Microsoft will stop supporting Windows 8.1 on Jan. 10, at which point the software maker says it will no longer offer point technical assistance and software updates for those systems.
Security teams at large enterprises by and large have had the end-of-life (EoL) for Windows 8.1 on their radar for some time: Microsoft’s intentions have been public for several months — and they officially ended support for Windows 7 in January 2020.
But there are a host of industries that security experts say will struggle with this most recent finale for Windows 8.1 support. In particular, small businesses, local governments, public schools, smaller commercial radio and television stations, all fall into the category of organizations that rely on specialized software and little to no budget to easily upgrade over to Windows 11 machines. Retail-hospitality, medical, and industrial-manufacturing companies will also have their challenges.
“Unfortunately, many businesses still have a heavy reliance on legacy systems, including those that operate in the industrial industry and banking sector,” said Joey Stanford, vice president of privacy and security at Platform.sh. “These industries put their digital faith in systems that struggle to be updated and can’t handle being switched off for updates. Without a plan for EoL, this can become a big security risk.”
Stanford said the Windows 8.1 EoL announcement hasn’t come out of the blue, so any risks incurred by failing to patch or update should be 100% attributed to the business in charge. While it might feel like an easy option to ignore the announcement, any system left operating on Windows 8 exposes a business to a significant amount of risk, said Stanford. A case in point: In August 2020, the FBI issued a warning to the private industry that cybercriminals were specifically targeting Windows 7 systems following its end of support.
“Ignoring the EoL date isn’t an option,” said Stanford. “However, it’s not a simple case of ‘auto-update’ for everyone. Those late to the party will have to bypass Windows 10 and go straight to 11, a much newer and more expensive OS that some won’t have the hardware to support.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that while it’s “likely” that if there’s a critical vulnerability that hits Windows 8.1, Microsoft may release an emergency patch after that date, there’s no guarantee.
“Windows 11 has been out for a while, so there’s really no reason for Microsoft to keep supporting obsolete operating systems,” said Parkin. “The real challenge is for organizations that have legacy applications that haven’t been updated to run on more recent platforms. They’re left in a position of choosing between losing vital functionality, going through an expensive and time-consuming search for a replacement, or leaving an old app running on an obsolete and vulnerable OS.”
Andrew Barratt, vice president at Coalfire, said there are really only two options for security teams and both involve planning way ahead.
First, consider the highly specialized — and often quite expensive — extended support options; or second, plan for a refresh of the operating system.
“Industries that tend to be most exposed have quasi-embedded devices using those operating systems,” Barratt said. “’Quasi’ because they’re not using a more cut down version of the OS intended for IOT or embedded use but are using a ‘black box’ approach — think cash registers, medical support devices, or even control management systems. Often systems provided by third parties fall into these categories which then makes the management of them even more complicated.”
Craig Burland, chief information security officer at Inversion6, said security teams need to draw a line in the sand and team up with their colleagues in infrastructure to beat the lifecycle drum once again. While it’s tempting to focus on the technology, this battle is more about people and process.
“The logistics of isolating systems, especially large numbers of systems, is daunting,” Burland said. “How many firewalled segments can be created with no additional staff to understand application needs and map traffic flows? How many air-gapped systems will be defeated by someone walking over a thumb drive?
Burland added that the formula for success is simple: socialize the risks of unsupported systems, set and communicate a deadline, build a process for exception to upgrading, and firm up the team’s resolve. Most organizations see IT assets as expenses that should be maximized. If a PC still functions, why replace it? It’s a difficult question to answer definitively, but the idea of cyber risk has become more widely accepted especially at the senior levels of leadership.
“This opens the door to have a discussion,” said Burland. “The most critical element of the formula is the exception process. If the business can justify the need to add risk, can explain to senior leaders why lifecycle should be ignored, and can shoulder the expense of isolating a system, an exception is warranted. Security teams should welcome those conversations, acting as partners instead of naysayers. But, they also need to be vigilant about balancing the scales of need and risk. In the end, most of the exception requests won’t meet the criteria and will be rejected. Those that are accepted will have a spotlight, exposing critical business systems with outsized risk that need special protection. Both outcomes are a win for security”.
It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!