14 Jan 2020
Machines with unpatched or unsupported software like Windows 7 are more vulnerable to cyber attacks, viruses and malware. That’s why cyber security experts are advising millions of Windows 7 users to upgrade their operating system - some 200 million computers are still believed to be using Windows 7.
Security flaws continue to be found in Windows 7, even though it is now more than a decade old. In January 2020, the US National Security Agency warned of serious new vulnerabilities in Windows operating systems, including Windows 7 and the latest version, Windows 10. Microsoft included a fix in its latest, and potentially last ever, update for Windows 7 on January 14, 2020.
Microsoft’s decision to pull support for Windows 7 will present cybercriminals with a huge opportunity. Bugs in software can be exploited by cybercriminals for malicious purposes and often form an important element of the tools and techniques used by hackers to gain access to networks, steal data or for cyber extortion.
Hackers seek out so-called zero-day vulnerabilities – flaws that are unknown to software developers and users – but more often than not they are able to exploit known vulnerabilities. This is because software is often not up-to-date – once a vulnerability is identified, software providers will quickly issue an update or a patch to fix the issue.
However, left unpatched, systems are open to attack.
For example, the 2017 WannaCry global ransomware attack used a known vulnerability in Windows software known as ‘EternalBlue’. Even though a fix for the vulnerability had been released several months prior to the WannaCry outbreak, the malware hit hundreds of thousands of unpatched computers around the world.
Despite the role of unpatched vulnerabilities in high profile cyber attacks like WannaCry, the problem persists. According to Gartner, unpatched systems remain one of the top causes of cyber security breaches, with an estimated 99% of the vulnerabilities exploited already known at the time of the incident.
Every time a security flaw or vulnerability is disclosed, or a system update or patch is released, cybercriminals see an opportunity, explains Verizon in its 2019 Data Breach Investigations Report.
Hackers are continually searching for ways to monetise vulnerabilities, either through sophisticated targeted attacks against companies’ networks and websites or untargeted attacks, like phishing or ransomware.
In recent years some of the largest data breaches have been linked to unpatched vulnerabilities. For example, out-of-date systems contributed to the massive 2017 Equifax breach. More recently, a ransomware attack at Travelex on New Year’s Eve 2019 – which led the company to take its websites offline for over two weeks – was reportedly associated with a known vulnerability in VPN software.
Cyber security experts recommend that firms:
• adopt a patching strategy that prioritises updates
• align fixes with the organisation’s biggest risks
• prioritise important vulnerabilities once they are identified
• have a plan for the remaining actionable vulnerabilities
• run up-to-date supported software on their systems, where practical
There are legitimate reasons why some machines and devices may continue to use old or unpatched software. Decisions to run unsupported software should be informed ones, with appropriate steps taken to maintain cyber security, such as isolating unsupported systems from other networks.
Policyholders should also check their policies as some insurers apply exclusions for losses arising from unsupported or outdated systems.
Regulators are also paying more attention to cyber security and the consequences for not patching systems are increasingly severe, in terms of regulatory fines, business interruption and reputational damage.
Equifax was fined $700m by US regulators for its 2017 data breach while US hotel group Marriott faces a £99m fine in the UK for a data breach under the EU’s General Data Protection Regulation (GDPR), caused by unpatched software. The GDPR gives regulators the power to issue penalties of up to €20m, or 4% of a company’s global turnover.