Windows 7 and EOL systems and their impact on the IT workload

As of January 14, 2020, Microsoft has discontinued Windows 7 support as planned for the operating system's End of Life (EOL). To some organizations, this operating system (OS) might seem like a distant memory. However, nearly 30 percent of the world’s computers -- or more than 400 million -- still run Windows 7 and are only now contemplating migration to Windows 10. Millions of users will be depending on an unsupported OS for some time after its retirement and IT teams will still be responsible for maintaining these systems.

While Microsoft will not be globally pushing out any more security patches for Windows 7 after Jan 14th, customers can pay for a security update service which will deliver patches until 2023. Failure to sign-up for and implement these patches will mean operating an OS that is vulnerable to malicious actors. IT teams will need to continue updating and patching Windows 7 as long as their company is using it -- even if they are in the process of migrating to Windows 10.

The Windows 7 retirement is a highly visible example of what is happening with many systems and applications all over Corporate America. Most businesses operate a variety of applications, all of which reside somewhere on the continuum of development, maintenance, and retirement. During the latter two stages, patch updates are often required. While some updates can be automatically performed via subscriptions, others require the manual identification and implementation of patches as they become available. This is especially true of retired or end-of-lifed applications, including those that a company may be transitioning away from, but still has in use.

It’s a tall order for IT teams to diligently identify and assess the security of a growing number of systems and applications, most of which continuously evolve, without losing track of systems that are EOL. But with the right tools and personnel, businesses can do their best to stay one step ahead of cyber attackers.

Vulnerability Identification: Awareness is the First Step

Knowing what is on your network is vital to creating a robust security program. Many IT teams struggle to establish and maintain an effective system for comprehensively identifying vulnerabilities across their network. To achieve complete vulnerability scans, several scanning tools are dependent on updated system inventories. These can be difficult to maintain when working in fast-paced development environments or areas with high staff turnover. Often, companies are running systems or software they aren’t even aware of due to inadvertent knowledge gaps or lack of documentation. Fortunately, there are solutions that are less dependent on external asset inventories. For example, Frontline Vulnerability Manager provides the flexibility to scan by IP ranges or hostnames across the network and automatically identify asset types for you eliminating potential blind spots and forgotten assets.

Effective vulnerability scanning looks for weaknesses across the entirety of a business, from firewalls to weak configurations or missed security patches. Network security auditing eliminates network drift and digs deeper into assets which can be easily prioritized.

Vulnerability Prioritization: They Can’t all be Priority #1

It is estimated by the National Vulnerability Database (NVD) that 45 new vulnerability disclosures are discovered every day, and nearly 60 percent are rated "critical" or "high" severity. However, those rankings do not universally apply to each unique organization. IT teams must be able to discern which among the multitude of vulnerabilities they face poses the most significant risk to their organization’s infrastructure and operations. This means prioritization by several different criteria that take individual company characteristics into account.

Keep the Workload Manageable

As businesses continue to use more and varied technology, and tech creators continue to develop and iterate, the need for effective vulnerability management becomes increasingly acute. Without it, your business will not be able to manage the volume of necessary updates and patches and will be at increased risk of a breach or cyberattack. Don’t let the mountain of mitigation tasks paralyze your IT team.

Mieng Lim is Senior Director of Product Management Digital Defense, Inc. Mieng takes a consultative approach to security having held prior roles in Operations, Quality Assurance and Sales Engineering. Mieng seamlessly blends technical expertise with real world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves a mentor and STEM advocate encouraging young women to pursue careers in security and technology and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor’s Degree in Computer Science with Minor in Sociology from Trinity University.