Qualys is a sponsor of TechSpective
Microsoft support for the Windows 7 operating system is officially expired. That means that Microsoft will no longer invest time and effort finding or fixing any vulnerabilities in Windows 7—but there will still be vulnerabilities in Windows 7. In other words, from this point on Windows 7 will be increasingly less secure with each passing day. If you still have systems running Windows 7, you need to have a plan in place to upgrade the operating system or mitigate the risk as quickly as possible—yesterday, really.
Stuck with Windows 7
The expiration of support for Windows 7 wasn’t a secret. Microsoft made the end-of-life date known years ago, and tech and business media have been beating the drum for the past year to warn businesses and individuals that the clock was running out. At this point, there are only two reasons an organization is still running Windows 7: Either there is a reason that certain systems can’t be upgraded, or IT is simply not aware that those Windows 7 systems exist on their network.
The first issue is somewhat understandable. Companies invest in platforms and applications that are crucial to the operation and productivity of the business, and some of those applications depend on legacy services or protocols that are not compatible with a newer version of the operating system. They could upgrade the operating system to be more secure and maintain compliance with regulatory frameworks like PCI-DSS or HIPAA, but then their application would stop working. That is not a very good trade.
Ideally, the organization should be working with the software developer to update the application so it can work with a supported version of the operating system, or it should be exploring alternative platforms and applications that are compatible with a current version of the operating system so they can upgrade and remain secure without sacrificing productivity. That takes time, though.
Managing the Risk of Windows 7
In the meantime, steps should be taken to mitigate the risk of running on an unsupported operating system. The simplest—and best—solution is to pay Microsoft for extended support. With extended support, you will still receive patches and updates and buy yourself time to update or replace applications that are not compatible. Extended support does require that systems already be updated to a certain minimum level, though, so some organizations won’t even be able to buy it.
Without that extended support from Microsoft, you need to take steps to mitigate the risk of the unsupported systems by segregating or isolating them as much as possible, ensuring other protection like firewalls and antimalware tools are in place and up to date, and remaining vigilant for threats that might target those vulnerable systems.
Many organizations continued (and still continue) to rely on Windows XP after support from Microsoft expired. Some of them learned about the risk of doing so the hard way when the WannaCry ransomware attack occurred. WannaCry exploits vulnerabilities in Microsoft Windows XP and 2003—encrypting files and demanding that users pay a ransom to regain access.
You Can’t Protect What You Can’t See
Paying for extended support or taking steps to protect the systems that have to run Windows 7 is a reasonable solution for dealing with the Windows 7 end-of-life. It does, however, require that you know which systems are running Windows 7 in the first place.
An organization might think that the expiration of Windows 7 support doesn’t affect them because they upgraded to supported operating systems years ago, and some may know they have Windows 7 systems that need continued protection and vigilance. Without an accurate, real-time inventory of all assets in the environment, though, there is no way to know for sure that you aren’t still leaving some Windows 7 systems exposed to risk.
The Qualys Global Asset Discovery and Inventory app is free and gives you complete visibility of the devices on your network—which is essential for effective cybersecurity. Regardless of the expiration of support for Windows 7, the reality is that you may have rogue, unknown, or unmanaged systems on your network that put your servers, applications, and data at risk.
With comprehensive visibility of the assets on your network, you can quickly and easily determine which systems are vulnerable and need to be patched or upgraded. You can identify systems and applications that should be decommissioned and removed. You can maintain a list of the apps that are incompatible with a supported version of Windows, and which teams or individuals use them so you can take appropriate steps to identify and mitigate risk. It all starts with knowing what is on your network in the first place.
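The visibility described above only pays off once the inventory is actually checked against vendor support dates. The following script is an added illustration, not Qualys code and not part of the original article: it reads a small, constructed inventory export (hostname, IP, OS name, OS version), maps the NT kernel version to a table of published end-of-support dates for the three platforms the article mentions (Windows XP, Windows Server 2003, Windows 7), and reports which hosts are past end of support and which have no identified OS at all. The CSV column layout and the hostnames are assumptions chosen for the example.

```python
"""Flag end-of-life Windows hosts in an asset inventory export.

Added example (hypothetical): reads a small CSV export with the columns
hostname, ip, os_name, os_version and reports every host whose operating
system is past its end-of-support date, plus any host whose OS could not
be determined at all (an unknown host cannot be protected either).
"""
import csv
import io
from datetime import date

# Kernel version -> (product, vendor end-of-support date). The dates are
# Microsoft's published lifecycle dates; the table is deliberately limited
# to the platforms discussed in the article and would be extended in use.
END_OF_SUPPORT = {
    "5.1": ("Windows XP", date(2014, 4, 8)),
    "5.2": ("Windows Server 2003", date(2015, 7, 14)),
    "6.1": ("Windows 7", date(2020, 1, 14)),
}

# Constructed sample export; these are not real hosts or addresses.
SAMPLE_INVENTORY = """\
hostname,ip,os_name,os_version
hr-fileserver,10.0.4.12,Microsoft Windows 7 Professional,6.1.7601
lab-scanner,10.0.4.40,Microsoft Windows XP Professional,5.1.2600
web-01,10.0.8.3,Microsoft Windows Server 2019 Standard,10.0.17763
eng-laptop-17,10.0.5.101,Microsoft Windows 10 Enterprise,10.0.18363
unknown-4f2a,10.0.9.77,,
"""


def major_minor(os_version):
    """Reduce a build string such as '6.1.7601' to the table key '6.1'."""
    parts = (os_version or "").strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        return None
    return ".".join(parts[:2])


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def classify_host(row, as_of):
    """Return (status, detail) for one inventory row.

    status is 'unsupported', 'supported' or 'unknown'; detail carries the
    product name and how many days support has been gone, so the report
    can be prioritised.
    """
    as_of = _as_date(as_of)
    key = major_minor(row.get("os_version"))
    if key is None:
        return "unknown", "OS not identified; host needs discovery or an agent"
    if key in END_OF_SUPPORT:
        product, eol = END_OF_SUPPORT[key]
        if as_of > eol:
            days = (as_of - eol).days
            return "unsupported", f"{product} ended support {days} day(s) ago"
        return "supported", f"{product} supported until {eol.isoformat()}"
    return "supported", "no end-of-support entry for this kernel version"


def report(inventory_csv, as_of):
    """Parse the export and return the hosts that need action.

    Returns {'unsupported': [...], 'unknown': [...]}, each entry being a
    (hostname, ip, detail) tuple; unsupported hosts are sorted by hostname.
    """
    reader = csv.DictReader(io.StringIO(inventory_csv))
    out = {"unsupported": [], "unknown": []}
    for row in reader:
        status, detail = classify_host(row, as_of)
        if status in out:
            out[status].append((row["hostname"], row["ip"], detail))
    out["unsupported"].sort()
    return out


if __name__ == "__main__":
    # Evaluate the sample inventory as of the article's publication date.
    result = report(SAMPLE_INVENTORY, "2020-01-17")
    for status in ("unsupported", "unknown"):
        for hostname, ip, detail in result[status]:
            print(f"{status:12} {hostname:16} {ip:12} {detail}")
```

The "unknown" bucket is the important one for the point the article makes: a host whose OS the inventory could not determine is exactly the kind of unmanaged system that may still be running Windows 7, so it should be treated as a gap in coverage rather than silently dropped from the report.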
Asset inventory will help if you’re scrambling to identify and deal with Windows 7 systems remaining on your network—but you shouldn’t stop there. Other operating systems and applications will reach end of support eventually. Critical vulnerabilities will be discovered in platforms and applications, and threats will be attacking systems around the world; you will need to be able to quickly determine whether or not you’re exposed to risk, where the affected systems and applications are, and what steps you can or should take to mitigate the risk.
If you don’t have an accurate asset inventory, by all means get the free Qualys Asset Discovery and Inventory tool right now and find out where you still have Windows 7 systems in your network putting you at risk. More importantly, though, continue running the tool and maintain the accurate real-time inventory so you’re always prepared to deal with the next risk—and the one after that.
- Time’s Up for Windows 7 Support - January 17, 2020