Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Joey Stanford of Platform.sh guides us through establishing end-of-life defenses in a post-Windows 8 world.
Windows 8 is now end-of-life, or EoL. As of January 10, 2023, technical assistance and software updates are no longer provided, so everyone should upgrade to a newer version of Windows, most likely skipping 10 and going straight to 11. Ignoring this change isn’t an option. Any system left operating on Windows 8 exposes a business to a significant amount of risk. In August 2020, the FBI warned that after Windows 7 was sent to live on a farm upstate, cyber-criminals were specifically targeting Windows 7 systems that had either been missed or ignored.
So, it’s simple: upgrade and stay safe. But what if it isn’t so simple? Not every business can simply auto-upgrade at the click of a button. There may be hardware concerns, but a more likely scenario is a reliance on legacy systems that are simply impossible to upgrade. The industrial and financial sectors are especially prone to this issue, with systems that can neither be updated to newer OSs nor turned off for essential updates. Because such systems are both business-critical and potential security risks, there needs to be a plan in place for them.
There are best practices that a business can employ that limit the risk from any EoL product, not only Windows. First is planning: the Windows 8 EoL date has been known for some time, so it was possible to plan ahead. Even if the issue has only just come to light, it is still better to plan than to deal with problems piecemeal. This is also the start of preparations for the next EoL date. Any plan has to encompass all systems and be broken out by category: servers, laptops, lab equipment, industrial equipment, and so on. The widespread use of embedded technology and the Internet of Things means that it’s easy to miss something. Any piece of hardware that runs programs on Windows 8 needs to be investigated to find Windows 11-compatible programs or to completely replace the system. This can get very expensive, very quickly, but it’s important to balance this against the cost of a cyber-attack made possible by a vulnerability.
It’s important to note that manual checks are not enough. Discovery scans need to be run on networks to uncover all remaining products running unsupported versions. IT staff will need to be trained on the Windows 11 rollout, but end-users will likely need less, if any, training; they’re probably using Windows 11 already. One question that should be considered is whether Windows is the right choice for particular systems. Linux or macOS-based systems may be more suitable, and while switching over might not be simple, EoL is the right time to have this discussion. Will it reduce costs and the IT burden?
Dealing With What’s Left
Once everything possible has been upgraded or replaced, there may remain some legacy software that is, for the moment, irreplaceable. How can businesses mitigate this risk? Part of the answer is not to treat it in the same way as any other system. All Windows 8 systems should be behind a dedicated firewall, with its own intrusion prevention system. If possible, disable all remote access, so only local access is possible. If users must have remote access, make a VPN mandatory. In addition, install a supported anti-malware solution on the affected systems.
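The discovery and categorisation step above, and the compensating controls the article asks for on whatever must stay, both reduce to a check that can be run over an inventory export. The following is an added example written for this page in Python; it is not code from the article, from Solutions Review or from Platform.sh. It takes host rows as a discovery scan or asset inventory might export them (host name, category, reported NT version string, controls already in place), classifies each host as supported or past EoL as of a chosen date, and lists which of the article's controls (dedicated firewall, IPS, remote access disabled or VPN-only, supported anti-malware) an EoL host still lacks. The version-to-product mapping, the EoL date table (the Windows 8 date is the one in the article; the Windows 7 date is the published one) and the host rows are assumptions and constructed sample data, not anything from the article.

```python
"""Inventory triage for a Windows end-of-life (EoL) review (added example)."""
from dataclasses import dataclass, field
from datetime import date
import re

# Product end-of-support dates. The Windows 8 date is the one the article
# gives; the Windows 7 date is the published one. None means this table
# carries no product-wide date (Windows 10/11 are serviced per release, so a
# real inventory would also track the release branch). Assumed table: keep
# it maintained rather than trusting it blindly.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows 8": date(2023, 1, 10),
    "Windows 8.1": date(2023, 1, 10),
    "Windows 10": None,
    "Windows 11": None,
}

# Controls every remaining EoL host must have, plus one of the two
# remote-access options, which control_gaps() checks separately.
REQUIRED_CONTROLS = {"dedicated_firewall", "ips", "anti_malware"}
REMOTE_ACCESS_OPTIONS = {"remote_access_disabled", "vpn_required"}


@dataclass
class Host:
    name: str
    category: str            # servers, laptops, industrial, lab equipment, ...
    os_version: str          # NT version string as a scanner reports it
    controls: set = field(default_factory=set)


def product_from_version(version: str) -> str:
    """Map an NT version string (major.minor[.build]) to a product name.

    NT 6.1 is Windows 7, 6.2 is Windows 8, 6.3 is Windows 8.1, and 10.0 is
    Windows 10 unless the build is 22000 or higher (the first Windows 11
    build). Anything else is reported as unknown so it gets investigated
    rather than silently passed."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return "unknown"
    major, minor, build = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    table = {(6, 1): "Windows 7", (6, 2): "Windows 8", (6, 3): "Windows 8.1"}
    if (major, minor) in table:
        return table[(major, minor)]
    if (major, minor) == (10, 0):
        return "Windows 11" if build >= 22000 else "Windows 10"
    return "unknown"


def is_eol(product: str, as_of: date) -> bool:
    """True once the product's support end date has been reached."""
    eol = EOL_DATES.get(product)
    return eol is not None and as_of >= eol


def control_gaps(host: Host) -> list:
    """Controls the article calls for that this host does not yet have."""
    gaps = REQUIRED_CONTROLS - host.controls
    if not (REMOTE_ACCESS_OPTIONS & host.controls):
        gaps.add("remote_access_disabled or vpn_required")
    return sorted(gaps)


def eol_report(hosts, as_of) -> dict:
    """Classify each host as supported, eol or unknown as of `as_of` (a date
    or ISO string) and list missing compensating controls for eol hosts."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    report = {}
    for h in hosts:
        product = product_from_version(h.os_version)
        if product == "unknown":
            status = "unknown"
        elif is_eol(product, as_of):
            status = "eol"
        else:
            status = "supported"
        report[h.name] = {
            "category": h.category,
            "product": product,
            "status": status,
            "gaps": control_gaps(h) if status == "eol" else [],
        }
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("fin-batch-01", "servers", "6.2.9200",
         {"dedicated_firewall", "ips", "anti_malware", "vpn_required"}),
    Host("plc-hmi-03", "industrial", "6.3.9600", {"dedicated_firewall"}),
    Host("lt-sales-117", "laptops", "10.0.22621"),
    Host("lab-scope-02", "lab equipment", "6.1.7601", {"remote_access_disabled"}),
    Host("kiosk-07", "embedded", "n/a"),
]

if __name__ == "__main__":
    for name, row in eol_report(SAMPLE_HOSTS, "2023-03-10").items():
        print(f"{name:14} {row['category']:14} {row['product']:12} "
              f"{row['status']:10} missing: {', '.join(row['gaps']) or '-'}")
```

Run against the sample rows as of the article's date, the script flags the three NT 6.x hosts as EoL, shows that only the finance server has the full set of controls, and marks the kiosk with no parseable version as unknown, which is the case the article warns about: an embedded device that a manual check would miss.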
As time goes on, more and more vulnerabilities will be discovered in this unsupported operating system, and attackers will continue to scan for places to use them. This is now your business’s cybersecurity weak spot, and just as hackers will treat it as such, so should any business that needs to maintain it. If possible, it’s best to disconnect the system from the internet entirely; while demonstrated methods show that an air gap is not insurmountable, such as through the use of USB devices and nearby smart devices, hackers will generally follow the path of least resistance.
Ultimately, however, a healthy security program does not allow for out-of-date systems to exist. Running these vulnerable systems is possible, and mitigating the risks will help keep a business safe, but the cost of doing so will likely exceed that of buying new hardware and installing new software. Unless absolutely necessary, the continued use of EoL software is likely to be a false economy, and to be avoided if possible—and that’s before thinking about the costs of a breach.
- End-of-Life Defenses in a Post-Windows 8 World - March 10, 2023