Matt Middleton-Leal is Managing Director, Qualys, EMEA North and South, discussing the challenges of replacing end-of-life software and how to manage these issues.
You may not know it, but outdated software surrounds us every day. The oldest software products still in use are the Sabre airline reservation system and the IRS Individual Master File and Business Master File tax recording systems.
These software systems were designed and launched in the early 1960s. But while these applications may still be running and doing the job they were created for, there is a wealth of other software out there that is outdated and potentially dangerous.
Old software systems still in use
Software that is no longer supported or provided with security updates is referred to as “end-of-life.” The best example here is Microsoft Windows, where each new version replaces the previous one, and the old version is no longer supported and no longer receives updates.
According to StatCounter, Windows 11 and Windows 10 are the most widely used systems at 53.3% and 42.9% respectively. However, older systems are still in use, with Windows 8 (1% in total), Windows 7 (2%), and even Windows XP (0.44%) still represented. XP was discontinued in April 2014. Yet, some installations are still retained across the global desktop install base.
Windows 10 will get its own end date on October 14, 2025. For an OS that once had over 1 billion devices installed, that level of change is a major undertaking.
But why is this end-of-life software still in use? Why don’t we all move to the latest and most secure software as standard? Ideally, we would. However, for some products, the original developer went bankrupt or stopped providing updates.
For others, businesses don’t want to pay for a new version if the old system works fine. In some situations, it may not be possible to update the software: changes break business processes, and the cost of rebuilding that application is much higher than the revenue it generates. In other cases, these applications are simply forgotten.
Managing end-of-life software: what you need to know
Whatever the reason, that class of software represents a risk. Our research shows that nearly half (48%) of issues on the CISA Known Exploited Vulnerabilities list are in outdated and unsupported software, while 20% of critical assets have end-of-support software installed with known vulnerabilities rated as ‘High’ or ‘Important’.
Managing this software starts with a security-centric approach to asset management. This means knowing what assets you have, who in your organization is responsible for each asset or piece of software, and what risk that software brings with it. This detail is typically not part of traditional IT asset management tools, but it is key to prioritizing remediation.
Consider tracking the status of all software over time throughout its lifecycle, from general availability through installation to retirement or end-of-support status. This includes reporting on assets that will reach end-of-life status in the next six or 12 months, to allow enough time for transition planning and upgrades.
There is usually a reason why software reaches end of life or end of support without being replaced. When it comes to the cost of implementing a change, make sure you have a documented business case and corresponding implementation budget figures.
In addition to this, you can track the value at risk to your business from that end-of-life software, and understand how much potential downtime or cyber incidents could cost your business over time. You can then use this value to determine if and when the cost of migration is lower than the potential cost of maintaining the status quo.
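The two practices above, lifecycle tracking with a six- or 12-month end-of-support horizon and a value-at-risk comparison against migration cost, as a worked example. This is added illustration, not code from the article or from Qualys; the inventory, dates, probabilities and cost figures are constructed and the "probability times impact" model is an assumed simplification.

```python
"""Added example (not from the article or Qualys): a minimal end-of-support
tracker and value-at-risk comparison over a constructed asset inventory."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str
    owner: str            # who in the organization is responsible for it
    end_of_support: date  # vendor end-of-support date
    annual_incident_probability: float  # assumed yearly likelihood of a damaging incident
    incident_cost: float  # estimated cost of one incident (downtime, recovery, fines)
    migration_cost: float  # one-off cost to replace or upgrade


# Constructed sample inventory and "as of" date; all figures are illustrative only.
TODAY = date(2025, 3, 1)
INVENTORY = [
    Asset("line-controller", "OT team", date(2020, 1, 14), 0.30, 400_000, 250_000),
    Asset("hr-portal", "IT apps", date(2025, 10, 14), 0.10, 50_000, 20_000),
    Asset("erp", "Finance", date(2027, 6, 30), 0.05, 900_000, 600_000),
]


def add_months(d: date, months: int) -> date:
    """Return d shifted forward by a number of months (day clamped to 28)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month_index + 1, min(d.day, 28))


def eol_report(assets, today: date, horizon_months: int) -> dict:
    """Split assets into already unsupported and reaching end-of-support within the horizon."""
    cutoff = add_months(today, horizon_months)
    return {
        "unsupported": sorted(a.name for a in assets if a.end_of_support < today),
        "upcoming": sorted(a.name for a in assets if today <= a.end_of_support <= cutoff),
    }


def annual_value_at_risk(a: Asset) -> float:
    """Expected annual loss from keeping the asset as-is: probability times impact."""
    return a.annual_incident_probability * a.incident_cost


def migrate_now(a: Asset, planning_years: int) -> bool:
    """True when expected loss over the planning period exceeds the migration cost."""
    return annual_value_at_risk(a) * planning_years > a.migration_cost
```

With these figures, the production-line controller is already unsupported and its three-year expected loss exceeds its migration cost, while the HR portal only appears in the 12-month horizon and is cheaper to keep for now.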
The challenge of shutting down end-of-life software
The biggest challenge here is critical applications where revenue is directly tied to the service running. For businesses, turning off these systems creates more resistance because downtime represents lost revenue.
No changes are made because the risk of lost revenue is seen as greater than the potential impact of a security incident. This in itself is a risk. However, companies do consider other, similar single points of failure and plan ahead for them. For example, a particularly valuable employee responsible for product design, or the CEO: losing them represents a severe impact to the business, so key person insurance is typically used to reduce the risk from factors beyond an organization’s control.
Even with systems that are considered “mission critical,” there are often windows that can be used to implement changes. For example, one manufacturer resisted changes to the system that ran its production line. However, it had periods where shift changes occurred and the line was stopped for a short time.
By leveraging this planned downtime and implementing changes gradually, the IT team was able to update systems and maintain productivity. So there are ways to plan ahead and reduce that risk.
Overcoming obstacles
What if that software cannot be replaced? Typical protections for these systems include air gaps and running on unconnected networks, but application firewalls and other security systems can be used to limit interaction to known and trusted devices.
In such situations, it is essential to understand potential misconfigurations and the methods by which the system can be accessed, in order to prevent potential attacks and to find alternatives to patching. Deployed in this way, these countermeasures become a critical cog in a layered defense strategy.
For businesses, end-of-life software may seem like just another security expense, and security issues are easier to overlook when budgets are tight. To address this, the scope of the impact needs to be quantified in monetary terms that businesses can easily understand. Businesses are already mitigating other risks in this way, so the same approach can be applied.
In addition to this, there are wider implications. Attacks on assets that are rated as non-critical may be limited to that specific machine or software, but could potentially impact the wider network or be used as a springboard for lateral movement.
Businesses understand the risk that exists when their systems are compromised, but framing it in terms of financial impact facilitates support from business leadership.
The future of software replacement: reduce dependencies and plan ahead
All software has a lifecycle. Even the systems responsible for booking flights or managing tax returns will eventually be replaced.
The challenge is how to avoid a business becoming highly dependent on any one piece of software. Rather than being seen purely as a burden, this software can, when viewed in terms of value at risk, help businesses understand the challenges and potential impacts and plan ahead.
Using value at risk to calculate the financial impact makes it easier to discuss from a position of strength in business terms, rather than relying solely on technical reasoning.