By Jack M. Germain
May 4, 2021 04:00 PT
On April 26, Kaspersky released the results of a survey showing that nearly a quarter (22%) of PCs are still running the end-of-life Microsoft Windows 7 operating system, which ceased to receive general support in January 2020.
When an operating system reaches the end of its life, its vulnerabilities remain on the system with no patch updates to fix them, giving attackers potential avenues to gain access. Therefore, updating the operating system is essential to protect networks from this preventable problem, according to Kaspersky.
Using an end-of-life operating system that no longer receives security updates is like driving a car with a brake light on. The likelihood of disaster is high and yet it is difficult to convey this to users of such systems without it appearing to be a ploy to get them to spend more money, suggested Oliver Tavakoli, CTO at Vectra AI.
“It would be a good place for a government or NGOs to step in to provide upgrading incentives and programs, as it makes the whole ecosystem safer,” he told TechNewsWorld.
Those who still use Windows 7 are consumers, small and medium-sized businesses (SMBs), and very small businesses (VSBs). The survey points out that nearly a quarter of VSBs are still using the outdated operating system because they lack dedicated IT staff.
A temporary alternative for business users is to purchase Extended Paid Support for Windows 7 from Microsoft. However, this means an additional expense.
Kaspersky’s results also showed that less than 1% of people and businesses are still using older operating systems, such as Windows XP and Vista. Support for these older operating systems ended in 2014 and 2017 respectively.
That leaves 72% of users running Windows 10, the latest version of the Windows operating system.
Updating your operating system might seem like a nuisance to many, but operating system updates aren’t just there to fix errors or activate the latest interface, according to Oleg Gorobets, senior director of OS product marketing at Kaspersky. The updates introduce fixes for bugs that can open a gaping door for cybercriminals.
“Even if you think you are vigilant and protected when you are online, updating your operating system is an essential security element that should not be neglected, regardless of the presence of a third-party security solution,” he advised.
If the operating system is outdated, it can no longer receive these critical updates. He likened the reasoning to an owner of an old crumbling house installing a new door. It makes more sense to find a new home, as soon as possible.
“The same attitude is needed when it comes to ensuring the security of the operating system you trust every day with your precious data,” Gorobets added.
Mitigate attack vectors
Knowing the risks of continuing to use an end-of-life operating system is a good start. But acting on that knowledge is the smarter way to finish, the report notes.
Kaspersky recommends several measures to protect yourself or your business.
If upgrading to the latest version of the operating system is not possible, organizations should factor this exposed attack vector into their threat model. Make sure to create smart separations of vulnerable nodes from the rest of the network.
For example, an embedded systems security solution may support operating systems as old as Windows XP SP2 and run on systems with very low specifications.
Use cloud and endpoint security solutions with exploit prevention technologies. There are also small office security applications that help reduce the risk of exploitation of unpatched vulnerabilities found in outdated operating systems such as Microsoft Windows 7 and earlier.
As an organization with no other option, make sure that your devices are hardened, that the firewall rules are restrictive for them, and that they are all on a separate part of your network, using internal VLANs or firewall zones.
Lack of full disclosure
Other sources covering the market share of each version of the Microsoft Windows desktop operating system have similar percentages for Windows 7 as in the Kaspersky study, noted Dirk Schrader, global vice president of research on Microsoft security at New Net Technologies.
“Unfortunately, there is no mention of basic data on the number of verified devices,” he told TechNewsWorld.
Microsoft has asked OEMs of PCs and laptops to end the sale of Windows 7 as a preinstalled operating system by October 31, 2016, just four and a half years ago. Many businesses and local or state governments have policies in place for the use of computer hardware where the expected life of a device is longer than the time elapsed since that date, he observed.
Public procurement policies often have no contingencies for outdated operating systems. They apply the notion of “it always works”, which is dominant in discussions when decisions need to be made about where to spend money with limited budgets.
“It will be interesting to see how this percentage will be affected by the initiatives of the Biden administration over the next twelve months. As the digitization efforts will require additional systems, it is highly likely that the existing systems will remain unchanged,” said Schrader.
Either way, organizations that are still using Windows 7 are easier targets for cyber attacks due to the lack of updates (if they haven’t signed up for extended paid support) and are likely to face public backlash and loss of reputation in the event of a data breach, he added.
“There is also the impact that such a scenario could have on cyber risk insurance status,” Schrader observed.