Virtualization Technology News and Information
Article
RSS
Microsoft Windows 7 is EOL - Five Security Experts Chime In

windows7 eol 

Windows 7 reached its End Of Life (EOL) on January 14. That means it won't issue any more software updates, including software patches that could prevent cyberattacks, to millions of computers. 

However, a large number of the world's computers, mostly found in corporate environments, are still running the nearly ten-year-old system. With Windows 7 now at its EOL, it means those PCs need to be upgraded or replaced as soon as possible.

According to Microsoft, technical assistance and software updates from Windows Update that help protect your PC are no longer available for the product. Microsoft strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.

Is your company still running Windows 7?  Do they allow Windows 7 desktops and laptops into their network environment?  If so, what are the security implications?

Five security experts chime in to share their thoughts and expertise around this very subject.  Need answers?  This is a great place to start.

--

Rui Lopes, Engineering and Technical Support Manager at Panda Security:

"The event of Microsoft moving on from Windows 7 this month with its End Of Life means vulnerabilities will no longer be patched with security updates and support won't be available for any future bugs. Although the operating system can still be used, the vendor will not take any responsibility for any security breaches. This in turn means hackers will leverage the circumstance to create new targeted malware, as well as develop malwareless techniques to massively exploit vulnerable systems. Is it inevitable and it is for a fact going to happen.

Not only each individual Windows 7 system on the network but effectively every network with Windows 7 systems becomes more vulnerable to cyberattacks: widespread, targeted, sophisticated - with staggering costs for individual users as well as companies of any size. Enterprise industry regulatory non-compliance is perhaps the other most significant consequence: absence of updates and support for an operating system will likely mean mandatory audits will fail.

What should Windows 7 users do now? Upgrade, upgrade, upgrade - NOW. It's more-than-a-decade year old technology. For enterprises that cannot immediately replace some of their Windows 7 installs, as in the case of embedded systems e.g., some security vendors are offering advanced endpoint protection technology that can monitor and harden operating system and application execution security and contribute to significantly mitigate risk in these critical scenarios.

Product life cycles are a "fact of life" in the software industry, as resources have to be allocated to new and core developments and vendors thus need to move on. While Windows 7 will no doubt represent a significant percentage of Microsoft's installed base for years to come - challenging endpoint security players to "cover the gap" in protecting the platform - , analysts are predicting a 10% drop by January 2021 and Windows 10 running on 80% of all Windows devices by then. To put things in perspective, Windows XP still runs on 20 million PCs worldwide."

Jack Mannino, CEO at nVisium:

If you can upgrade without any adverse operational impact, then upgrade as soon as you can.

If you are using a product or software built on a Windows 7 stack that you cannot immediately deprecate or air gap to some capacity, you need to isolate these systems as much as technically possible. This includes ingress controls at the host level and ingress and egress controls at networking boundaries. These include kiosks as well as devices used within medical or manufacturing areas. In many scenarios, these systems are difficult to protect against attacks requiring physical access because by nature they are deployed to physically accessible areas.

In our experience, we see that these systems become immensely valuable to attackers that have access to a target's internal network. Network accessible systems with exposed vulnerabilities aid attackers in moving laterally and compromising systems across an environment.

Microsoft has long indicated that their intended support lifecycle for Windows 7 would be ten years, as they have traditionally maintained for other operating systems. This should not have been a surprise to anyone. The challenge is that at Windows' scale and install base, there are non-trivial consequences to ending support that will likely result in many compromises over the next decade. However, a decade is a reasonable support lifecycle for an operating system and we're better off focusing on removing security debt in our environments rather than prolonging the inevitable.  Maintaining obsolete operating systems adds significant costs and security risks to both the vendor and customer."

Mehul Revankar, director of product management at SaltStack:

The obvious risk is Windows 7 systems will no longer receive patches from Microsoft. Which means if a new vulnerability is discovered in Windows 7, all Windows 7 systems will be at the risk for exploitation from malicious attackers.

Since there are no patches available, going forward, Windows 7 systems will become ripe targets for attackers to exploit. A quick search on internet search engine such as shodan.io reveals (https://www.shodan.io/search?query=os%3A%22Windows+7%22&language=en) that there are roughly a million Windows 7 systems connected to the internet. When the next major Windows 7 vulnerability strikes, these would be the systems attackers would go after first, own them very quickly, and cause business disruption.

Now, Windows 7 users need to get accurate inventory of all your assets, and identify all Windows 7 systems in their organization. Stop procrastinating, and take action. Upgrade those assets to Windows 10 or later. But if you can't upgrade for one reason or another, get them off the internet at the very least, and add mitigating controls so that only authorized users have access to them.

The most likely problem is that systems will not be updated or will be slow to update. And the longer the wait, the higher the risk that this results in a costly attack."

Chris Morales, head of security analytics at Vectra:

"Windows 7 will keep working come January 15. Nothing will change overnight. It is true that Windows 7 will be more vulnerable to attack. That is the expectation. But I don't think the actual impact will be catastrophic.

For home users that want to cling on for whatever reasons, many of the potential problems could be mitigated using other tools and methods, like VPN, encryption, security software, and a good secure home router.

For many enterprises, they will simply sign up for Windows 7 Extended Security Updates for the next three years of coverage. This covers anything deemed critical or important.

Which means not much will change in the attack landscape for enterprises with the Windows 7 Extended Security Updates. Most major apps like Google Chrome browser will also continue to be supported with updates for all users.

For everyone else, an update to Windows 10 or a move to another supported OS should have already happened. A user should never use an unsupported operating system for public facing internet use, like browsing the web or for email. It is bad practice.

For most people, an upgrade should be as simple as a license key. The hardware requirements are fairly low compared to modern hardware. Almost any PC from the last 10 years should be able to support Windows 10. That in itself I would consider incredibly old. Most users are running Windows 7 on more modern hardware simply because they like using Windows 7 and opted to. Windows 10 has been the default OS on a new PC for some time.

If a user's current hardware does not support Windows 10 or a newer OS, it is likely old hardware that doesn't support any of the latest versions of apps either. This means not only the OS is out of date, but everything is most likely out of date, which is a much bigger problem.

I'd recommend for those users to buy new hardware."

Joseph Carson, chief security scientist at Thycotic:

"Companies who continue to use Windows 7 in their environment are having to make a serious decision in accepting the risk of becoming a victim of a cyber incident in the coming year. The end of support for Windows 7 is going to cause major security risks and challenges over the next few years globally for many governments, organizations and consumers.  According to Statcounter, Windows 7 is still deployed on 1 out of 4 Windows systems which means that a large amount of devices are going to be without security updates. This will leave them exposed to vulnerabilities found after January 14.

Companies must accelerate the replacement of Windows 7 systems or they will have an increased risk at becoming a victim of a cyber incident, data loss, service outages or suffer a huge financial losses.  Companies who continue to use Windows 7 systems after the end of support will have to perform a serious risk assessment to determine what it will take to replace those systems. Whether they are automated systems or human interactive means further hardening of those systems is urgent and cyber awareness training is a must for employees who continue to use Windows 7 to help reduce the risks. 

Companies will have to decide to limit internet access and deploy more security solutions to protect Windows 7 such as network access, application control solutions and strong privileged access management to limit privileged access to the systems. However, the only true security solution is to upgrade or cease using Windows 7."

##

Published Wednesday, January 15, 2020 8:54 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<January 2020>
SuMoTuWeThFrSa
2930311234
567891011
12131415161718
19202122232425
2627282930311
2345678