End of Life a Critical Issue for Cybersecurity Professionals
Organizations around the world have extremely complex technology environments that depend upon many different components to function properly. Operating systems, hardware devices and applications all play a role in shaping our technology environments, and each of these components relies upon current security patches to remain protected against the many threats found on the Internet.
The vendors who create and distribute these products continue to supply patches for older versions of their product still in use by customers. Unfortunately for IT teams, however, all good things must come to an end. Vendors are only willing to support a limited number of older versions of key products, because of the costs involved in maintaining legacy software and hardware. When a vendor decides to end support for a product, organizations still using that product face difficult end-of-life decisions.
From an IT security perspective, using current software versions is a critical control. Many of the issues corrected by vendor patches are major security vulnerabilities that leave an organization open to attack. When a vendor ends support for a product, any new vulnerabilities discovered will remain unpatchable, leaving the organization susceptible to attack: clearly an undesirable situation!
Adding to the gravity of the situation, hackers often develop and use automated scanning tools that scour the Internet searching out systems containing vulnerabilities. Leaving an unpatched, out-of-support device connected to the Internet presents a dangerous security risk — but it happens every day.
Windows Server 2003: Dead But Not Gone
The most recent major example of a product end-of-life situation was Microsoft's long-announced decision to end all support for the Windows Server 2003 operating system in July 2015. It's not unreasonable that Microsoft decided to end support for the product. After all, it was 12 years old, mainstream support had already ended in July 2010, and organizations had five years of extended support as advance notice that the change was coming. Five years wasn't sufficient lead time, apparently, and thousands of servers still exist on the Internet running this unsupported operating system and exposed to significant risk.
Why does this happen? It's easy to jump to conclusions about ineffective technology teams or support staff who are ignorant of the changing security landscape. That may be true in some cases, but there are complicating factors that prevent some organizations from making the leap to a more modern version of the operating system.
In some cases, the organization simply can't control the operating system used on a device because it runs on an embedded system and was installed by the developer of that system. In other cases, organizations rely upon outdated software that simply can't run on newer versions of Windows products. Organizations in these situations find themselves facing an untenable choice: run an unsupported operating system, or disrupt critical business activities.
What's on the EOL Roadmap?
While the Windows Server 2003 end-of-life made national news, hundreds of other products reach the end of their supported life each year. For example, Microsoft is ending support for the SQL Server 2005 database server in April 2016. This deadline looms only a few months on the horizon for organizations that have not yet been able to make the leap to SQL Server 2008 or a later version. Note that moving to the next version is not a permanent fix: SQL Server 2008 and 2008 R2 leave extended support in July 2019, so an upgrade plan should target a version with enough remaining lifecycle to justify the migration effort.
Cisco is ending support for three different versions of IOS 15.1 a month later, in May 2016. Almost every technology product out there will eventually fall out of a supported lifecycle and technology professionals must maintain current and accurate information on upcoming dates to ensure they don't unintentionally run unsupported products in their environments.
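Keeping "current and accurate information on upcoming dates" is an inventory problem, so here is a small check that does it mechanically. This is an added example, not code from the original article or from any vendor: it compares a constructed asset inventory against a table of end-of-support dates, flags anything already unsupported or approaching its date, and treats products missing from the table as a finding in their own right rather than silently assuming they are supported. The hostnames and the inventory rows are made up; the three end-of-support dates are the ones the article cites (the July 14, 2015 and April 12, 2016 days are Microsoft's published dates for the months the article gives).

```python
"""End-of-life inventory check (constructed example, not from the article).

Flags inventory rows whose vendor end-of-support date has passed or falls
inside a warning window, and reports rows with no known date as 'unknown'
so they get looked up instead of being treated as safe.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (vendor, product, version), normalized

# End-of-support dates. The three entries are the dates the article cites;
# a real table would be populated from each vendor's lifecycle pages.
EOL_DATES: Dict[Key, date] = {
    ("microsoft", "windows server", "2003"): date(2015, 7, 14),
    ("microsoft", "sql server", "2005"): date(2016, 4, 12),
    ("microsoft", "windows server", "2008"): date(2020, 1, 14),
}

# Constructed inventory: (hostname, vendor, product, version). Hostnames are
# hypothetical; the mixed casing is deliberate to exercise normalization.
INVENTORY = [
    ("web01", "Microsoft", "Windows Server", "2003"),
    ("db01", "Microsoft", "SQL Server", "2005"),
    ("fs01", "Microsoft", "Windows Server", "2008"),
    ("app02", "Microsoft", "Windows Server", "2012"),  # not in the table
]

# Assessment date used for the worked run: late 2015, the article's timeframe.
ARTICLE_DATE = date(2015, 11, 1)

# Sort order for findings: worst first.
_SEVERITY = {"unsupported": 0, "expiring": 1, "unknown": 2, "supported": 3}


def _key(vendor: str, product: str, version: str) -> Key:
    """Normalize an inventory row so lookups tolerate case and spacing differences."""
    return (vendor.strip().lower(), product.strip().lower(), version.strip().lower())


def classify(eol: Optional[date], today: date, warn_days: int) -> str:
    """Map an end-of-support date to a status relative to 'today'."""
    if eol is None:
        return "unknown"          # no lifecycle data: needs research, not a pass
    if eol <= today:
        return "unsupported"      # no more security fixes will be issued
    if eol - today <= timedelta(days=warn_days):
        return "expiring"         # migration must be scheduled now
    return "supported"


def assess_inventory(inventory, eol_dates: Dict[Key, date], today: date,
                     warn_days: int = 180) -> List[dict]:
    """Return one finding per inventory row, worst status first."""
    findings = []
    for host, vendor, product, version in inventory:
        eol = eol_dates.get(_key(vendor, product, version))
        days = (eol - today).days if eol else None  # negative once past EOL
        findings.append({
            "host": host,
            "product": f"{vendor} {product} {version}",
            "eol": eol,
            "status": classify(eol, today, warn_days),
            "days_until_eol": days,
        })
    findings.sort(key=lambda f: (_SEVERITY[f["status"]],
                                 f["days_until_eol"] if f["days_until_eol"] is not None else 0))
    return findings


def status_counts(findings: List[dict]) -> Dict[str, int]:
    """Roll findings up into a per-status count for a dashboard or report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(INVENTORY, EOL_DATES, ARTICLE_DATE)
    for f in results:
        eol = f["eol"].isoformat() if f["eol"] else "n/a"
        print(f"{f['status']:<11} {f['host']:<6} {f['product']:<28} eol={eol} days={f['days_until_eol']}")
    print(status_counts(results))
```

The warning window (180 days by default) is the knob to tune to your change-control lead time; the point of the "unknown" status is that an asset you cannot date is an asset you cannot defend, and it should appear at the top of the report alongside the ones already out of support rather than disappearing into the "supported" bucket.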
Most major technology vendors have a formal structure and policy governing how they end support for a product over time. For example, Microsoft publishes detailed information on the Microsoft Support Lifecycle that describes a rigorous process for ending support on an understandable rhythm. On most business, developer and desktop operating system products, Microsoft offers a minimum of ten years of support in total: at least five years of mainstream support followed by at least five years of extended support.
During the mainstream support period, the company provides full backing for its products, including security and non-security updates, feature requests, warranty claims and other services. Once a product reaches the end of its mainstream support period, it moves into the extended support phase.
During this follow-on period, Microsoft won't release new features or accept design change requests, but it continues to issue security updates to all customers; non-security hotfixes are available only to customers who purchase the Extended Hotfix Support option. The Microsoft website contains projected support end dates for a wide variety of products. For example, checking the database reveals that Windows Server 2008 will go out of support on January 14, 2020. The practical date to plan around is therefore the end of extended support, not the end of mainstream support, since security fixes keep coming until then.
Oracle publishes a similar Lifetime Support Policy that follows a three-phase approach. As long as a product remains in Oracle's Premier Support status, the company provides comprehensive maintenance, security fixes and software upgrades.
The product then moves into Extended Support status, typically available for an additional fee, where Oracle continues to provide updates and security fixes but won't guarantee certification between that product and newer Oracle or third-party products. The final phase, Sustaining Support, lasts indefinitely: customers keep access to existing patches and technical assistance, but Oracle no longer issues new security alerts, fixes or certifications. So under the Lifetime Support Policy, Oracle never formally ends support for a product but does stop issuing security updates. From a security perspective, that's basically the same thing!
Keeping Your Infrastructure Current
Maintaining a current operating environment is a critical task for security professionals and it's challenging when a company may be using hundreds (or even thousands) of different products, each with its own support lifecycle.
Failing to upgrade to supported product versions, however, may expose an organization to unacceptable risk and even run afoul of legal and regulatory requirements to run a secure environment. For example, the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.2 requires organizations to install applicable vendor-supplied security patches, with critical patches applied within one month of release. That's not possible if the vendor isn't releasing patches, so an out-of-support system in the cardholder data environment is a compliance finding as well as a security risk.
Organizations finding themselves in the unfortunate situation of depending upon an unsupported product for a critical business need do have options. First, isolation goes a long way. If it's possible to place the unsupported product on a separate network segment that is strictly firewalled, allowing only the specific ports and source addresses the business function requires, or even to disconnect it from the network entirely, that prevents many threats from reaching it in the first place. Isolation limits exposure rather than removing the vulnerabilities, so the segment still needs logging and monitoring, and access into it should be treated as a privileged path.
Second, security vendors offer "virtual patching" products that attempt to shield security issues that don't have vendor patches available, typically by blocking exploit traffic at the network or host layer before it reaches the vulnerable code. For example, Trend Micro's Deep Security product offers virtual patching services for Windows Server 2003. Virtual patching is a compensating control: it can only cover vulnerabilities the security vendor knows about and has written rules for, so it buys time for a migration rather than replacing one.
Security professionals must pay careful attention to end-of-life announcements and understand the impact they may have on their organization's computing environment. Prompt upgrading of operating systems, applications and hardware devices helps to prevent last-minute scrambles to move to a supported platform down the road!