Security patches and updates leave companies at risk when they’re running systems designated as end of life (EOL), such as .Net systems, Windows Server 2003, and Windows XP. When Microsoft releases an update or patch after the operating system (OS) is no longer supported, cybercriminals and malicious software developers dissect the update and reverse engineer the fix to find the security hole that was patched.
Cybercriminals are aware of operating systems that are no longer patched and/or updated, and they home in on those vulnerable targets. Once exploited, customers can experience data breaches, system crashes, website outages, or even malware attacks.
One such outbreak occurred in May 2017 when hundreds of thousands of companies fell victim to WannaCry. The ransomware swept through organizations like a worm, self-propagating across computer systems that had failed to patch a two-month-old SMB Windows vulnerability known as “EternalBlue.”
Without access to the latest Microsoft security bulletins, some systems running Windows XP successfully installed and spread WannaCry. Most simply crashed. Even so, the Redmond-based tech giant perceived enough of a threat to release an emergency security update for Windows XP… more than three years after declaring the operating system EOL.
Given the threats of malware attacks like WannaCry, organizations must carefully consider whether to extend the life of an EOL system.
Organizations need to ask themselves three questions:
- How do I keep this system in its current working state?
- Despite the lack of updates, can I harden the system to reduce my attack surface?
- How do I know when something has changed on my system?
These questions don’t operate in a vacuum, either.
Enterprises need to come up with the budget to make special accommodations for EOL systems. It will also be imperative to find the time to train employees on technologies that can…
This is a Security Bloggers Network syndicated blog post authored by Christopher Beier. Read the original post at: The State of Security