By Bharat Mistry
Cyber-criminals are always on the lookout for weaknesses in corporate IT systems. Whether these are manifest in human credulity or technical deficiencies, hackers have become past masters at exploiting any chinks in the armour. In this context, the retirement of major software and operating system versions represents a huge opportunity for the ever-agile black hat community. IT security teams should therefore be well prepared for this week’s end-of-support deadline for Windows 7 and Server 2008/Server 2008 R2.
For those companies unable or unwilling to upgrade, however, help is at hand.
Prompt patching is cybersecurity best practice for good reason. IT systems are ultimately designed by humans, meaning that mistakes inevitably get made and errors creep into code. These vulnerabilities are exploited today on a massive scale by a cybercrime community that has become adept at sharing threat intelligence and attack tools and techniques. Exploiting these software flaws is often the first step in a sophisticated information-stealing raid, a majorransomware infection, a cryptojacking or banking trojan attack, and many other cyber-threats. The majority of the vulnerabilities reported through our Zero Day Initiative (ZDI) program in the first-half of 2019 were rated “high” severity, which is bad news all round.
That makes it crucial for IT admins to patch any flaws, thus minimising corporate risk exposure. However, when a product reaches end-of-support, as Windows 7 and Server 2008 did on Tuesday January 14, the vendor no longer issues patches. Organisations should in the first instance consider upgrading in order to stay secure. After all, you can be sure that the hackers will be actively looking for, and maybe even already sitting on, new vulnerabilities to target any company that is still exposed after this date.
When upgrades aren’t the answer
However, there’s one big problem: things aren’t so simple for many companies. Major upgrades of thousands of enterprise machines can be expensive and time consuming, while extended Microsoft support carries with it its own prohibitive costs. Some may not even be able to upgrade because of incompatibilities with mission critical applications that won’t run on newer OS versions. In Operational Technology (OT) environments like factories and hospitals, Windows 7 may have been embedded into a device or controller, meaning the company can’t upgrade without voiding the manufacturer’s warranty.
Protecting your key assets
This is where third-party security tools can come in handy. At Trend Micro we have built next-generation intrusion prevention technology known as “virtual patching” into our products to protect servers and endpoints from threats targeting unpatched systems. The technology recognises and blocks attempts to exploit software and OS vulnerabilities, even in the absence of security updates from Microsoft.
With virtual patching in place, you not only get to extend the value of existing assets by being able to run legacy operating systems and apps in a highly secure environment. The functionality also ensures no unnecessary IT downtime while patches for supported systems are tested, and means you don’t need to roll-out emergency patches in the event that a major breaking exploit is discovered.
That’s good news for stretched IT teams and ensures the organisation is insulated from the financial and reputational repercussions of any downtime or security breach.