The topic I’m going to focus on today is tech refresh as vulnerability management, which is one of the most critical tasks for a cyber security professional. It comes in at #3 on the Center for Internet Security’s (CIS) Top 20 control listing. While this is listed as a basic control, the processes required to put an effective vulnerability management program into place are anything but basic. One part of vulnerability management that’s often overlooked, and that has come up repeatedly in recent risk and vulnerability assessments I’ve led, is unsupported operating systems.
The saying “if it isn’t broke, don’t fix it” doesn’t apply to outdated operating systems. While these systems may run fine and support your operations without a hiccup, running outdated operating systems, or releases the vendor doesn’t support anymore, is introducing risk into your enterprise.
The Critical Issue
The critical issue here is that security testing and patches aren’t being conducted or developed by the vendor, so any vulnerability that is found after the operating system passes its end-of-life date will stay unpatched. Additionally, other hardware and software developers often won’t test their products for compatibility or driver support with the discontinued operating systems. While not an issue initially, the lack of support may start to cause issues with usability as the system ages.
Other Things to Consider
Another issue with outdated operating systems is the hardware they’re running on. In almost every case I’ve come across, an outdated operating system is running on the hardware it came with. I’ve even seen Windows Server NT 4.0 (yes, in 2018). For older servers, this can lead to operational issues with reliability as older systems with limited processor and memory capabilities struggle to support the load or connections that modern systems can. While this is not a specific cyber security concern, maintaining operations is a requirement for any company and having inadequate systems is a risk that businesses should not accept.
The major software vendors understand they must support older systems, but they can’t support their systems indefinitely. Most major operating system developers have a consistent development and support cycle that gives their customers predictability. I’ve consolidated a listing of major software companies and added details about their support cycle, a link to their website or other supporting websites that provide relevant information, as well as tables that show operating systems and their end-of-support dates. The end-of-support date listed corresponds to when the developer no longer issues security patches for their product.
One other issue to consider with end-of-life dates for operating systems is that vendors will often offer reduced-price or free systems to budget-constrained organizations. While some of these offers may be genuine, many times the systems are six to eighteen months from their end-of-life date. To keep using the platforms, the organization must then purchase a costly upgrade or undergo a complete architecture overhaul to remedy the problem. Any time you’re making a large architecture change, make sure to look at the complete picture. As part of any architecture review or change management board (a critical part of an effective governance program), remaining vendor support should be included as one of the criteria when evaluating any system.
The vendor operating system support data provided below is taken primarily from the vendor sites, FAQs or other provider information, where possible, to give authoritative information on support. Some vendors don’t provide a set date for end-of-life. In those cases, the security patch releases were analyzed, along with press releases where available, to deduce what the support looks like. While this information will become outdated relatively quickly, the links to the vendor information will remain a valuable resource, as will having a single site that collects these links for the security professional.
To see what the trends are for the industry, I used the StatCounter GlobalStats project, which collects information on visitors to over two million websites monthly. Specifically, it gathers and aggregates information about the systems visiting. I think it provides an interesting insight into the systems used by people visiting websites.
Desktops and Laptop Operating Systems
The primary productivity systems that users touch are their desktop and laptop systems. Microsoft dominates this space, with around 60 percent market share in the US, and Apple’s macOS comes in at just under 20%, according to StatCounter GlobalStats. We’ve also included Linux distributions in this study but are only including the most popular variants.
For the purposes of this post I have put laptops in with the desktop systems. While they could be included in the mobile category, laptops are typically refreshed on a similar cycle to desktops, so this is where they logically fit. It should be noted that laptops are notorious for not being updated regularly, especially laptops issued to employees who rarely use them or do not regularly connect them to the Internet or the corporate network to get the necessary patches. Care should be taken to develop an enforceable policy backed by realistic procedures so that this risk is minimized.
Windows Life Cycle Support
As the dominant operating system, making sure your Microsoft systems are refreshed is critical. Microsoft releases a new operating system version every 3-4 years. Microsoft’s policy is to support operating systems for 10 years. After that, security patches are no longer provided. The primary Windows version seen in the US is Windows 10, with Windows 7 coming in at just under 30%. It should be noted that Windows XP still accounts for a little over 1% of the total Windows operating systems, despite reaching end-of-life in 2013.
Operating System     End-of-Life Date
                     July 11, 2006
                     April 8, 2014*
                     April 13, 2010
                     January 14, 2020
Windows 8 / 8.1      January 10, 2023
                     At least until October 2026
macOS Life Cycle Support Updates
Apple is different from other operating system developers because it doesn’t publish a software lifecycle support timeline. The release cycle for macOS appears to be annual, with the announcement of the OS at the Apple Worldwide Developers Conference (WWDC) and the software release happening in September. If this pattern holds, it looks like Apple uses a three-year support cycle for macOS, with the last security update being released at the 34-month point. macOS makes up around 20% of desktop operating systems, with 22% of those systems observed being past end of life as of November 2018, according to GlobalStats.
See the table below for macOS versions and release dates and the last security update released by Apple for the respective OS version.
Version                            Release Date          Last Security Update Date
Version 10.5: OS X Leopard         October 26, 2007      May 14, 2012
Version 10.6: OS X Snow Leopard    August 28, 2009       September 12, 2013
Version 10.7: OS X Lion            July 20, 2011         September 17, 2014
Version 10.8: OS X Mountain Lion   July 25, 2012         August 13, 2015
Version 10.9: OS X Mavericks       October 22, 2013      July 18, 2016
Version 10.10: OS X Yosemite       October 16, 2014      July 19, 2017
Version 10.11: OS X El Capitan     September 30, 2015    July 9, 2018
Version 10.12: macOS Sierra        September 20, 2016    January 22, 2019*
Version 10.13: macOS High Sierra   September 25, 2017    January 22, 2019*
Version 10.14: macOS Mojave        September 24, 2018    January 22, 2019*
*Most recently published security update
Apple security updates are available here for a consolidated view of available patches and the most current software available for each of its supported platforms. Apple also publishes a “Vintage and Obsolete Products” listing here, specific to the hardware platforms, and keeps the site updated with current information.
ChromeOS Lifecycle Support
ChromeOS is like the Android operating system in that it’s based on a Linux kernel; however, the development teams and development cycle are independent. ChromeBooks are sold by multiple hardware companies, and Google provides automated updates and support for the operating system until the device reaches its Auto Update Expiration (AUE). Google’s policy is to support ChromeOS for at least five years, with expected support being six and a half years from the initial hardware launch. The linked page also lists the currently supported devices by vendor and product, with the AUE date for each. This list is long (30 vendors) and will not be reproduced here. It’s important to note that when you buy or receive ChromeBooks, especially from a reseller, you as the security professional should determine what the serviceable life of these devices is. Then you won’t have to buy a one-year solution that will require more investment later. This is especially important for the public sector, specifically for school systems.
The ChromeOS release notes provide information on changes to the features and policies for the various supported ChromeOS releases.
Linux distributions aren’t a very common desktop operating system, making up just over one percent, according to GlobalStats in November 2018. The distributions discussed here were based on surveys and popularity for desktop versions. The two we are going to look at here are Ubuntu and Mint, although there are other distributions used. I included links to some other distributions at the end of the section, but they won’t be discussed.
Ubuntu Life Cycle Support
Ubuntu is the most popular distribution of Linux, providing an operating system for desktops and servers. Ubuntu version numbers are based on the year and month of release, so 18.10 is the version that was released in October 2018, which is their most recent release. Ubuntu has a full version and interim release cycle, designating the full version release as its “Long Term Support (LTS)” version. Their LTS version is guaranteed to have at least five years of support, including maintenance and security updates. Interim releases have nine months of guaranteed support.
Version              Support End Date
Ubuntu 10.04 LTS
Ubuntu 12.04 LTS     April 2020 (support extended)
Ubuntu 14.04 LTS
Ubuntu 16.04 LTS
Ubuntu 18.04 LTS
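The macOS and Windows tables above give fixed dates, while the Ubuntu section gives a rule (release year and month in the version number, five years for LTS, nine months for interim). The following inventory check, added here as an example and not code from the original post or from any vendor, combines both: it looks up the dates the post lists, derives Ubuntu dates from the version string, and flags systems that are past end of support or within the 18-month window the post mentions for soon-to-expire systems. The hostnames and the inventory are constructed; the `add_months` helper, the "expiring" status and the `warn_months` default are assumptions of this example.

```python
from datetime import date

# End-of-support dates below are the ones in this post's tables; everything else is constructed.
MACOS_LAST_SECURITY_UPDATE = {   # version -> last security update released by Apple
    "10.9": date(2016, 7, 18),   # Mavericks
    "10.10": date(2017, 7, 19),  # Yosemite
    "10.11": date(2018, 7, 9),   # El Capitan
}
WINDOWS_END_OF_LIFE = {"8.1": date(2023, 1, 10)}  # Windows 8 / 8.1
KNOWN_DATES = {"macos": MACOS_LAST_SECURITY_UPDATE, "windows": WINDOWS_END_OF_LIFE}

def add_months(d: date, months: int) -> date:
    """First day of the month `months` after d (month granularity is enough here)."""
    total = d.year * 12 + (d.month - 1) + months
    return date(total // 12, total % 12 + 1, 1)

def ubuntu_support_end(version: str) -> date:
    """Ubuntu's version is its release year and month (18.04 = April 2018):
    LTS releases get five years of support, interim releases nine months."""
    number, *tags = version.split()
    yy, mm = (int(part) for part in number.split(".")[:2])
    return add_months(date(2000 + yy, mm, 1), 60 if "LTS" in tags else 9)

def support_end(os_family: str, version: str):
    """End-of-support date for one OS, or None when this post gives no date for it."""
    if os_family == "ubuntu":
        return ubuntu_support_end(version)
    return KNOWN_DATES.get(os_family, {}).get(version)

def classify(os_family: str, version: str, today: date, warn_months: int = 18) -> str:
    """'unsupported' past end of support, 'expiring' within warn_months, else 'supported'."""
    end = support_end(os_family, version)
    if end is None:
        return "unknown"
    if end < today:
        return "unsupported"
    return "expiring" if end < add_months(today, warn_months) else "supported"

def audit(inventory, today: date) -> dict:
    """Map hostname -> status for an inventory of (hostname, os_family, version) tuples."""
    return {host: classify(fam, ver, today) for host, fam, ver in inventory}

# Constructed inventory, meant to be assessed as of the post's November 2018 data point.
SAMPLE_INVENTORY = [
    ("fileserver-01", "ubuntu", "14.04 LTS"),
    ("web-02", "ubuntu", "18.10"),
    ("design-mac-07", "macos", "10.11"),
    ("kiosk-win-03", "windows", "8.1"),
]
```

Running `audit(SAMPLE_INVENTORY, date(2018, 11, 1))` reports design-mac-07 as unsupported (El Capitan's last update was July 2018), both Ubuntu hosts as expiring, and the Windows 8.1 kiosk as supported.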
Mint Life Cycle Support
Mint is based on Ubuntu and Debian and is designed to be more user friendly to install. Like Ubuntu, Mint provides LTS versions supported for a minimum of five years.
This site provides a link to all the current versions and their support dates, also listed below.
Version              Support End Date
                     August 2023 (estimated)
Remember that security testing and patches aren’t being conducted or developed by the vendor, so any vulnerability that is found after the operating system passes its end-of-life date will stay unpatched. Also, don’t forget that old hardware can cause issues. And when making a large change to your system architecture, remember to look at the whole picture.
Part Two of this blog post will cover Android and iOS operating systems. Coming soon!
*** This is a Security Bloggers Network syndicated blog from Blog – Delta Risk authored by Keith Melancon. Read the original post at: https://deltarisk.com/blog/tech-refresh-as-part-of-an-effective-vulnerability-management-program-part-one/