Is the end life of Windows 7 last week an opportunity for cyber criminals?
By QBE Cyber Portfolio Manager Erica Constance
The end life of Windows 7 will be seen as an opportunity for cybercriminals, but it also highlights the need for effective patching strategies, according to Erica Constance.
Windows 7 end of life
On January 14th 2020, Microsoft effectively retired its Windows 7 operating system. This means the technology company is no longer obliged to provide security updates for this widely used software, although there is an option for paying customers to sign up to Extended Security Updates.
Machines with unpatched or unsupported software like Windows 7 are more vulnerable to cyber attacks, viruses and malware. That’s why cyber security experts are advising millions of Windows 7 users to upgrade their operating system - some 200 million computers are still believed to using Windows 7.
Security flaws continue to be found in Microsoft 7, even though it is now more than a decade old. In January 2020, the US National Security Agency warned of serious new vulnerabilities in Windows operating systems, including Windows 7 and the latest version Windows 10. Microsoft included a fix in its latest, and potentially last ever, update for Windows 7 on January 14, 2020.
Microsoft’s decision to pull support for Windows 7 will present cybercriminals with a huge opportunity. Bugs in software can be exploited by cybercriminals for malicious purposes and often form an important element of the tools and techniques used by hackers to gain access to networks, steal data or for cyber extortion.
Hackers seek out so-called zero-day vulnerabilities – flaws that are unknown to software developers and users – but more often than not they are able to exploit known vulnerabilities. This is because software is often not up-to-date – once a vulnerability is identified, software providers will quickly issue an update or a patch to fix the issue. However, left unpatched, systems are open to attack.
For example, the 2017 WannaCry global ransomware attack used a known vulnerability in Windows software known as ‘Eternal Blue’. Even though a fix for the vulnerability had been released several months prior to the WannaCry outbreak, the malware hit hundreds of thousands of unpatched computers around the world.
Despite the role of unpatched vulnerabilities in high profile cyber attacks like WannaCry, the problem persists. According to Gartner unpatched systems remain one of the top causes of cyber security breaches with an estimated 99% of vulnerabilities known at the time of the incident.
Every time a security flaw or vulnerability is disclosed or a system update or patch is released, cybercriminals see an opportunity, explains Verizon in its 2019 Data Breach Investigations report. Hackers are continually searching for ways to monetise vulnerabilities, either through sophisticated targeted attacks against companies’ networks and websites or un-targeted attacks, like phishing or ransomware.
In recent years some of the largest large data breaches have been linked to unpatched vulnerabilities. For example, out of date systems contributed to the massive 2017 Equifax breach. More recently, a ransomware attack at Travelex on New Year’s Eve 2019 – which led the company to take its websites offline for over two weeks – was reportedly associated with a known vulnerability in VPN software.
Hackers know that once a vulnerability is revealed, they have a limited amount of time to try to exploit that vulnerability. So fixing vulnerabilities quickly will result in greater protection. However, given the volume of software updates and the potential for patches to disrupt or reduce the functionality of critical systems, patching is not straightforward.
Cyber security experts recommend that firms:
- adopt a patching strategy that prioritises updates
- align fixes with the organisation’s biggest risks
- prioritise important vulnerabilities once they are identified
- have a plan for the remaining actionable vulnerabilities
- run up-to-date supported software on their systems, where practical
There are legitimate reasons why some machines and devices may continue to use old or unpatched software. Decisions to run unsupported software should be informed with appropriate steps taken to maintain cyber security, such as isolating unsupported systems from other networks.
Timely patching is not only good cyber hygiene but it is also basic risk management. Cyber insurers will enquire about an organisation’s patching strategy and will want to know what is being done to secure unsupported systems. Policyholders should also check their policies as some insurers apply exclusions for losses arising from unsupported or outdated systems.
Regulators are also paying more attention to cyber security and the consequences for not patching systems are increasingly severe, in terms of regulatory fines, business interruption and reputational damage. Equifax was fined $700m by US regulators for its 2017 data breach while US hotel group Marriott faces a £99m fine in the UK for a data breach under the EU’s General Data Protection Regulation (GDPR), caused by unpatched software. The GDPR gives regulators the power to issue penalties of up to €20m, or 4% of a company’s global turnover.
The withdrawal of support for Windows 7 will mean weaker cyber security for users and an open door for hackers. Many organisations have taken the opportunity to upgrade to a newer operating system, but those using unsupported or unpatched software without appropriate controls are exposing their businesses to an unnecessary risk, and one that could prove costly in the long run.
QBE European Operations is part of QBE Insurance Group, one of the world’s leading international insurers and reinsurers and Standard & Poor’s A+ rated. Listed on the Australian Securities Exchange, QBE’s gross written premium for the year ended 31 December 2018 was US$13.7 billion.
As a business insurance specialist, QBE European Operations offers a range of insurance products from the standard suite of property, casualty and motor to the specialist financial lines, marine and energy. All are tailored to the individual needs of our small, medium and large client base.
We understand the crucial role that effective risk management plays in all organisations and work hard to understand our clients’ businesses so that we offer insurance solutions that meet their needs – from complex programmes to simpler e-trading solutions – and support them in minimising their risk exposures. Our expert risk management and rehabilitation practitioners focus on helping clients improve their risk management so that they may benefit from a reduction in claims frequency and costs.
- 10 Feb 2020
- 27 Jan 2020
- 22 Jan 2020
- 20 Jan 2020
- 2 Jan 2020
- 19 Dec 2019
- 16 Dec 2019
- 12 Dec 2019
- 2 Dec 2019
- 27 Nov 2019