Microsoft Stops Supporting Windows 7, Leaving Millions of Users at Risk of Cyberattacks

After 10 years, support for Windows 7 will stop today, January 14, 2020.

According to Microsoft, when Windows 7 reaches end of support on January 14, 2020, Microsoft will no longer provide technical support for any issues, software updates and security updates or fixes. The company acknowledged that without continued software and security updates, computers will be at greater risk for viruses and malware. "Going forward, the best way for you to stay secure is on Windows 10. And the best way to experience Windows 10 is on a new PC. While it is possible to install Windows 10 on your older device, it is not recommended," says Microsoft.

According to CNN, the change will affect hundreds of millions of users because more than one-third of PCs use Windows 7. Recently, Guardicore researchers provided an incident response to an attack hitting a medium sized company in the medical tech sector. The victim network was infected with a well-obfuscated malware, hiding a Monero cryptominer inside WAV files. The attacker attempted to propagate within the organization by infecting machines running Windows 7 and exploiting the infamous EternalBlue vulnerability.

Jack Mannino, CEO at nVisium, says that if users can upgrade without any adverse operational impact, then they should upgrade as soon as they can. "If you are using a product or software built on a Windows 7 stack that you cannot immediately deprecate or air gap to some capacity, you need to isolate these systems as much as technically possible. This includes ingress controls at the host level and ingress and egress controls at networking boundaries. These include kiosks as well as devices used within medical or manufacturing areas. In many scenarios, these systems are difficult to protect against attacks requiring physical access because by nature they are deployed to physically accessible areas. In our experience, we see that these systems become immensely valuable to attackers that have access to a target's internal network. Network accessible systems with exposed vulnerabilities aid attackers in moving laterally and compromising systems across an environment."

Mehul Revankar, director of product management at SaltStack, notes that the obvious risk is Windows 7 systems will no longer receive patches from Microsoft. "Which means if a new vulnerability is discovered in Windows 7, all Windows 7 systems will be at the risk for exploitation from malicious attackers. Since there are no patches available, going forward, Windows 7 systems will become ripe targets for attackers to exploit. A quick search on internet search engine such as shodan.io reveals (https://www.shodan.io/search?query=os%3A%22Windows+7%22&language=en) that there are roughly a million Windows 7 systems connected to the internet. When the next major Windows 7 vulnerability strikes, these would be the systems attackers would go after first, own them very quickly, and cause business disruption."

"So, what should Windows 7 users do? Get accurate inventory of all your assets, and identify all Windows 7 systems in your organization," says Revankar. "Stop procrastinating, and take action. Upgrade those assets to Windows 10 or later. But if you can't upgrade for one reason or another, get them off the internet at the very least, and add mitigating controls so that only authorized users have access to them. The most likely problem is that systems will not be updated or will be slow to update. And the longer the wait, the higher the risk that this results in a costly attack."

Joseph Carson, chief security scientist at Thycotic, notes the risks associated to companies who continue to use Windows 7. "Companies who continue to use Windows 7 in their environment are having to make a serious decision in accepting the risk of becoming a victim of a cyber incident in the coming year. The end of support for Windows 7 is going to cause major security risks and challenges over the next few years globally for many governments, organizations and consumers. According to Statcounter, Windows 7 is still deployed on 1 out of 4 Windows systems which means that a large amount of devices are going to be without security updates. This will leave them exposed to vulnerabilities found after January 14, 2020."

"Companies must accelerate the replacement of Windows 7 systems or they will have an increased risk at becoming a victim of a cyber incident, data loss, service outages or suffer a huge financial losses," Carson says. "Companies who continue to use Windows 7 systems after the end of support will have to perform a serious risk assessment to determine what it will take to replace those systems. Whether they are automated systems or human interactive means further hardening of those systems is urgent and cyber awareness training is a must for employees who continue to use Windows 7 to help reduce the risks. Companies will have to decide to limit internet access and deploy more security solutions to protect Windows 7 such as network access, application control solutions and strong privileged access management to limit privileged access to the systems. However, the only true security solution is to upgrade or cease using Windows 7."

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.