Tech Refresh as Part of an Effective Vulnerability Management Program: Part One

The topic I’m going to focus on today is tech refresh as part of vulnerability management, which is one of the most critical tasks for a cyber security professional. It comes in at #3 on the Center for Internet Security’s (CIS) Top 20 control listing. While this is listed as a basic control, the processes required to put an effective vulnerability management program into place are anything but basic. One part of vulnerability management that’s often overlooked, and that frequently comes up in recent risk and vulnerability assessments I’ve led, is unsupported operating systems.

The saying “if it isn’t broke, don’t fix it” doesn’t apply to outdated operating systems. While these systems may run fine and support your operations without a hiccup, running outdated operating systems, or releases the vendor doesn’t support anymore, is introducing risk into your enterprise.

The Critical Issue

The critical issue here is that security testing and patches aren’t being conducted or developed by the vendor, so any vulnerability that is found after the operating system passes its end-of-life date will stay unpatched. Additionally, other hardware and software developers often won’t test their products for compatibility or driver support with the discontinued operating systems. While not an issue initially, the lack of support may start to cause issues with usability as the system ages.

Other Things to Consider

Another issue with outdated operating systems is the hardware they’re running on. In almost every case I’ve come across, an outdated operating system is running on the hardware it came with. I’ve even seen Windows Server NT 4.0 (yes, in 2018). For older servers, this can lead to operational issues with reliability as older systems with limited processor and memory capabilities struggle to support the load or connections that modern systems can. While this is not a specific cyber security concern, maintaining operations is a requirement for any company and having inadequate systems is a risk that businesses should not accept.

The major software vendors understand they must support older systems, but they can’t support their systems indefinitely. Most major operating systems developers have a consistent development and support cycle that allows predictability for their customers. I’ve consolidated a listing of major software companies and added details about their support cycle, a link to their website or other supporting websites that provide relevant information, as well as tables that show operating systems and their end-of-support dates. The end-of-support date listed corresponds to when the developer no longer issues security patches for their product.

One other issue to consider with end-of-life dates for operating systems is that vendors will often offer reduced-price or free systems to budget-constrained organizations. While some of these offers may be genuine, many times the systems are six to eighteen months from their end-of-life date. To keep using the platforms, the organization must then purchase a costly upgrade or undergo a complete architecture overhaul to remedy the problem. Any time you’re making a large architecture change, make sure to look at the complete picture. As part of any architecture review or change management board (a critical part of an effective governance program), remaining vendor support life should be included as one of the criteria when evaluating any system.

The vendor operating system support data provided below is primarily taken from the vendor sites, FAQs or other provider information where possible to provide authoritative information on support. Some vendors don’t provide a set date for end-of-life. In those cases, the security patch releases were analyzed, as well as other press releases where possible to deduce what the support looks like. While this information will become outdated relatively quickly, the links to the vendor information will remain a valuable resource, as well as having a single site that links this information as a resource for the security professional.

To see what the trends are for the industry, the StatCounter GlobalStats project collects information on visitors to over two million websites monthly. Specifically, they gather and aggregate information about the systems visiting. I think they provide an interesting insight into the systems used by people visiting websites.

Desktops and Laptop Operating Systems

The primary productivity systems that users touch are their desktop and laptop systems. Microsoft dominates this space with around 60 percent market share in the US, and Apple’s macOS comes in at just under 20 percent, according to StatCounter GlobalStats. We’ve also included Linux distributions in this study, but only the most popular variants.

For the purposes of this post I have put laptops in with the desktop systems. While they could be included in the mobile category, laptops are typically refreshed on a similar cycle to desktops, so this is where they logically fit. It should be noted that laptops are notorious for not being updated regularly, especially laptops issued to employees who rarely use them or do not regularly connect them to the Internet or the corporate network to get the necessary patches. Care should be taken to develop an enforceable policy backed by realistic procedures so that this risk is minimized.

Windows Life Cycle Support

As the dominant operating system, making sure your Microsoft systems are refreshed is critical. The Microsoft operating system development cycle releases operating system updates every 3-4 years. Microsoft’s policy is to support operating systems for 10 years. After that, security patches are no longer provided. The primary Windows version seen in the US is Windows 10, with Windows 7 coming in at just under 30%. It should be noted that Windows XP still accounts for a little over 1% of the total Windows operating systems, despite reaching end-of-life in 2013.

Windows Life Cycle Fact Sheet

| Operating System | Release Date | End-of-Life Date |
|---|---|---|
| Windows ME | September 2000 | July 11, 2006 |
| Windows XP | October 2001 | April 8, 2014* |
| Windows Vista | November 2006 | April 13, 2010 |
| Windows 7 | October 2009 | January 14, 2020 |
| Windows 8 / 8.1 | October 2012 | January 10, 2023 |
| Windows 10 | July 2015 | At least until October 2026 |

*Microsoft provided an exception to this when they released a patch specifically for EternalBlue on May 13, 2017 that covered the unsupported Windows XP and Windows Server 2003.
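The check below is an added example, not code from the original post: it takes a small, constructed host inventory, looks each host up against the Windows end-of-life dates from the table above, and flags systems that are already unsupported or that fall inside the six-to-eighteen-month window mentioned earlier (hostnames are made up; the "at least until October 2026" entry is treated as the earliest possible end-of-life date).

```python
from datetime import date

# End-of-life dates copied from the Windows table in this post.
# Windows 10 is listed as "at least until October 2026", so the
# first day of that month is used as the earliest possible EOL.
WINDOWS_EOL = {
    "Windows ME": date(2006, 7, 11),
    "Windows XP": date(2014, 4, 8),
    "Windows Vista": date(2010, 4, 13),
    "Windows 7": date(2020, 1, 14),
    "Windows 8 / 8.1": date(2023, 1, 10),
    "Windows 10": date(2026, 10, 1),
}

def months_until(today, eol):
    """Whole months from today until eol (negative once eol has passed)."""
    months = (eol.year - today.year) * 12 + (eol.month - today.month)
    if eol.day < today.day:      # partial month does not count as a full one
        months -= 1
    return months

def classify(os_name, today, warn_months=18):
    """Return (status, months_remaining) for one inventory entry.
    status: 'unknown' (not in the table), 'unsupported', 'expiring'
    (within warn_months, the upper end of the 6-18 month window) or 'supported'."""
    eol = WINDOWS_EOL.get(os_name)
    if eol is None:
        return ("unknown", None)
    months = months_until(today, eol)
    if months < 0:
        return ("unsupported", months)
    if months <= warn_months:
        return ("expiring", months)
    return ("supported", months)

def review_inventory(inventory, today, warn_months=18):
    """inventory: list of (hostname, os_name). Returns status -> [hostnames]."""
    report = {"unsupported": [], "expiring": [], "supported": [], "unknown": []}
    for host, os_name in inventory:
        status, _ = classify(os_name, today, warn_months)
        report[status].append(host)
    return report

# Constructed sample inventory; hostnames are made up for this example.
SAMPLE_INVENTORY = [
    ("fileserver-01", "Windows 7"),
    ("kiosk-03", "Windows XP"),
    ("hr-laptop-12", "Windows 10"),
    ("lab-pc-07", "Windows 8 / 8.1"),
    ("legacy-ctrl", "Windows Server NT 4.0"),   # not in the table -> 'unknown'
]

if __name__ == "__main__":
    today = date(2018, 12, 1)   # the timeframe of this post
    for status, hosts in review_inventory(SAMPLE_INVENTORY, today).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Hosts that come back as "unknown" need a manual lookup rather than being ignored; in practice that bucket is where the oldest systems tend to hide.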

macOS Life Cycle Support Updates

Apple is different from other operating system developers because it doesn’t publish a software lifecycle support timeline. The release cycle for macOS appears to be annual, with the announcement of the OS at the Apple Worldwide Developers Conference (WWDC) and the software release happening in September. If this pattern holds, it looks like Apple uses a three-year support cycle for macOS, with the last security update being released at the 34-month point. macOS makes up around 20% of desktop operating systems, with 22% of those systems observed being past end of life as of November 2018, according to GlobalStats.

See the table below for macOS versions and release dates and the last security update released by Apple for the respective OS version.

| Operating System | Release Date | Last Security Update Date |
|---|---|---|
| Version 10.5: OS X Leopard | October 26, 2007 | May 14, 2012 |
| Version 10.6: OS X Snow Leopard | August 28, 2009 | September 12, 2013 |
| Version 10.7: OS X Lion | July 20, 2011 | September 17, 2014 |
| Version 10.8: OS X Mountain Lion | July 25, 2012 | August 13, 2015 |
| Version 10.9: OS X Mavericks | October 22, 2013 | July 18, 2016 |
| Version 10.10: OS X Yosemite | October 16, 2014 | July 19, 2017 |
| Version 10.11: OS X El Capitan | September 30, 2015 | July 9, 2018 |
| Version 10.12: macOS Sierra | September 20, 2016 | January 22, 2019* |
| Version 10.13: macOS High Sierra | September 25, 2017 | January 22, 2019* |
| Version 10.14: macOS Mojave | September 24, 2018 | January 22, 2019* |

*Most recently published security update

Apple security updates are available here for a consolidated view of available patches and the most current software available for each of its supported platforms. Apple also publishes a “Vintage and Obsolete Products” listing here, specific to the hardware platforms, and keeps the site updated with current information.

ChromeOS Lifecycle Support

ChromeOS is like the Android operating system in that it’s based on a Linux kernel; however, the development teams and development cycle are independent. Chromebooks are sold by multiple hardware companies, and Google provides automated updates and support for the operating system until the device reaches its Auto Update Expiration (AUE). Google’s policy is to support ChromeOS for at least five years, with expected support being six and a half years from the initial hardware launch. The linked page also includes the currently supported devices by vendor and product with the AUE date listed. This list is long (30 vendors) and will not be reproduced here. It’s important to note that when you buy or receive Chromebooks, especially from a reseller, you as the security professional should determine what the serviceable life of these devices is. Then you won’t have to buy a one-year solution that will require more investment later. This is especially important for the public sector, specifically for school systems.

The ChromeOS release notes provide information on changes to the features and policies for the various supported ChromeOS releases.

Linux Desktops

Linux distributions aren’t a very common desktop operating system, making up just over one percent, according to GlobalStats in November 2018. The distributions discussed here were based on surveys and popularity for desktop versions. The two we are going to look at here are Ubuntu and Mint, although there are other distributions used. I included links to some other distributions at the end of the section, but they won’t be discussed.

Ubuntu Life Cycle Support

Ubuntu is the most popular distribution of Linux, providing an operating system for desktops and servers. Ubuntu version numbers are based on the year and month of release, so 18.10 is the version that was released in October 2018, which is their most recent release. Ubuntu has a full version and interim release cycle, designating the full version release as its “Long Term Support (LTS)” version. Their LTS version is guaranteed to have at least five years of support, including maintenance and security updates. Interim releases have nine months of guaranteed support.

| Operating System | Support End Date |
|---|---|
| Ubuntu 10.04 LTS | April 2015 |
| Ubuntu 12.04 LTS | April 2020 (support extended) |
| Ubuntu 14.04 LTS | April 2019 |
| Ubuntu 16.04 LTS | April 2021 |
| Ubuntu 17.10 | August 2018 |
| Ubuntu 18.04 LTS | April 2023 |
| Ubuntu 18.10 | August 2019 |

Mint Life Cycle Support

Mint is based on Ubuntu and Debian and is designed to be more user friendly to install. Like Ubuntu, Mint provides LTS versions supported for a minimum of five years.

This site provides a link to all the current versions and their support dates, also listed below.

| Operating System | Support End Date |
|---|---|
| Mint 3 | August 2023 (estimated) |
| Mint 17.x | April 2019 |
| Mint 18.x | April 2021 |
| Mint 19.x | April 2023 |

Summary

Remember that security testing and patches aren’t being conducted or developed by the vendor, so any vulnerability that is found after the operating system passes its end-of-life date will stay unpatched. Also, don’t forget that old hardware can cause issues. And when making a large change to your system architecture, remember to look at the whole picture.

Does your organization need a vulnerability assessment? Check out our services page here or contact us here.

Part Two of this blog post will cover Android and iOS operating systems. Coming soon!


*** This is a Security Bloggers Network syndicated blog from Blog – Delta Risk authored by Keith Melancon. Read the original post at: https://deltarisk.com/blog/tech-refresh-as-part-of-an-effective-vulnerability-management-program-part-one/