According to recent guidance from the National Cyber Security Centre (NCSC), part of the UK Government that provides advice and support for the public and private sector in how to avoid computer security threats, the risks of using obsolete software are significant and result from two compounding factors:
- Absence of security updates increases the likelihood that exploitable vulnerabilities will become known by attackers
- Latest security controls and protections are absent in older software, increasing the impact of vulnerabilities, making exploits more likely and making detection more difficult
To this point, according to research undertaken by BitSight, leaders in security ratings, if more than half of an organisation’s endpoints are outdated, its chances of experiencing a breach nearly triple. These findings highlight the seriousness of the risk posed by outdated software, browsers, and operating systems. The fact is, failing to update software doesn’t just mean you won’t have the latest version at your disposal; it means you could expose your organisation to major security vulnerabilities.
The problem with obsolete software is that, over time, new vulnerabilities are discovered that can be exploited by relatively low-skilled attackers. Products such as antivirus offer even less protection than that achieved on up-to-date systems, as signatures are typically not tuned to detect attacks targeted at obsolete systems.
One of the major risks of outdated systems is increased vulnerability to a ransomware attack. After the WannaCry outbreak — which hit more than 160,000 computers around the world in 2017 and caused no end of damage — organisations are more aware of the consequences, but still, this doesn’t mean that they won’t use outdated systems.
Devices connected to your network could be more integral to your business than you think. A virus infection of a single device has the potential to cause a major business disruption if allowed to spread throughout an organisation. A timely response to security-critical events, therefore, becomes increasingly important if obsolete software is present, to reduce any compromise spreading. However, this can place significant demands on an already overstretched security team.
The NCSC recommends, therefore, that obsolete systems should be treated as untrusted, as should data and files sourced from the Internet, even if originating from a known third party. Likewise, while it’s critical to look within your organisation for outdated systems, it’s just as important to assess your third parties. For example, if one of your vendors manages critical data for your business and accesses your network using an outdated browser, that vendor could be inadvertently exposing your (or your customers’) data to risk.
Convert obsolete client systems to thin clients
One mitigation technique recommended by the NCSC is to convert obsolete machines to thin client devices and use them only as an access mechanism to trusted internal services. Web browsing and business productivity applications can be performed via Web Applications or a VDI environment running a patched modern browser.
The approach applies equally to third-party organisations whose own devices are used within, or to connect to, your environment, for example suppliers that manage services within your enterprise environment. To this point, we have been working in collaboration with UK Government to develop Paradox, a secure operating system and management platform for converting legacy devices into cost-effective endpoints that offer a modern browser experience.
There is no doubt that the WannaCry attacks were a wake-up call for security teams and revealed the large number of organisations that use outdated systems and ignore critical updates. My recommendation is to apply critical system updates. Google, Microsoft, and Apple frequently update their software and communicate the vulnerabilities that get patched with each release. Although it may be difficult for large companies to update every computer on their networks, IT teams should at least examine whether any computers on their networks are using outdated versions of operating systems. The good news is that with Paradox this is achievable without breaking the bank. Paradox is also resilient, with local redundancy and an automatic failover capability for each device, allowing organisations to confidently maintain uptime and service levels, even on old equipment.
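The step recommended above, examining which endpoints run operating systems that are no longer supported, is something an IT team can script against an asset inventory. The following is an added example written for this page; it is not code from the article, from Becrypt, or from Paradox. The inventory lines, the operating-system names and the end-of-support dates in the support-policy table are all constructed placeholders (a real run would load vendor lifecycle dates and an export from the organisation's asset-management system). Any endpoint whose OS and major version are not in the policy table is treated as outdated, following the NCSC stance that unknown or obsolete systems are untrusted by default, and the report flags when outdated endpoints exceed half of the estate, the threshold BitSight's research associates with a sharply higher breach likelihood.

```python
"""Flag inventory endpoints whose operating system is past end of support.

Added illustration for the article, not Becrypt/Paradox code. Inventory
lines and the support policy below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed support policy: (os_name, major_version) -> end-of-support date.
# Placeholder names and dates, NOT real vendor lifecycle data.
SUPPORT_POLICY: dict[tuple[str, str], date] = {
    ("exampleos", "10"): date(2023, 6, 30),
    ("exampleos", "11"): date(2027, 12, 31),
    ("examplelinux", "8"): date(2024, 1, 15),
    ("examplelinux", "9"): date(2029, 1, 15),
}


@dataclass
class Endpoint:
    hostname: str
    os_name: str
    os_version: str


def parse_inventory(text: str) -> list[Endpoint]:
    """Parse 'hostname,os_name,os_version' lines; blank lines and '#' comments are skipped."""
    endpoints: list[Endpoint] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"malformed inventory line: {line!r}")
        endpoints.append(Endpoint(*parts))
    return endpoints


def is_outdated(ep: Endpoint, today: date) -> bool:
    """An OS/major-version pair missing from the policy is untrusted, so it counts as outdated."""
    major = ep.os_version.split(".")[0]
    end_of_support = SUPPORT_POLICY.get((ep.os_name.lower(), major))
    return end_of_support is None or end_of_support < today


def assess(text: str, today: date) -> dict:
    """Return the outdated hosts, their share of the estate and a majority flag."""
    endpoints = parse_inventory(text)
    outdated = [ep.hostname for ep in endpoints if is_outdated(ep, today)]
    share = len(outdated) / len(endpoints) if endpoints else 0.0
    return {
        "total": len(endpoints),
        "outdated": outdated,
        "share": share,
        "majority_outdated": share > 0.5,  # threshold from the BitSight finding cited above
    }


# Constructed sample inventory (hostnames, OS names and versions are made up).
SAMPLE_INVENTORY = """\
# hostname,os_name,os_version
ws-01,ExampleOS,10.0.19045
ws-02,ExampleOS,11.0.22631
srv-01,ExampleLinux,8.9
srv-02,ExampleLinux,9.3
kiosk-01,LegacyOS,5.1
"""

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY, date(2025, 1, 1))
    print(f"{len(report['outdated'])}/{report['total']} endpoints outdated "
          f"({report['share']:.0%}): {', '.join(report['outdated'])}")
    if report["majority_outdated"]:
        print("More than half the estate is outdated; prioritise remediation.")
```

The assessment is deliberately conservative: a host whose operating system is not recognised is reported as outdated rather than silently passed, so gaps in the policy table surface as findings instead of hiding risk.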
Today thousands of companies are still using outdated operating systems and Internet browsers, increasing their chances of experiencing a data breach or some kind of security compromise. As more devices are connected to their networks, companies without robust endpoint security controls and a secure operating system are likely to be exposed to more cyber-attacks in the future.
Written by Bernard Parsons, CEO, Becrypt