Kaspersky: Use of end-of-life operating systems "incredibly problematic" for business

Despite the fact that cyber crime is quickly growing in scale and complexity, many businesses are still relying on outdated operating systems that leave them exposed to attackers.

Cyber attacks have become a major consideration for organisations in today's interconnected world. According to the Centre for Economics and Business Research (CEBR), they cost UK businesses £34bn last year. In 2018, US companies lost $654bn as a result of cyber crime.

But given that these threats are growing in scale and complexity, why are so many businesses not taking steps to protect themselves? One reason, according to Kaspersky, is that they're relying on outdated operating systems and software.

In fact, new research from the cyber security firm found that 40% of very small businesses (VSBs) and 48% of small and medium-sized businesses (SMBs) and enterprises are still using an end-of-support desktop OS such as Windows XP or Windows 7.

What creates huge risk for organisations is that these operating systems no longer receive updates and bug fixes from the vendor, leaving them exposed to vulnerabilities that could be leveraged by cyber criminals. Kaspersky has warned that "this situation creates a security risk".

The question is, why are businesses still relying on these unsupported systems? Principal security researcher David Emm says that while it may seem obvious that businesses must upgrade from unsupported systems, the reality is far less straightforward. Sometimes, businesses just don't have the money or understanding.

He tells IDG Connect: "There are significant costs associated with migrating to a new operating system. The financial implications can include not only the cost of upgrading the software, but investing in new hardware required to support the new operating system.

"On top of this, there's the cost of IT resources required to roll out the update across the organisation. The problems are compounded where a company is reliant on bespoke software written for the old operating system. This code might not run on the new system and it might not be feasible to re-write it for the new system."

Lucrative targets

Emm describes the situation as "incredibly problematic", particularly in the UK. He explains that there is a "significant number of businesses relying on unsupported and unsafe systems", making them ideal victims for cyber criminals. Unsupported operating systems and software are known to contain security vulnerabilities, which makes them easy to attack.

"Attackers are always on the lookout for vulnerabilities that they can exploit to install malware on systems. But in the case of an unsupported system, such vulnerabilities go unpatched, leaving the system wide open to attack," says Emm.

"On top of this, attackers can obtain clues about where to look for possible bugs by tracking the fixes put in place to deal with vulnerabilities in newer operating systems - for example, Microsoft's regular monthly 'Patch Tuesday' releases. In some cases, vulnerabilities identified in a newer operating system apply also to its predecessor - but the latter will remain unpatched."

Emm believes that the use of unsupported systems can have a "devastating" effect on all stakeholders within a business. He says: "It essentially means that all sensitive and valuable information circulating in an organisation is open to theft - intellectual property, customer data, etc. In addition, a successful compromise allows an attacker to carry out reconnaissance for future attacks."

When asked if there are any other threats businesses should be aware of when it comes to using outdated operating systems and software, Emm responds by saying many relate to functionality and productivity. He continues: "There's a greater risk of outdated systems breaking, or performing less efficiently - directly affecting a company's ability to operate effectively."

Threats are varied

Most businesses using these operating systems aren't aware of the security implications involved, and the threats often vary between different outdated systems. "The older the operating system, the more chance that something can go wrong. Specifically, with an older system, it becomes increasingly difficult to patch vulnerabilities and therefore it is more likely to become problematic," says Emm.

"With that in mind, we recommend that businesses use an up-to-date version of the OS with the auto-update feature enabled. Alternatively, if upgrading to the latest OS version is not possible, organisations are advised to take into account this attack vector in their threat model and to address it through smart separation of vulnerable nodes from the rest of the network, in addition to other measures."

As a researcher, Emm has witnessed a range of significant security breaches where the use of outdated systems was involved. He continues: "Exploiting vulnerabilities is a key method for compromising business systems. So there are numerous cases where outdated systems are the cause of a significant breach.

"Perhaps the most notorious example was the WannaCry epidemic of May, 2017. While Microsoft fixed the bug in supported systems, allowing companies to protect themselves, unsupported systems (running Windows XP) were left exposed. In the wake of the attack, Microsoft took the unusual step of providing a patch for Windows XP, notwithstanding the fact that it was an unsupported system."

It's estimated that WannaCry impacted more than 200,000 victims and infected more than 300,000 computers, making it one of the world's largest cyber attacks. Emm says: "The attack wreaked chaos across the world, with the NHS in particular suffering massively as a result.

"This incident was yet another chilling reminder that attackers can make full use of exploiting bugs in software vulnerabilities, and that unsupported systems offer them these opportunities. It would be unwise to rely on Microsoft, or any other operating system provider, providing out-of-band patches for unsupported systems. WannaCry was an exception because of the numbers affected."

Mitigating these threats

Clearly, businesses should steer clear of outdated operating systems and software. Is there an onus on vendors to ensure customers do so? Emm says: "The key thing is for manufacturers to be as transparent as possible. By publishing a clear life-cycle for the OS systems, making it clear when they will end support for each version, they allow businesses to plan their migration to newer systems."

However, while manufacturers need to implement better transparency initiatives, Emm says businesses also have a responsibility. "Particularly, to actually pay attention to product life-cycles and thus, have a migration plan in place ahead of the end of life of an OS. They must also take action to understand the dangers of old, unsupported systems," he says.

Emm concludes: "Lastly, businesses must try to avoid simply thinking the problem is solved by paying for extended support for operating systems from a vendor. This is only a stop-gap to give them some extra time to implement a long-term solution. Businesses must ultimately therefore aim to switch to an operating system that is supported."