All good (or in some cases bad) things come to an end. In the ever-changing world of technology, this is even more true. As Microsoft (or any other vendor) works on pushing new technology out, they will often mark older operating systems and applications as “end-of-life.” Some organizations, particularly those with a small IT budget that have written custom software which only runs on an unsupported operating system, will be tempted to keep that application or operating system in production even though it is no longer supported. This is a major security risk to your organization and will result in a critical finding during an audit or penetration test. Let’s discuss why.
Ticking Time Bomb
An application or operating system that is unsupported, or end-of-life, means that the vendor will stop providing patches for the system. So when a bug in the software or a security issue is found, there will be no resulting patch to fix the issue. Over time, these issues will compound, effectively leaving this system as a ticking time bomb on your network. In the very early stages of an attack, a hacker will try to enumerate the software and operating system versions on your network. They will then look for vulnerabilities associated with the versions they uncover. In the case of an unsupported operating system, it is typically only a matter of months until that system has an exploitable vulnerability, putting your network at risk. Even if that computer does not have any sensitive data on it (it may just be one in the marketing department, after all), that system can be used as a jumping-off point into the network, giving an attacker the critical point of entry they need. Once the attacker gains control of that system, they can steal credentials (such as the local administrator’s), use it to pivot to parts of the network they otherwise wouldn’t be able to access, or identify information to further attack the network, such as group policy preferences.
Additionally, when an operating system or application is no longer supported, the vendor is less likely to look into and disclose vulnerabilities that are reported to them. This means that there are likely vulnerabilities on the system that are not being reported, unless an ethical hacker finds one and discloses it using the appropriate methods. Currently, these vulnerabilities are shared and sold cheaply on the dark web, leaving your data and systems at risk.
Missing New Functionality
Additionally, the system or application will not benefit from new functionality. When a new operating system or application is released, it includes a whole bundle of new functionality that the previous operating system lacks. These can be useful functions that add to productivity or increase the effectiveness of the system, but they also usually include new security features. This can be something like adding support for multi-factor authentication. By choosing not to upgrade to a supported operating system, you are missing out on these features, some of which could be vital parts of your defense-in-depth strategy.
Finally, if you are using third-party software and applications on an unsupported operating system, it is likely that these third-party applications are no longer supported either. Most vendors only test and release updates for their software on a subset of operating systems, which will almost never include unsupported ones. This could mean that over time, those third-party applications will stop running effectively, or at all. This could lead to an unplanned loss in productivity, increased employee frustration trying to get the system to work, or even worse, more vulnerabilities.
What Should I Do?
This one might seem obvious, but you should upgrade to a supported operating system or application, if at all possible. Furthermore, you should make sure an IT refresh program is in place to replace outdated systems, operating systems, and applications. An IT refresh program can help you to forecast these changes, helping you budget more appropriately and allowing you to make the changes gradually, ensuring a smooth roll-out.
For those operating systems that cannot be replaced for whatever reason, you need to look at these as ticking time bombs. Assume that they will be compromised, and then assess what the damage will be when they are. There are steps you can take to reduce the severity, including:
- Segment these devices into their own VLAN with strong access controls. Controls should follow a white-list approach. This means locking down access to this system to those who have a business justification, and denying all other access. It also means you should control what this unsupported device can access, and deny access to anything else.
- Use different passwords on these devices that aren’t shared with any other systems. Again, you have to assume they will be compromised eventually. If a device is compromised, the first thing an attacker will do is dump passwords from memory. This includes both the local accounts on the system and any domain users who have logged into the system, if the system is vulnerable to something such as WDigest. Therefore, the accounts used on this system should be used nowhere else. This will prevent an attacker from reusing those credentials elsewhere.
- Monitor these systems closely. You may want to consider adding a firewall with an intrusion detection/prevention system with very strict rules to this network segment. Additionally, priority should be given to any alert that comes from these systems, as it may indicate an attack that can be stopped quickly if you respond.
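The segmentation and monitoring steps above can be checked mechanically. The following is an added example (not code from the original article) that audits constructed firewall flow-log lines against a white-list for a hypothetical legacy VLAN (10.99.0.0/24 and the other addresses are made up), raising a priority alert for any flow that leaves or reaches that segment outside the allowed set:

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical addressing: the unsupported hosts live in their own VLAN.
LEGACY_VLAN = ipaddress.ip_network("10.99.0.0/24")
# White-list of what a legacy host may reach: (destination, protocol, port).
ALLOWED_OUTBOUND = {
    (ipaddress.ip_network("10.10.5.20/32"), "tcp", 445),  # file/patch server
    (ipaddress.ip_network("10.10.5.21/32"), "udp", 123),  # NTP server
}
# White-list of who may reach a legacy host: (source, protocol, port).
ALLOWED_INBOUND = {
    (ipaddress.ip_network("10.10.5.10/32"), "tcp", 3389),  # admin jump host
}
# Constructed log format: "src=10.99.0.15 dst=10.10.5.20 proto=tcp dport=445"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

@dataclass(frozen=True)
class Alert:
    priority: str
    reason: str
    line: str

def _permitted(allow_list, addr, proto, port):
    return any(addr in net and proto == p and port == dp for net, p, dp in allow_list)

def check_flow(src, dst, proto, dport):
    """Return (priority, reason) if the flow violates the legacy-VLAN policy, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LEGACY_VLAN and not _permitted(ALLOWED_OUTBOUND, dst, proto, dport):
        return ("critical", "legacy host reaching outside its white-list (possible pivot)")
    if dst in LEGACY_VLAN and not _permitted(ALLOWED_INBOUND, src, proto, dport):
        return ("high", "unsupported host reached from outside its white-list")
    return None

def audit(lines):
    """Parse flow-log lines; malformed lines are skipped rather than trusted."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            verdict = check_flow(m.group(1), m.group(2), m.group(3).lower(), int(m.group(4)))
        except ValueError:  # unparsable address
            continue
        if verdict:
            alerts.append(Alert(verdict[0], verdict[1], line.strip()))
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "src=10.99.0.15 dst=10.10.5.20 proto=tcp dport=445 action=allow",
    "src=10.99.0.15 dst=10.10.5.21 proto=udp dport=123 action=allow",
    "src=10.99.0.15 dst=10.10.7.30 proto=tcp dport=445 action=allow",
    "src=10.20.3.4 dst=10.99.0.15 proto=tcp dport=3389 action=allow",
    "src=10.10.5.10 dst=10.99.0.15 proto=tcp dport=3389 action=allow",
    "src=10.20.3.4 dst=10.20.3.5 proto=tcp dport=80 action=allow",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"[{a.priority.upper()}] {a.reason}: {a.line}")
```

Run against real logs, the two flagged lines here are exactly the cases the list above describes: a legacy host talking to something it should never reach, and an unexpected source reaching the legacy host.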