As of January 14, 2020, Microsoft ended its official support of the Windows 7 operating system, leaving an estimated 200 million PC users vulnerable to potential attacks if they have not upgraded to Windows 10. Schellman & Co PCI technical lead and manager Kate Donofrio recently spoke with TechNewsWorld on the risks consumers and businesses are now facing. Read the full article below, or in its entirety on the TechNewsWorld website.
By Jack M. Germain
After 10 years of fully supporting Windows 7, Microsoft ended its official support for the out-of-date Windows operating system on Tuesday.
The popular classic Windows 7 OS still runs on some 200 million PCs around the globe, according to industry estimates. Users include small business owners, some larger companies, and hordes of consumers holding onto aging personal computers.
Microsoft committed to providing 10 years of product support when it released Windows 7 in 2009. The company's focus now is on supporting technologies that provide new user experiences, it said.
Microsoft has recommended that Windows 7 users move to Windows 10 prior to the end of support. Those that failed to heed the company's warning will become part of a very large attack vector for hackers, malware, viruses, and spyware.
"This end-of-life date is well known to hackers, and they are armed and ready to exploit."
"This end-of-life date is well known to hackers, and they are armed and ready to exploit," said Kate Donofrio, payment card industry technical lead and manager of Schellman & Company.
Windows 7 Pro and Enterprise users can purchase extended security update support for three years from Microsoft. Windows 7 Home editions and Ultimate editions are not eligible for extended support, she told TechNewsWorld.
"Much like mobile devices using the Windows Mobile or Windows CE operating system, a PC/laptop/terminal using Windows 7 will not just stop working the day that the OS end of life begins," noted Brian Harvey, lead systems engineer at Barcoding.
However, the end of support does mean users no longer will get support, security updates or bug fixes for Windows 7, he told TechNewsWorld. Continuing to use Windows 7 can put your data -- and potentially your customers' data -- at risk.
Must Do Something
PCs running Windows 7 probably will not become victims of attacks overnight, but the risk is not IF but WHEN malware, spyware, or viruses will find an opening into any particular unprotected computer.
Of course, Microsoft wants lingering Windows 7 users to upgrade to Microsoft 10. For those with computers no older than four years, a software upgrade can be applied. For older computers, a new purchase is the easiest and fastest way to avoid security risks and issues related to loss of support for Windows 7.
Purchasing a new PC will not be necessary if your existing system meets a baseline configuration, said Banish Angural, owner of Social Media Fellow.
That baseline configuration includes a 1 gigahertz (GHz) or faster processor or SoC (System on Chip) with at least 1 gigabyte RAM for 32-bit or 2 GB RAM for 64-bit computers, he told TechNewsWorld. The system should have 16 GB of hard drive space for the 32-bit OS version and 20 GB of storage space for the 64-bit OS version. Also needed is a DirectX 9 or later graphics card with WDDM 1.0 driver and a screen display capable of 800x600 pixels.
If the hardware is not compatible with Windows 10, another option is to repurpose the older hardware by installing a Linux distribution as an alternative to Windows 7, Barcodings's Harvey suggested.
The Linux operating system offers distribution options targeting Windows users and enterprise operations. The cost to download a complete Linux OS is free, and many Linux OS developers offer paid support options similar to what is available for Microsoft Windows 10.
Thousands of software applications that run on Linux also are free to download. Tools such as WINE let users run must-have Windows programs on the Linux platform.
Upgrade for Free
Upgrading to Windows 10 is the most convenient step for users who want to continue using Windows on their computers, said Kenny Trinh, managing editor of Netbooknews. The upgrade process is very easy, and you get to keep all your files in most cases.
That solution has two hurdles, though, he told TechNewsWorld. Your device has to meet the spec requirements to be able to run Windows 10, and you have to buy a Windows 10 license, which costs US$119.
For those whose specs aren't adequate or who don't want to shell out for a license, "installing a Linux OS is your best bet," Trinh said. "Linux is free to use, so you won't have to shell out a dime to use it. Plus, a number of Linux distros are specifically designed to run on older computers, so hardware won't be a concern."
Early on, Microsoft provided free upgrades to Windows 10. All you needed was a computer running an earlier version of Microsoft Windows and a product code number to qualify. That free offer officially ended a few years ago. However, it's still possible to get a free Windows 10 upgrade using the Windows Media Creation Tool.
This upgrade isn't meant for the general consumer, but it works for many nonetheless. First, you must download the upgrade on the computer still running Windows 7, 8 or 8.1.
Second, go to the Microsoft page to download the Windows Media Creation Tool. On that page, select the option to upgrade. Then enter your Windows 7 or Windows 8 license key.
If you have a Windows 7 or 8 Home license, you can update only to the Windows 10 Home version. With a Windows 7 or Windows 8 Pro product key, you can update only to Windows 10 Pro. The free upgrade is not available for Windows Enterprise.
What's the Risk?
The main reason to stop using Windows 7 is the security risk. That risk may be minor in the short term, but the longer you use the now-unprotected Windows 7, the higher your chances grow for trouble.
Microsoft will not provide security updates or fixes. You also will not get technical support for any issues. This leaves your computer at greater risk of being hit with viruses and worse.
Zero-day attacks get a lot of attention. The majority of vulnerabilities that get exploited by hackers are well known and have patches readily available to fix them, noted Kevin Landt, vice president of product management at Cygilant.
These patches no longer will be freely available, and hackers will be developing and sharing exploits, he told TechNewsWorld.
"I believe the hardest hit with the end of extended support will be the home consumer users and business owners not keeping up with current threats."
"I believe the hardest hit with the end of extended support will be the home consumer users and business owners not keeping up with current threats," Schellman & Company's Donofrio said.
Those who cannot afford to upgrade their systems or buy new systems to replace old Windows 7 systems will be at the highest risk, she warned. There is also a chance, even with Microsoft popping up warnings on end-user systems, that some consumers will not understand what all of this entails or take the threat seriously.
"These will also be the types of users who will not understand techniques to try and mitigate risks when new vulnerabilities are found and likely a high target for attackers," Donofrio added.
Outdated systems are major targets for attackers who are well aware of the upcoming end of support dates, she noted. That is especially the case for an operating system like Windows 7, which has large mainstream use by both businesses and consumer home users.
You can purchase a Windows 10 upgrade if you want to start with a fresh installation. On the Microsoft download page, download a disc image (ISO file) that can be used to install or reinstall Windows 10. The image also can be used to create installation media using a USB flash drive or DVD.
What Else to Do
If you are unable to upgrade or purchase extended security updates for Windows 7, you should take steps to reduce the attack surface of these systems. For example, disable all ports and protocols except those required for business reasons, suggested Cygilant's Landt.
"If possible, isolate the servers on separate network segments from those that have direct access to the Internet. The remaining risks should be documented and given a priority level for future remediation," he said.
Microsoft gave plenty of notice about the impending end of support, said Satnam Narang, senior research engineer at Tenable.
Larger businesses likely have the infrastructure to migrate their systems, but smaller organizations may not have the necessary resources to prepare for the switch, he told TechNewsWorld, so those companies should take the following measures to protect themselves:
- Rely on endpoint detection and antivirus software to detect known threats;
- Implement email protection, as threats can often come in the form of emails and can slip through the cracks of email filters; and
- Enforce security awareness training for all employees.
Isolation and Layer Are Key
To the maximum extent possible, those continuing to use Windows 7 should try to isolate or segment the machines with the unsupported (outdated) software or OS. This obviously can be a challenge in many cases, given that if an organization has a requirement to keep using the unsupported software or OS, then that would imply some level of criticality to that device, observed Troy Gill, manager of security research at AppRiver.
"So naturally, there may be limitations on just how isolated it can be while still performing its critical role. Always practice least privilege. And in a case like this, the importance of least privilege is amplified," he told TechNewsWorld.
Another way of bolstering Windows 7 from outside attacks is to take a defense-in-depth approach by adding security layers to help reduce risk with the unsupported system, Gill added. This should include the use of both network and personal firewalls, as well as placing the high-risk devices behind added hardware such as IPS.
Another consideration is to make sure you have uninstalled all unnecessary software and disabled unneeded services on these devices. This is always a best practice, but it can become even more important on a system relying on an unsupported OS or other outdated software, he said.
Business Risks Intensify
Even if you or your company no longer run Windows 7, businesses and others who still use the obsolete operating system could endanger your privacy. Consumers need to practice safe computing even if they run Windows 10, macOS or the Linux OS.
Organizations that continue running Windows 7 not only put their company and staff data at risk, but also that of their suppliers, partners and customers, because security patches no longer will be available, said Ken Galvin, senior product manager at Quest Software.
"Many businesses are still running Windows 7 because they have been slow to act, hadn't seen it as a priority, or thought of it as too much of a daunting challenge to upgrade all their systems. Daunting as it may be, we are now at the stage where the best option is to upgrade," he told TechNewsWorld.
However, if businesses cannot and have made arrangements with Microsoft to pay for continued Windows 7 patching support, it is critical that they make sure their patch management system will be able to apply them, Galvin added.
"It is not an impossible task, however. IT teams can and should be taking advantage of automation tools to assist with the migration and invest in ongoing endpoint management to make sure that these systems are continually up to date without the team needing to break their backs," he said. "Businesses should prioritize gaining visibility over all their systems so they can be 100 percent sure that each one is secure."
No Recourse, No Safety
The obvious risk is that Windows 7 systems no longer will receive patches from Microsoft. That means if a new vulnerability is discovered in Windows 7, all Windows 7 systems will be at risk for exploitation from malicious attackers, warned Mehul Revankar, director of product management at SaltStack.
"Going forward, Windows 7 systems will become ripe targets for attackers to exploit..."
"Going forward, Windows 7 systems will become ripe targets for attackers to exploit," he told TechNewsWorld. "When the next major Windows 7 vulnerability strikes, these would be the systems attackers would go after first, own them very quickly, and cause business disruption."
So, what should Windows 7 users do? Get an accurate inventory of all their assets and identify all Windows 7 systems in their organization, suggested Revanker.
They also should stop procrastinating and take action. Upgrade those assets to Windows 10 or later.
"If you can't upgrade for one reason or another, get them off the Internet at the very least, and add mitigating controls so that only authorized users have access to them," Revanker said. "The most likely problem is that systems will not be updated or will be slow to update -- and the longer the wait, the higher the risk that this results in a costly attack."
A Ray of Hope, Perhaps
Windows 7 will keep working come Jan. 15. Nothing will change overnight, said Chris Morales, head of security analytics at Vectra.
"It is true that Windows 7 will be more vulnerable to attack. That is the expectation. But I don't think the actual impact will be catastrophic," he told TechNewsWorld.
For home users who want to cling onto Windows 7 for whatever reasons, many of the potential problems could be mitigated using other tools and methods, like VPN, encryption, security software, and a good secure home router, Morales noted.
Many enterprises simply will sign up for Windows 7 Extended Security Updates for the next three years of coverage, which will protect against anything deemed critical or important.
"Not much will change in the attack landscape for enterprises with the Windows 7 Extended Security Updates. Most major apps like Google Chrome browser will also continue to be supported with updates for all users," said Morales.
For everyone else, an update to Windows 10 or a move to another supported OS should already have happened, he added. An unsupported operating system never should be used for public-facing Internet use, like browsing the Web or handling email, he added. It is bad practice.
A Common Problem
Thomas G. Plante, professor of psychology at Santa Clara University, has been concerned about loss of support for Windows 7 on his own laptop.
Long story short, the university's IT department recommended that he invest in a new computer with Windows 10, he told TechNewsWorld.
"That seems crazy from my point of view, as my computer is only 5-1/2 years old and works fine -- but that is what IT here suggests," Plante said.
Like many users, Plante relies on his employer's IT department for help. The university's IT staff claims that the hassles involved in upgrading make getting a new computer a better and more cost-effective option.
"Plus, the university will only service computers that are four years old or less to boot," he lamented. "Seems nutty but hey... ."
About the AuthorMore Content by Kate Donofrio