Software wears out?
In short, yes! Software doesn’t ‘wear out’ in the classical sense, but it does indeed have a limited lifespan. As technology evolves, there comes a time when it is both better and safer to transition to newer platforms even if the short-term costs don’t appear to agree. Though the idea of squeezing the most life out of a purchase and getting the ‘best bang for your buck’ is tempting, there are real dangers and significant financial risk in continuing to run outdated software. Just how much risk?
A recent study by the security ratings service BitSight revealed the following:
“Study shows companies running out-of-date OSes were three times more likely to suffer a data breach, and those with the outdated browsers, two times more likely.” 
The reason for this risk is twofold: First, the older a piece of software is, the more time people have had to discover bugs in it. Though bugs are often present the day software is released, supported software fights this by distributing patches to keep users secure. When software reaches end of life, the patches and updates cease, but bugs can still be discovered. Those still running the software are now unprotected.
Across many industries, deployments of out-of-support operating systems and browsers are still more common than many outside the industry, and even some within it, might expect. It was recently found that around the time of the “WannaCry” ransomware attacks, around 20% of computers looked at in a study by BitSight were still running Windows Vista, and even Windows XP.
“In an odd twist, financial services scored the same as healthcare and retail when it came to out-of-date OSes and browsers, each with 15% of their computers. That caught the researchers by surprise as well.”
What can be done about it?
On the surface, the solution is simple: find all the old, unsupported software and upgrade it. But how? A manual sweep or audit of every running machine is labor intensive and error prone, and has no way of identifying a software installation that occurred after the inspection. The answer lies in a solution like Device42 that can accurately identify what you have running in your environment, and where, automatically.
After Device42 is up and running, and autodiscovery has populated its CMDB, you have the information you need to ensure you are protected: accurate documentation of the details about your server deployments. This data includes the applications and services running in your environment, the underlying infrastructure that supports them, and all the interdependencies.
When Device42 autodiscovers information about CIs in your environment, it records detailed information about the detected operating system versions that are in use, as well as all the installed software. This information can be used to uncover risk, classify it, and form a plan to mitigate it. Correlating these discovered CI details with the network that the information was discovered on is a good way to identify the riskiest, and therefore most likely, breach points in your deployment. Chances are good that there is more old software running than you’d think:
“While it wasn’t much of a shocker that outdated software raises the likelihood of a breach, Dahlberg says, the volume of machines running the older code was surprising. “The sheer number of companies that actually have this many outdated systems” was an eye-opener, he says”.
What about when we aren’t actively thinking about old software?
Device42 knows that you can’t spend all day, every day thinking about outdated software, or running reports to find out which computers are running a given outdated operating system, or even an outdated version of a browser. Running such a report is a simple task in Device42, and these reports can also be scheduled to run automatically and deliver any discovered results right to your inbox. Device42, however, takes it a step further with purpose-built End of Life and End of Support (EOL / EOS) tracking features. Simply enter EOL and EOS dates for software and operating systems (in Device42’s “Software” menu), and Device42 will take care of the rest of the legwork:
- Avoid sudden EOL emergencies or vulnerabilities that could result in costly downtime
- Get an alert when an EOS date is approaching so timely preparations can be made
- Get an email if a piece of software that has been marked EOL is found
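
The checks listed above, combined with the network correlation described earlier, can be sketched as follows. This is an added example, not Device42 code or its API: the product names, lifecycle dates, hosts, subnets and scoring weights are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: products, dates, hosts and subnets are all made up.
LIFECYCLE = {
    "ExampleOS 6": {"eol": date(2015, 1, 1), "eos": date(2017, 4, 1)},
    "ExampleOS 10": {"eol": date(2017, 1, 1), "eos": date(2020, 1, 1)},
    "ExampleBrowser 11": {"eol": date(2016, 9, 1), "eos": date(2017, 9, 1)},
}
INVENTORY = [
    {"host": "web01", "subnet": "203.0.113.0/24", "os": "ExampleOS 6",
     "software": ["ExampleBrowser 11"]},
    {"host": "db01", "subnet": "10.0.5.0/24", "os": "ExampleOS 6", "software": []},
    {"host": "app01", "subnet": "10.0.5.0/24", "os": "ExampleOS 10",
     "software": ["InHouseTool 2"]},
]
EXPOSED = {"203.0.113.0/24"}  # assumption: subnets reachable from the internet
WEIGHT = {"past-eos": 3, "eos-approaching": 2, "eol": 1}  # assumed weights


def classify(dates, today, warn_days):
    """Return the lifecycle status of one product, or None if nothing to flag."""
    if dates["eos"] <= today:
        return "past-eos"            # patches have stopped
    if dates["eos"] - today <= timedelta(days=warn_days):
        return "eos-approaching"     # time to plan the migration
    if dates["eol"] <= today:
        return "eol"                 # marked end of life, still patched
    return None


def review(inventory, lifecycle, exposed, today, warn_days=180):
    """Rank findings by risk; also list installs with no lifecycle entry."""
    findings, untracked = [], []
    for ci in inventory:
        for product in [ci["os"], *ci["software"]]:
            if product not in lifecycle:
                untracked.append((ci["host"], product))  # gap in the EOL data
                continue
            status = classify(lifecycle[product], today, warn_days)
            if status:
                score = WEIGHT[status] * (2 if ci["subnet"] in exposed else 1)
                findings.append((score, ci["host"], product, status))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings, sorted(untracked)


if __name__ == "__main__":
    print(review(INVENTORY, LIFECYCLE, EXPOSED, date(2017, 6, 1)))
```

Installs with no lifecycle entry are returned separately, since a product nobody has entered dates for would otherwise never raise an alert.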
Your operation probably still has a good security record, but past performance is not an accurate predictor of the future. If out-of-date operating systems and software are in use, your organization could be at risk.
Leverage Device42’s powerful autodiscovery, reporting, and EOL/EOS features to help you stay on top of security! If you aren’t a Device42 user, download a free 30-day trial today.
If you are using Device42 to mitigate risk in your environment, we would love to hear how it has helped! Leave a comment below, or e-mail our support team at [email protected] (they love getting email!)