In the wake of the Paris attacks, a computer glitch that brought Orly airport to a halt may have initially seemed like the work of cyberterrorists. But in fact, it was a glitch in an air traffic control system that is still running on Windows 3.1 – an operating system from 1992.
Lest you think the French are alone, a similar incident closed airspace in London last December when a computer failure was blamed on 50-year-old software. And when Microsoft stopped supporting Windows XP this past April, it was estimated that over 500 million XP systems were still in active use, making them a prime target for zero-day exploits because security patches are no longer released for them. Despite U.S. compliance requirements for healthcare and retail to eliminate unsupported operating systems, we regularly find them in our audits, running Point-of-Sale terminals and medical testing equipment.
The IT landscape is full of outdated software, and many organizations do not conduct regular software audits to confirm what is on their networks, or have a process in place for replacement or retirement of software that is no longer supported and is ripe for exploitation in cyberattacks.
Keeping your software up-to-date is a critical component of your overall cyber strategy. An estimated 70-80% of malware can be prevented with up-to-date software. So why aren’t organizations more proactive about this? In some cases it’s a shortage of resources, whether human or financial, to address the issue. In other cases, it’s a lack of awareness of what is running or the dangers of leaving unpatched systems on the network.
If you have older operating systems, or suspect you do, create and maintain an inventory of all production systems, including OS types. Standardize as much as possible to make maintaining versions easier. Use compensating controls such as segregation, firewalls and system hardening to help protect your network from vulnerabilities found in older operating systems. Your cyber strategy is only as strong as the weakest component!
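One way to act on the inventory advice above, as an added example that is not part of the original article: a script that reads a system inventory, flags operating systems past vendor support or with no lifecycle data, and lists which compensating controls each one lacks. The hostnames, CSV columns, "Example OS 10" and "VendorRTOS 2" are constructed, and the lifecycle table is an assumption to be checked against vendor lifecycle pages.

```python
import csv
import io
from datetime import date

# Last day of vendor support per OS. Assumption: check these against the
# vendor's lifecycle pages. "Example OS 10" is a constructed, still-supported OS.
LAST_SUPPORTED_DAY = {
    "windows 3.1": date(2001, 12, 31),
    "windows xp": date(2014, 4, 8),
    "example os 10": date(2099, 1, 1),
}
CONTROLS = ("segregated", "firewalled", "hardened")  # compensating controls

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,role,os,segregated,firewalled,hardened
pos-01,Point-of-Sale terminal,Windows XP,yes,yes,no
lab-07,Medical testing equipment,Windows XP,no,no,no
web-02,Web server,Example OS 10,yes,yes,yes
atc-03,Legacy control console,Windows 3.1,yes,no,no
hvac-04,Building controller,VendorRTOS 2,yes,yes,yes
"""

def audit(inventory_csv, today):
    """Return unsupported or unknown-lifecycle systems, least protected first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        last_day = LAST_SUPPORTED_DAY.get(row["os"].strip().lower())
        if last_day is None:
            status = "unknown"       # no lifecycle data: review, never assume supported
        elif today > last_day:
            status = "unsupported"
        else:
            continue                 # still receiving security patches
        missing = [c for c in CONTROLS if row[c].strip().lower() != "yes"]
        findings.append({"host": row["host"], "os": row["os"],
                         "status": status, "missing_controls": missing})
    findings.sort(key=lambda f: len(f["missing_controls"]), reverse=True)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, date.today()):
        gaps = ", ".join(f["missing_controls"]) or "none"
        print(f'{f["host"]:8} {f["os"]:14} {f["status"]:12} missing: {gaps}')
```

Systems at the top of the output are the ones to segregate or replace first; an "unknown" status means the lifecycle table needs an entry before the system can be counted as supported.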