Managing the risks of obsolete software platforms
According to guidance from the National Cyber Security Centre (NCSC) the risks of using obsolete software are significant and result from two compounding factors:
- Absence of security updates increases the likelihood that exploitable vulnerabilities will become known by attackers
- Latest security controls and protections are absent in older software, increasing the impact of vulnerabilities, making exploits more likely and making detection more difficult
Over time, new vulnerabilities in obsolete software are discovered that can be exploited by relatively low-skilled attackers. Products such as antivirus offer even less protection than achieved on up to date systems, as signatures are typically not tuned to detect attacks targeted at obsolete systems.
As high-impact security incidents become more likely to occur, the results can be catastrophic, effecting an entire organisation. Timely response to security critical events therefore becomes increasingly important if obsolete software is present, to reduce any compromise spreading. This can place significant demands on already overstretched security teams.
NCSC recommend therefore that obsolete systems should be treated as untrusted, as should processed data and files sourced from the Internet, even if originating from a known third party.