Windows 7 - an opportunity for cyber criminals?

Windows 7 end of life

On January 14, Microsoft effectively retired its Windows 7 operating system. This means the technology company is no longer obliged to provide security updates for this widely used software, although there is an option for paying customers to sign up to Extended Security Updates.

Machines with unpatched or unsupported software like Windows 7 are more vulnerable to cyber attacks, viruses and malware. That’s why cyber security experts are advising millions of Windows 7 users to upgrade their operating system - some 200 million computers are still believed to using Windows 7.

Security flaws continue to be found in Microsoft 7, even though it is now more than a decade old. In January 2020, the US National Security Agency warned of serious new vulnerabilities in Windows operating systems, including Windows 7 and the latest version Windows 10. Microsoft included a fix in its latest, and potentially last ever, update for Windows 7 on January 14, 2020.

Known vulnerabilities

Microsoft’s decision to pull support for Windows 7 will present cybercriminals with a huge opportunity. Bugs in software can be exploited by cybercriminals for malicious purposes and often form an important element of the tools and techniques used by hackers to gain access to networks, steal data or for cyber extortion.

Hackers seek out so-called zero-day vulnerabilities – flaws that are unknown to software developers and users – but more often than not they are able to exploit known vulnerabilities. This is because software is often not up-to-date – once a vulnerability is identified, software providers will quickly issue an update or a patch to fix the issue. However, left unpatched, systems are open to attack.

For example, the 2017 WannaCry global ransomware attack used a known vulnerability in Windows software known as ‘Eternal Blue’. Even though a fix for the vulnerability had been released several months prior to the WannaCry outbreak, the malware hit hundreds of thousands of unpatched computers around the world.

Opportunity knocks

Despite the role of unpatched vulnerabilities in high profile cyber attacks like WannaCry, the problem persists. According to Gartner unpatched systems remain one of the top causes of cyber security breaches with an estimated 99% of vulnerabilities known at the time of the incident.

Every time a security flaw or vulnerability is disclosed or a system update or patch is released, cybercriminals see an opportunity, explains Verizon in its 2019 Data Breach Investigations report. Hackers are continually searching for ways to monetise vulnerabilities, either through sophisticated targeted attacks against companies’ networks and websites or un-targeted attacks, like phishing or ransomware.

In recent years some of the largest large data breaches have been linked to unpatched vulnerabilities. For example, out of date systems contributed to the massive 2017 Equifax breach. More recently, a ransomware attack at Travelex on New Year’s Eve 2019 – which led the company to take its websites offline for over two weeks – was reportedly associated with a known vulnerability in VPN software.

Patching strategy

Hackers know that once a vulnerability is revealed, they have a limited amount of time to try to exploit that vulnerability. So fixing vulnerabilities quickly will result in greater protection. However, given the volume of software updates and the potential for patches to disrupt or reduce the functionality of critical systems, patching is not straightforward.

Cyber security experts recommend that firms:

• adopt a patching strategy that prioritises updates
• align fixes with the organisation’s biggest risks
• prioritise important vulnerabilities once they are identified
• have a plan for the remaining actionable vulnerabilities
• run up-to-date supported software on their systems, where practical

There are legitimate reasons why some machines and devices may continue to use old or unpatched software. Decisions to run unsupported software should be informed with appropriate steps taken to maintain cyber security, such as isolating unsupported systems from other networks.

Cyber insurance

Timely patching is not only good cyber hygiene but it is also basic risk management. Cyber insurers will enquire about an organisation’s patching strategy and will want to know what is being done to secure unsupported systems. Policyholders should also check their policies as some insurers apply exclusions for losses arising from unsupported or outdated systems.

Regulators are also paying more attention to cyber security and the consequences for not patching systems are increasingly severe, in terms of regulatory fines, business interruption and reputational damage. Equifax was fined $700m by US regulators for its 2017 data breach while US hotel group Marriott faces a £99m fine in the UK for a data breach under the EU’s General Data Protection Regulation (GDPR), caused by unpatched software. The GDPR gives regulators the power to issue penalties of up to €20m, or 4% of a company’s global turnover.

Keep patching

The withdrawal of support for Windows 7 will mean weaker cyber security for users and an open door for hackers. Many organisations have taken the opportunity to upgrade to a newer operating system, but those using unsupported or unpatched software without appropriate controls are exposing their businesses to an unnecessary risk, and one that could prove costly in the long run.