, of having an up to date system can outweigh the benefits of security especially as there are huge challenges posed by upgrading systems. If an organisation chooses to take the risk of not updating, there is a demand for having a holistic view of all the devices coming into contact with the network.
A cybersecurity solution which provides network visibility and control can be a lifeline to businesses who opt to not update its systems. Being able to track every device to give a true picture of how many devices are still operating on unpatched systems, giving security teams the option to monitor more closely. These types of solutions also can provide enhanced network isolation which can shut down an infected device stopping the bad actors being able to move laterally through the network.
Looking to an unpatched future
When reflecting on the devastating fallout from the WannaCry attack from an unpatched system, businesses might feel that they must update. However, having unpatched devices does not mean that they will be breached. The pitfalls which organisations do fall down on is having unpatched devices combined with not having the correct security systems in place to manage the unpatched devices.
Not updating systems will result in a steady increase of unpatched devices making their way on to the network. While this risk will not set a cyber attack in stone, it will certainly increase the likelihood of one.
Click below to share this article
