Vulnerability management for EOL systems
  • Vulnerability management for EOL systems

    The End of Life (EOL) for Windows 7 has been all over social media recently, and today is the day that support ends. I have the luxury of having no Windows 7 systems in my environment, but many of you may not be so lucky.

    What techniques and compensating controls are you using to help mitigate the risks of continued use of Windows 7 or other EOL systems in your environments?

    -AC

    ----
    Twitter: @AccidentalCISO
    Blog: https://www.accidentalciso.net/

  • #2
    For Windows Server 2008, we purchased extended support for a few select servers.

    Windows 7 is almost gone, just lingering machines, no specific reason other than pesky users. We are limiting their abilities to function, such as no corporate VPN anymore on them.
    Frank McGovern
    @FrankMcG
    Founder - TheIKE, Blue Team Con



    • #3
      Laughs in Windows XP and 2003.

      Hypothetically dealing with this issue at the moment: isolated all the machines as much as possible (luckily they are virtual systems, and the base system has all our standard controls in place). We only allow whitelisted website access. Endpoint malware/behaviour detection is in place to alert and lock down anything apart from "Expected Behaviour", pen tests happen every quarter, and daily reports on malware/behaviour/detection updates are produced and reviewed. Additionally we have a few other things in place to protect them.

      Not perfect, but the best we can do for [Reasons].



      • #4
        Windows 7? Hypothetically if we had any Windows 7 machines we'd be applying the same controls and procedures that we'd have in place for the Windows NT, 2000 and 2003 servers.
        Isolation, firewall rules/ACLs on VLANs, host-based IDS, restricted access to specific systems, and ensuring endpoint protection etc. is up to date.
        Vulnerability scans are scheduled and we test as much as we can. There are plans in place to move websites etc off the 2003 servers, real world "make this happen" is fighting change control, budgets, expertise and the ability to make really old stuff work on newer OSes.



        • #5
          Extended support for the few remaining systems, but also a good one is to mention that any extended usage would require audit and executive sign-off, that's usually enough to scare a business group into jumping on the upgrade bandwagon. Toot toot!



          • #6
            I've been in the unfortunate position of finding companies that seem to have been running their own private OS museums. NT4 and Windows 2000 seem to follow me like a bad smell, although I've not seen an OS/2 Warp for a few years.

            Two main prevention approaches: application whitelisting and network segregation (if not physical separation). I've also seen virtualization used to wrap further controls round the boxes, and published apps used to reduce exposure.

            The other approach used was to do an analysis of what was really required and try to minimise the exposure. For example, remove/disable as many of the apps as you can (do you need calc or image viewers?). On one system we had, we managed to identify the times when the system was needed, so it was only run for 2 days a month.

            Further detection controls such as IDS can be used, but they go end of life after a few years...

            The biggest failure I've seen on whitelist controls is deployment of the application that is then never tuned, or turned off soon after implementation, so monitoring controls on the software need to be invoked.

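The control stack described in #4 and #6 (isolation, allowlisting, host IDS, regular scans, no VPN, exemption for paid extended support) is easy to lose track of once a dozen "temporary" EOL hosts linger. The following is an added example, not code from the thread or its posters: a small Python check that takes an inventory and reports which EOL hosts lack the compensating controls. The control names, the 30-day scan cadence and the sample hosts are assumptions; the EOL dates are the vendor's published end-of-extended-support dates.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set
# Vendor end-of-extended-support dates for OS versions named in the thread.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
}
# Compensating controls expected on every EOL host without paid extended support.
REQUIRED_CONTROLS = {"isolated_vlan", "app_allowlist", "host_ids"}
MAX_SCAN_AGE = timedelta(days=30)  # assumption: monthly scan cadence

@dataclass
class Host:
    name: str
    os: str
    controls: Set[str] = field(default_factory=set)
    last_scan: Optional[date] = None
    extended_support: bool = False  # paid ESU still receives patches
    vpn_access: bool = False        # corporate VPN should be revoked on EOL hosts

def assess(host: Host, today: date) -> List[str]:
    """Return the gaps for one host; an empty list means acceptable."""
    eol = EOL_DATES.get(host.os)
    if eol is None or today < eol:
        return []  # still supported: nothing to compensate for
    gaps = []
    if not host.extended_support:
        for ctl in sorted(REQUIRED_CONTROLS - host.controls):
            gaps.append(f"missing control: {ctl}")
    if host.last_scan is None or today - host.last_scan > MAX_SCAN_AGE:
        gaps.append("no vulnerability scan in the last 30 days")
    if host.vpn_access:
        gaps.append("corporate VPN still permitted")
    return gaps

def triage(inventory: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each EOL host with gaps to its findings, for the periodic review."""
    return {h.name: gaps for h in inventory if (gaps := assess(h, today))}

# Constructed sample inventory; TODAY is the Windows 7 end-of-support date.
TODAY = date(2020, 1, 14)
INVENTORY = [
    Host("hr-print-01", "Windows 7", {"isolated_vlan", "app_allowlist", "host_ids"}, last_scan=TODAY - timedelta(days=5)),
    Host("legacy-web-02", "Windows Server 2003", {"isolated_vlan"}, last_scan=TODAY - timedelta(days=60), vpn_access=True),
    Host("fin-app-03", "Windows Server 2008", extended_support=True, last_scan=TODAY - timedelta(days=10)),
    Host("dev-box-04", "Windows 10"),
]
```

Running `triage(INVENTORY, TODAY)` flags only `legacy-web-02`; the ESU-covered 2008 box and the fully controlled Windows 7 host pass, which is the review list the "audit and executive sign-off" rule in #5 needs.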


            • #7
              Great info so far, folks! Thanks! Love the layering of controls to mitigate the risks!
              -AC

              ----
              Twitter: @AccidentalCISO
              Blog: https://www.accidentalciso.net/



              • #8
                I know of one company in my part of the state that has a single point of failure production system built into a Win95 virtual on a Win98 hardware box. That hardware is old enough to drink.

                Sometimes the business refuses to pay to upgrade an application, because they've never been hit hard enough to consider the cost the risk presents. Some people need to stick the fork in the socket to realize that's bad, and some won't survive the experience. Natural selection applies to orgs as well.



                • #9
                  Thought exercise... would it be unethical to plan a failure in such a system to force the issue?

                  At some point, the hardware in that system is going to go, so somebody might as well get to choose the most opportune time for that to happen. If the equipment is left to choose on its own, everyone knows it will be at the worst possible time.

                  Following the "planned" "outage"...

                  "Sir, we were able to source a new system board to replace the failed one, but it took us a few days and we have no guarantee of quality. This equipment is only getting older and we aren't certain we'll be able to do it that quickly in the future. If this system is critical to the business, it's time to start planning an alternative path."
                  -AC

                  ----
                  Twitter: @AccidentalCISO
                  Blog: https://www.accidentalciso.net/



                  • #10
                    Not at all, so long as you plan it properly. This can impact the 1/3 of security the business always cares about - Availability. If a temporary planned outage is what it takes to keep things running over the longer term, go for it.



                    • #11
                      Not sure if putting the "planned" in quotes was clear enough. I was alluding to something that is planned under the table by the folks that have to support the system and want it to go away. It's more theater than anything.
                      -AC

                      ----
                      Twitter: @AccidentalCISO
                      Blog: https://www.accidentalciso.net/
