Security trumps comfort when it comes to old software

Businesses need to ask how much risk they are carrying by running unsupported platforms and consider whether investing in special support for the old, vulnerable systems will cost more than upgrading in the long run.

According to Netmarketshare, Microsoft's Windows 7 remains the leader in the desktop operating system market with a 61 percent share. Its less-loved predecessor, Windows 8.1, unsurprisingly is a long-way-back second with 13 percent.

What is surprising, though, is that the the total percentages of Windows Vista, Linux, Windows 8, and Mac OS X added together still fall short of the 12 percent market share held by the ageing great grandfather of the desktop, Windows XP.

But Windows XP dropped off extended support last April, and Microsoft has just switched off the signature feed for Security Essentials this month. 

Nevertheless, a massive contingent of enterprise customers still rely on fleets of unpatched and outdated operating systems.

Furthermore, if this announcement published last year by the US Navy's IT magazine reflects the issues other government departments and enterprises are experiencing, it seems XP may remain in support critical business functions for some time yet.

Custom support for XP within the US Navy alone is costing the US taxpayer A$11.6 million each year. Australian government agencies are also handing over similar sums of cash.

Vulnerability ecosystems

Security researchers and bug hunters are encouraged to disclose vulnerabilities after a consultation period with the vendor to allow the software company time to create and distribute the patch.

In terms of auditing systems that have a support arrangement with the vendor, this is a great result. Even so-called zero-day vulnerabilities have a limited lifetime when they are most insidious because they are invariably patched over the course of a couple of weeks. Your exposure is limited.

However, if you don’t have $9 million to pay for special support, bugs that would have once been patched now linger like a bad smell.

And it's a bad smell that gets worse with age.

The zero-day is a lot more frightening when the exposure is basically as long as it takes for you to get off that platform. These become zero+x vulnerabilities; with x being the number of days since you went out of support, and your ever-increasing exposure is measured in days “at risk”.

You are now in a position where each day that goes by, your critical, line-of-business applications that you simply cannot do without leave you open to catastrophic impact should the fleet be attacked.

Is it not more cost effective to start the planning years before these kinds of events occur, so you phase legacy systems out on time?

Of course it is, but it all comes down to priorities. Often it’s the simple tension between operational expenditure and capital expenditure.

Paying OpEx money to keep extended support going is often easier to stomach for a CIO than raising capital for a massive investment project that looks like it delivers nothing more than service continuity.

So how can you make the case for upgrade?

Security is a boardroom issue and as such needs to be discussed at the right level to get away from mid-level management in-fighting. Business cases need to be expressed in such a way that the executive understands them, crafted in plain language.

Use metrics and risk ratings and make sure you don’t use emotive statements or superlatives that will only work against you.

Work with your CIO to pitch investment in terms of business improvements or innovations and look to leverage new technologies such as virtualisation, VDI or cloud technologies to reduce ongoing dependencies on in-house platforms.

If you plan these strategies way in advance of the inevitable inflection point - when you no longer have any options - you’ll be in a better place. Whatever you do, you need to act.

Hiding the inevitable from the business, just because you don’t want to be the harbinger of doom, will only work to undermine the trust in the security team and jeopardise future investment needed to fix other strategic security issues.

As a security manager, you're the most straight-talking, no-frills expert the board has to rely on.