Liberating businesses from the end-of-life rut

Just as you wouldn’t take a cross-country trip the moment your ‘check engine’ light comes on, you shouldn’t milk a piece of kit or software beyond its EOL date. Vendors, for good reason, will purposely mark software in a specific way to let organisations and their IT partners know it’s no longer fit for purpose or safe to deploy.

That doesn’t stop many organisations, however, and the majority of medium to large organisations are running at least one piece of EOL software, despite vendor warnings and counsel from channel partners. It’s no wonder then that a recent global PC Trends Report found that 55% of all software worldwide was out of date, and many operating systems in current use were out of date, too.

Channel partners have a big part to play in ensuring customer organisations maintain the various types of software they rely on, be it legacy software, commercial enterprise software, open source software or a mixture of on-premise and cloud deployments. Ignoring the crucial ‘check engine’ sign will not only lead to operational problems, but also leave the entire organisation at risk. No trusted advisor would want to carry the can for that. But why do so many organisations continue to use EOL software in the first place?

The worst-case scenario is worse than you may think

Many legacy products going EOL now were likely released when testing methodologies were different, and long before bug bounty programmes became the norm. This means that it’s unlikely they went through the kind of rigorous testing that modern vulnerability testers and hackers use today.

Partners offering to test their customers’ old software products with contemporary tools will invariably detect vulnerabilities that the vendor missed in the first instance. They can also educate customers against complacency. Vendors rarely bother to issue security updates for discontinued products, which means that, even if new vulnerabilities are found, EOL products are unlikely to receive the patches needed to guarantee safety. Without intervention, they’re sleepwalking to inevitable disaster.

Finally, these older software products might also suffer from operational issues such as lack of compatibility with newer products or protocols, poor reliability and higher maintenance costs when, for example, that software itself has either hardware, OS or other software dependencies. This is another opportunity for partners to be proactive, particularly when coming across EOL assets in the context of new IT initiatives. Should customers remain reticent about EOL replacement, point out that their older products may not be compatible with today’s strict compliance and insurance requirements, making them more susceptible to breaches and more likely to be hit with hefty fines when they happen.

Why ‘if it ain’t broke, don’t fix it’ isn’t good enough

There’s no single reason why organisations fail to update or retire EOL software, though it often comes down to budget saving, lack of awareness or pure institutional inertia, or all of the above.

In the case of inertia, the organisation is unlikely to put real effort into mending something that, to their eyes, doesn’t need mending. It’s easier to continue using the same, familiar technology stack across users, administrators and clients where there are long-standing workflows that no one wants to disrupt. The instinctive reticence to “replace something that still works”, and treat this as an unnecessary, even wasteful expense, is difficult to shift, even if, ironically, it costs more in the long run when EOL software leaves them open to attack.

All these mindsets are common and understandable. But those partners who aspire to occupy the trusted IT advisor role with customers should ask themselves whether they unwittingly contribute to any of these factors. In other words, are you part of the problem? If so, it’s time to confront customers with the reality of their situation and offer practical routes to mitigating the associated risks.

The best time to start is now

Given how poorly organisations have dealt with replacing older products in the past, it’s very unlikely that many will do much better in the future, and for every one that doesn’t, history teaches that a breach is a real possibility. Partners that enable organisations to recognise that this is a significant security risk, and treat it as such, are doing them a favour. Mitigating this risk involves awareness, preparation, and if needed, response.

A proper inventory of all IT assets and the software versions installed on them is the first step. Follow that up by identifying which products are obsolete, and which are about to reach EOL, then decide if and how to replace these. Such products can include the now-retired Acrobat Reader, Acrobat Flash and older versions of Windows 10 and Windows 7. From this week, the Home, Pro, Pro Education and Pro for Workstations editions of Windows 10 version 1909 and Windows Server, version 1909 will reach their end of service.

Organisations should also be advised to keep up with the latest patches, especially in the case of security products, some of which can have hidden critical security flaws for years. A next-gen security platform is a prerequisite for securing the organisation if an attacker does find a way inside by leveraging vulnerabilities in older products.

Thom Langford is security advocate at SentinelOne
