Windows 7 EOL Switch Now, Before Security Hazards Get You


NEXUSTEK WHITE PAPER

NexusTek Headquarters | 5889 Greenwood Plaza Blvd, Suite 201 | Greenwood Village, CO 80111 | 877.470.0401 | www.nexustek.com | [email protected]

I. Windows 7 – Switch Now, Before Security Hazards Get You

You may think you have time. Official support for Windows 7 ends on January 14, 2020, which means that you have about six months before your deployment becomes obsolete. If you only have a dozen or even a few hundred computers running Windows 7 in your organization, you might think that you have plenty of time. Beware, that mentality can put your business at serious risk.

New Vulnerability Threatens Windows 7 Implementations

In May 2019, Microsoft announced – and subsequently patched – a critical software security vulnerability in older Windows systems. The vulnerability, now known as BlueKeep, takes the form of a remote code execution bug that allows attackers to execute malicious software at the heart of Windows operating systems – including Windows 7, Windows XP, and Windows 2000.

Here’s the most worrying thing about BlueKeep – it’s wormable. In other words, if one computer in a network is infected with it, then malware that uses BlueKeep can scan the network to identify other vulnerable computers and then use the infected computer to launch an attack. Any malware that uses BlueKeep can spread from one computer to another and can even achieve global reach – similar to the WannaCry and NotPetya viruses that wreaked widespread havoc in 2017.

These worries aren’t theoretical. Security researchers have already created a worm that can exploit the BlueKeep vulnerability. Hackers – especially nation-state attackers who have something to gain from causing worldwide chaos – can’t possibly be far behind. In short, we know that the earthquake has struck, and we’re now waiting for the tsunami.

Can You Patch Your Way Out of BlueKeep?

Responsible IT administrators have probably done their due diligence about BlueKeep and applied a patch (if you haven’t, go do it now!). There are plenty of reasons why simply patching may not be enough, however.

First, you may have found that patching your Windows 7 implementation means scheduling downtime for a mission-critical application. If now isn’t a good time for downtime – and there’s really no such thing as a good time for downtime – you may not have applied the patch.

Second, your inventory may include dozens or hundreds (maybe even thousands) of desktops. Do you have time to patch all of them? More importantly, are you confident in your inventory and asset-tracking abilities? Some estimates put Windows 7 as comprising 39% of all desktop operating systems, which means that there’s a lot to keep track of. Even if only a single Windows 7 desktop escapes your notice, you leave a portal for malware in your organization.

Even though a patch for BlueKeep is already available, the conventional wisdom around patching is this: 25% of companies patch on the first day, 25% patch within the first week, 25% patch within the first month, and 25% never patch at all. At this point, a patch has been out for nearly a month – which means that 50% of Windows 7 PCs are likely still unpatched. Even if you’re conscientious about patching, there is a good chance that there are still unpatched Windows 7 PCs in your environment.

Upgrade Now Before It Gets Worse

Even if you’ve successfully gone through the effort of patching your Windows 7 systems, there’s no guarantee that there won’t be another critical vulnerability next week – and another one the week after that. At that point, you’ll have spent a great deal of effort and energy patching systems that are skating on the edge of obsolescence.

Once Windows 7 support ends in January of 2020, you won’t even have the opportunity to patch. Microsoft will stop releasing fixes for the most common security problems. Only issues the size of BlueKeep or larger will get any attention from Microsoft. As far as other vulnerabilities are concerned, your best bet will be to hope that your firewall keeps holding on.

Upgrading your Windows operating system to the current version, Windows 10, is the easiest and most logical progression to help protect your business. Not only do you instantly gain immunity to BlueKeep, you eliminate your vulnerability to all the other zero-days that will continue to affect Windows 7 in the days and years to come. Patching is imperfect, so a full operating system upgrade is the best way for you to guarantee continued safety for your data.

II. Windows 7 Will Go Out of Compliance as it Goes EOL

Much has been written about the fact that Windows 7 will make your computer more vulnerable to malware. When the system goes end-of-life in January 2020, Microsoft will stop issuing security updates for all but the most severe issues, leaving its legacy systems undefended.

Viruses and malware are far from the only thing that you’ll have to worry about once Windows 7 goes EOL. Corporations dealing with healthcare information, credit card numbers, financial information, or data from EU citizens may be subject to strict compliance requirements. For example, storing your data on an end-of-life system may violate these requirements in any number of ways:

Storing Data on an EOL System is a Great Way to Lose It

What happens when you store data on a computer whose operating system has gone end-of-life? The first answer is “nothing good.” As time goes on, the computer will become more susceptible to bugs and errors, which increases the risk of catastrophic data loss.
The longer you store your data on an end-of-life system, the more likely it is that you’ll lose it.

You probably think that this problem is what backup and disaster recovery programs are for – and you’re right! Except, of course, that your backup and disaster recovery programs are most likely built to work with supported operating systems. Are you willing to take the chance that your modern backup and recovery tool won’t work with an EOL system?

This risk goes double for non-accidental disasters – e.g. viruses and malware. Having an EOL system means that it will be that much easier for attackers to break through your defenses and steal your data. It also means that a ransomware attacker will find it much easier to locate and delete your backups.

What Does Losing Data Have to Do with Compliance?

Three words: data retention requirements.

The Bank Secrecy Act was designed to prevent banks from enabling tax evasion, money laundering, and other forms of corruption. It requires banks, casinos, and other financial institutions to preserve their customer records for at least five years. Banks and ATM vendors, coincidentally, are among those experiencing a general delay in their Windows 10 implementations. If they lose customer data to obsolescence or malware, their employees could face criminal penalties or even spend time in prison.

Under HIPAA, covered entities are required to preserve relevant documentation for six years or more, while medical records are covered by state records retention laws – usually for around five years. Notably, the healthcare industry also has significant problems when it comes to upgrading its Windows 7 computers. By the January 2020 deadline, at least 70% of devices and computers in the healthcare industry will be running on out-of-date operating systems.

You’ll find that this is a common theme. Across the industries that are governed by compliance rules with data retention requirements, the companies that comprise those industries are having difficulty upgrading from Windows 7 to Windows 10. If this were a novel, we’d call it “Foreshadowing.”

Data Retention Isn’t Your Only Problem

Even if your compliance regime doesn’t have specific guidelines about how long you should be storing data, you’re still going to encounter difficulties. For example, PCI-DSS has some broad guidelines when it comes to data storage.

Under PCI, your mandate is to protect stored cardholder data. Is cardholder data fully protected if it’s stored on a computer with a deprecated operating system? Technology best practices would suggest “no”. You also won’t be surprised to know that the fines for PCI violations are steep – some in the order of $100,000 a month until your security problems are addressed.

HIPAA and the GDPR also offer large fines for violators while providing a flexible definition of protection. You might store your data with perfect encryption, hide it behind a firewall, and protect it with strong antivirus…but if it’s stored on a Windows 7 PC, regulators will still be able to argue that you haven’t done your due diligence.

It’s Time to Upgrade Your Operating Systems

Most organizations try to make a point of storing customer and mission-critical data on systems other than desktops. Servers and cloud storage are more secure than desktops – which are constantly connected to the internet and subject to user error.
