This article was originally published by Forbes on September 26, 2023.
Enterprises always need to be aware of the latest threats churning in the cybersecurity landscape. Still, some of their most significant business risks aren’t zero-day attacks or sophisticated new supply-chain worms. They are trusted systems that have been in use for years.
In fact, they’ve been around too many years and have reached the end-of-life (EOL) stage, at which a provider has ended mainstream support but still offers limited extended support, or even end-of-service-life (EOSL), at which support of all kinds has vanished. EOL concerns can apply to hardware, software, mobile devices and Internet of Things (IoT) devices. What they have in common is that, without patches and updates, they can leave your organization vulnerable to a growing number of threats.
Known but unpatched vulnerabilities are among attackers’ favorite targets because they’re easy to exploit. Developing a novel attack requires a lot of resources, so cybercriminals will continue to exploit unsupported systems until there are too few instances for it to make economic sense.
Organizations need comprehensive visibility into what’s on their network, including their security controls, what apps are running on them and whether those apps are still supported. Without that visibility, you can open yourself to damaging attacks and failed compliance audits.
Understanding The Risks Of EOL Assets
As with other security issues, it’s essential to prioritize risk, so it helps to be aware of what the various stages of EOL mean to your organization. For context, let’s look at the example of Windows Server operating systems (OS).
Windows Server 2016 reached its EOL in January 2022 when mainstream support ended, but it will continue to receive extended support—patches, but no bug fixes—until 2027. Organizations running Windows Server 2016 should be aware of the status of this OS, but for the most part, they need to apply the patches that are issued.
Windows Server 2012 and 2012 Release 2 (R2), for which mainstream support ended in October 2018, have a hard deadline approaching soon. The OS will lose extended support on October 10, 2023, after which it will receive no updates of any kind. Organizations running this OS should have been making changes already.
Windows Server 2008 and 2008 R2 reached EOSL status in January 2020. If you are running this OS, it is no longer considered safe and can put the business objectives that depend on these systems at risk. It is strongly recommended that this version be replaced.
A common problem, even with entirely unsupported devices and software, is that organizations often depend on them. A 2020 study by Rapid7 of unique Windows Server instances found that 59% were unsupported. Meanwhile, vulnerabilities will accumulate for as long as the OSes stay in use but unpatched.
Another concern with EOL assets is compliance with regulatory mandates, which can range, depending on the business, from Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) to security standards set by the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI).
The PCI Data Security Standard (PCI DSS), for instance, is particularly keen on calling out unprotected systems. Compliance with PCI is mandated in contracts between businesses, card providers and the banks that process transactions. So, running an EOSL server in a card data environment (CDE) can cause an organization to fail an audit. Companies can add compensating controls to stay within the requirements, but those are, at best, a band-aid solution. They will soon need to upgrade to a fully compliant system.
Why Real-Time Visibility Of Assets Is Critical
Many organizations don’t have a good handle on all the assets in their environment. Visibility—or, in terms of the IT operations room, observability—is a big problem. A comprehensive asset intelligence approach should be considered to protect systems and avoid the fines and penalties of compliance failures. This can help provide visibility of all assets and deliver real-time telemetry about their status.
Comprehensive asset intelligence goes beyond tools and encompasses organizational requirements and operational shifts. For example, shifting from a reactive to a proactive organizational mindset helps establish the foundational requirements to succeed. This proactive mindset may include a focus on the optimization of existing security controls, processes to mitigate environmental drift across those controls and exception-based alerting to identify anomalies quickly.
These changes may also require the realignment of security, IT operations and GRC teams to focus more resources on strategic prevention, optimization and business alignment initiatives rather than on incident response and firefighting. These adjustments across technology, talent and tactics can prove less resource-intensive, more capable of maximizing ROI and better aligned with the business mission. To achieve this level of maturity, visibility is essential.
If you have visibility, you can start prioritizing and remediating. Suppose you identify 1,000 devices that are EOL. Of those 1,000, maybe 200 also lack up-to-date, functioning endpoint security and related controls; of those, about 20 hold sensitive customer data or other PCI-relevant data. IT teams can then begin by upgrading the most critical systems first.
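The triage funnel described above, worked through as an added example that is not part of the original article: a small Python inventory check that classifies each host’s OS support stage from the Windows Server milestones quoted earlier, then narrows EOL hosts to those also lacking endpoint controls and then to those in PCI scope. Hostnames, the control and PCI flags and the non-Windows firmware string are constructed, and day-level dates are assumed where the article gives only a month or year.

```python
from dataclasses import dataclass
from datetime import date
# Lifecycle milestones quoted in the article as (mainstream end, extended end). Days are
# an assumption where the article gives only a month or year; None = not given.
LIFECYCLE = {
    "Windows Server 2016": (date(2022, 1, 1), date(2027, 1, 1)),
    "Windows Server 2012": (date(2018, 10, 1), date(2023, 10, 10)),
    "Windows Server 2012 R2": (date(2018, 10, 1), date(2023, 10, 10)),
    "Windows Server 2008": (None, date(2020, 1, 1)),
    "Windows Server 2008 R2": (None, date(2020, 1, 1)),
}

def support_stage(os_name: str, today: date) -> str:
    """Return 'mainstream', 'extended' (EOL: patches only), 'eosl' or 'unknown'."""
    if os_name not in LIFECYCLE:
        return "unknown"  # no lifecycle data is a visibility gap, not a pass
    mainstream_end, extended_end = LIFECYCLE[os_name]
    if today >= extended_end:
        return "eosl"  # no updates of any kind
    if mainstream_end is None or today >= mainstream_end:
        return "extended"
    return "mainstream"

@dataclass(frozen=True)
class Asset:
    host: str
    os: str
    endpoint_control_ok: bool  # endpoint security present, current and reporting
    pci_scope: bool  # stores or processes card data (sits in the CDE)

def triage(assets, today):
    """Funnel: EOL/EOSL -> also lacking controls -> also PCI-relevant (EOSL first)."""
    stage = {a.host: support_stage(a.os, today) for a in assets}
    eol = [a for a in assets if stage[a.host] in ("extended", "eosl")]
    no_controls = [a for a in eol if not a.endpoint_control_ok]
    critical = sorted((a for a in no_controls if a.pci_scope),
                      key=lambda a: (stage[a.host] != "eosl", a.host))
    unknown = [a for a in assets if stage[a.host] == "unknown"]  # needs discovery
    return {"eol": eol, "no_controls": no_controls, "critical": critical, "unknown": unknown}

# Constructed sample inventory; hostnames and the firmware string are made up.
SAMPLE = [
    Asset("db-01", "Windows Server 2008 R2", False, True),
    Asset("web-02", "Windows Server 2012 R2", False, True),
    Asset("file-03", "Windows Server 2012", False, False),
    Asset("app-04", "Windows Server 2016", True, True),
    Asset("kiosk-05", "Legacy HMI firmware 1.x", False, False),
]
if __name__ == "__main__":  # tiers as of the article's publication date
    print({t: [a.host for a in h] for t, h in triage(SAMPLE, date(2023, 9, 26)).items()})
```

Hosts whose OS has no lifecycle entry land in the `unknown` tier rather than silently passing, which is the inventory gap the article says most organizations have.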
Assets nearing or reaching their EOL stage abound in many organizations, often below the radar of IT teams. They pose a severe risk to cybersecurity and IT operations if not addressed. Gaining visibility is the first step towards eliminating the problem.