In a recent webinar, we covered the topic of vulnerability and patch management. This post drills down into the headache of end-of-life (EOL) software, also known as end-of-support (EOS) software. Nothing lasts forever. At some point, software reaches the end of support and maintenance by its developers. This can happen to a product as a whole or to an older version that has since been superseded.
When a program reaches this stage, the company that created it no longer updates or patches it. Any security vulnerabilities or bugs discovered from then on will not be fixed, even once they are publicly known. For threat actors, organizations still running EOL software are a goldmine of targets.
- Ransomware can infect an organization after exploiting an unpatched system.
- Data breaches and credential theft can follow once a network is infiltrated through a known vulnerability.
- Hosts running EOL software can be conscripted into a botnet that threat actors use to launch distributed denial-of-service (DDoS) attacks on others.
Once-popular software programs that are now end-of-life include:
- Microsoft Windows 7
- Microsoft Windows Server 2008
- Microsoft Office 2010
- Microsoft Office 2013
- Microsoft Internet Explorer
- Adobe Flash
In the coming months, the next major product to reach EOL is:
- Microsoft Windows Server 2012 and 2012 R2, whose extended support ends on October 10, 2023
The Center for Internet Security maintains a list of additional unsupported software on its website. Given the multitude of software and systems in a typical environment, auditing the hardware and software in use and their patch status is an important first step: you cannot retire what you do not know you are running.
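To make that first step concrete, here is an added Python example (not code from the original post or from the Center for Internet Security) that reads an inventory export and flags products that are past, or approaching, their end-of-support date, plus hosts whose last patch is older than a chosen window. The inventory CSV is constructed for illustration; the EOL table holds the vendors' published end-of-support dates for the products named above, plus Windows 10 22H2 and Windows Server 2019, which the post does not list, so that supported products appear in the run. Check the dates against the vendor lifecycle pages before acting on them.

```python
"""Audit a software inventory for end-of-life products and stale patching.

Added example, not from the original post. SAMPLE_INVENTORY is constructed;
EOL_DATES holds vendor-published end-of-support dates (verify against the
vendor lifecycle pages before relying on them).
"""
import csv
import io
from datetime import date, datetime

# Lower-cased substring of the product name -> end of vendor support.
EOL_DATES = {
    "windows 7": date(2020, 1, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows server 2012": date(2023, 10, 10),
    "windows server 2019": date(2029, 1, 9),   # not in the post's list
    "windows 10": date(2025, 10, 14),          # not in the post's list (22H2)
    "office 2010": date(2020, 10, 13),
    "office 2013": date(2023, 4, 11),
    "internet explorer": date(2022, 6, 15),
    "adobe flash": date(2020, 12, 31),
}

APPROACHING_DAYS = 180   # warn this far ahead of the EOL date
STALE_PATCH_DAYS = 90    # flag hosts not patched within this window
AS_OF = date(2023, 8, 1)  # constructed audit date for the demo run

# Constructed CSV export, in the shape an asset-management tool might produce.
SAMPLE_INVENTORY = """\
host,product,version,last_patched
fs01,Windows Server 2008 R2,6.1.7601,2019-12-10
app02,Windows Server 2012 R2,6.3.9600,2023-07-11
app03,Windows Server 2019,10.0.17763,2023-07-11
ws-114,Windows 7 Enterprise,6.1.7601,2020-01-14
ws-115,Windows 10 Enterprise 22H2,10.0.19045,2023-07-11
ws-115,Microsoft Office 2013,15.0,2023-04-11
ws-116,Microsoft Office 2021,16.0,2023-07-11
"""


def lifecycle_status(product, as_of, eol_dates=EOL_DATES):
    """Classify a product as 'eol', 'approaching', 'supported' or 'unknown'.

    'unknown' means the table has no entry: the product must be looked up,
    never assumed safe. Returns (status, eol_date_or_None).
    """
    name = product.lower()
    for key, end in eol_dates.items():
        if key in name:
            days_left = (end - as_of).days
            if days_left < 0:
                return "eol", end
            if days_left <= APPROACHING_DAYS:
                return "approaching", end
            return "supported", end
    return "unknown", None


def audit_inventory(inventory_csv, as_of, eol_dates=EOL_DATES):
    """Return one finding per inventory row that needs attention.

    A row is a finding if its product is EOL, approaching EOL, unknown to
    the table, or has not been patched within STALE_PATCH_DAYS.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, end = lifecycle_status(row["product"], as_of, eol_dates)
        last_patched = datetime.strptime(row["last_patched"], "%Y-%m-%d").date()
        patch_age = (as_of - last_patched).days
        stale = patch_age > STALE_PATCH_DAYS
        if status != "supported" or stale:
            findings.append({
                "host": row["host"],
                "product": row["product"],
                "status": status,
                "eol_date": end.isoformat() if end else None,
                "patch_age_days": patch_age,
                "stale_patch": stale,
            })
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, AS_OF):
        print(f"{f['host']:8} {f['status']:12} {f['product']} "
              f"(EOL {f['eol_date']}, last patched {f['patch_age_days']}d ago)")
```

Two design points matter here. A product with no lifecycle entry is reported as "unknown" rather than silently passing, because an incomplete table is exactly the awareness gap that lets EOL software linger. And the patch-age check is independent of the lifecycle check, so a supported but long-unpatched host is still surfaced.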
Reasons End-of-Life Software Abounds
Given the danger of EOL software, why do IT and company leaders allow this risk to persist?
- Money: Installing and upgrading systems can be a significant investment. Company owners expect the IT software and systems they invested tens of thousands of dollars in to last. The cost of moving off EOL software can also go beyond the software itself; sometimes an upgrade requires new, more powerful hardware to run it.
- Effort: In addition to money, the effort to upgrade or patch a system can be immense, and a company may not have the internal IT expertise to make it happen.
- Fear: Patching or upgrading EOL software risks bringing down an IT environment, or even a real-world operation, depending on what the system controls.
- Naivety: The other side of the coin from fearing that a change will cause damage is not fearing that an attack will. Cyberattacks hit companies of every size and type. Threat actors run mass campaigns against whatever systems they can reach and do not discriminate.
- Awareness: Not knowing what software is running in the IT environment is also common, and a system nobody knows about never makes it onto the upgrade list.
What to Do If You Run End-of-Life Software
Plan A: Update
Sometimes only a particular version of a product is EOL, and the fix is as simple as upgrading to a supported version. A new version may have to be paid for, but the investment is well worth it. Before moving on to the fallback plans below, confirm that no patches (or paid extended-support options) are available: ask the vendor whether support and patches still exist for your old programs. Back up the affected systems and test the patch or upgrade outside production before rolling it out.
Plan B: Replace
Replacing the software with another product that serves the same purpose is the next option. Take, for example, an enterprise resource planning (ERP) system installed in the 2010s whose developer has since gone out of business. The ERP software has been ingrained in operations for a decade and is vital to every employee, yet it has not been patched or updated for years and is at risk of being used as an attack vector. The company should migrate from the EOL product to one that its developers still support. The switch may be tough, but running on unpatched ERP software is a ticking time bomb.
Plan C: Add Additional Security Controls
The very last plan, if you absolutely cannot upgrade or replace a system, is to build and monitor security controls around it. Dark Reading has helpful tips for this scenario; its article recommends segmenting the affected system within your network and monitoring its traffic.
“If your organization is operating with old, decommissioned, and nonsupported operating systems or software that can no longer be patched, you have to isolate those systems on a separate network and control all inbound and outbound traffic via firewall rules to limit the surface layer of attack,” said George Gerchow, chief security officer with Sumo Logic.
The article goes on to recommend limiting which users have access to the EOL software and even which physical machines it is installed on. Trend Micro describes additional controls in its report:
- Use the old system's own built-in security controls to harden it (for example, disabling unused services and accounts).
- Use intrusion detection and prevention systems (IDS/IPS) to detect and block network-borne attacks.
- Monitor the integrity of system files and flag anything suspicious.
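The last of those controls is easy to stand up yourself. The following is an added Python example (not code from the original post or from the Trend Micro report it cites) that builds a baseline of SHA-256 hashes and permission bits for every regular file under a set of directories, then diffs a fresh scan against it to report added, removed and modified files. The `demo()` scenario, including its directory names and file contents, is constructed for illustration.

```python
"""Minimal file-integrity check for a system that can no longer be patched.

Added example, not part of the original post or of the Trend Micro report.
Hashes every regular file under the given roots into a baseline, then reports
additions, removals and modifications against that baseline.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(roots):
    """Map absolute path -> {sha256, size, mode} for every regular file under roots.

    Symlinks and special files are skipped; os.walk does not follow
    symlinked directories, so a link cannot drag in an unexpected tree.
    """
    baseline = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                st = os.stat(full)
                baseline[full] = {
                    "sha256": hash_file(full),
                    "size": st.st_size,
                    "mode": oct(st.st_mode & 0o7777),
                }
    return baseline


def compare(baseline, current):
    """Return {'added', 'removed', 'modified'} lists of paths, each sorted.

    A file counts as modified when its hash or its permission bits changed;
    size is stored only as a triage aid, since the hash already covers it.
    """
    before, after = set(baseline), set(current)
    modified = sorted(
        p for p in before & after
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": modified,
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this copy off the monitored host."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, body in (("svc.exe", b"legit service"), ("cfg.ini", b"port=8080\n")):
            with open(os.path.join(bin_dir, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline([root])

        # Tamper: alter a binary, drop an unexpected file, delete the config.
        with open(os.path.join(bin_dir, "svc.exe"), "wb") as fh:
            fh.write(b"legit service + implant")
        with open(os.path.join(bin_dir, "helper.dll"), "wb") as fh:
            fh.write(b"unexpected")
        os.remove(os.path.join(bin_dir, "cfg.ini"))

        report = compare(baseline, build_baseline([root]))
        # Strip the temp prefix so the result is stable from run to run.
        return {k: [os.path.relpath(p, root).replace(os.sep, "/") for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. An attacker with administrative access to the unpatched host can rewrite the baseline as easily as the files, so the baseline (and ideally the scanner itself) must live and run from somewhere the EOL system cannot write to, which is the same reason the segmentation advice above matters. And a check like this only detects tampering after the fact; it complements, rather than replaces, the network-level controls in the other two bullets.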
If you have questions about the best course of action, send us a message.