
Why using end of life software is a bad idea

Ravi Bindra, CISO

Nothing is built to last forever – and this is especially true for enterprise-grade computer hardware and software.

For organizations of all sizes, the idea of upgrading hundreds or even thousands of machines because a provider deemed it necessary is a grim thought. To make matters worse, many organizations are unaware that a simple oversight when updating their applications can lead to errors with catastrophic business implications.

However, keeping programs that have surpassed their End of Life (EOL) is even more hazardous. Running EOL software on enterprise networks is one of the most common vulnerabilities that increases an organization’s data breach risk. For example, although Microsoft warned that Windows 7 would be retired in January 2020, recent research has shown that 17 percent of desktops are still running the operating system as of June 2021. Windows 7 is a much-beloved operating system so it’s not surprising that organizations don’t want to let it go. However, it simply isn’t as secure as its successor. Businesses that failed to adapt paid the price when 98% of the computers impacted by the 2017 WannaCry ransomware attack were running Windows 7.

For that reason, it is imperative that organizations understand how to reduce the security risks EOL software poses and prepare to upgrade solutions that are nearing their EOL date. Let’s take a closer look at why you shouldn’t keep software past its expiration date and outline best practices to prepare for upcoming EOL announcements.

What is End of Life (EOL)?

EOL occurs when a manufacturer decides to stop selling, supporting, and patching their hardware or software. Functionally, the manufacturer no longer considers the software or device “useful” and likely plans to release a newer model. The company may provide some “post-support” warranty, but it often comes with a high price tag. Unless the customer pays the premium, the manufacturer will no longer provide firmware updates, patches, or upgrades.

Although “end of life” is often used loosely to cover “end of service” (EOS), the two are not the same. Manufacturers often try to encourage customers to buy new products by no longer providing maintenance services or updates after a certain date. If a solution has surpassed its EOS date, the manufacturer might still sell the product but will no longer provide services or support. Then, it’s typically only a matter of time before the EOL date is announced.

Some recent examples of EOL and EOS software include:

  • Skype for Business Online (EOL July 31, 2021) – Microsoft recently announced the start of their EOL program for the integration of Skype for Business with third-party audio conferencing providers.
  • Windows 10 (EOL October 14, 2025) – Microsoft announced it will end support for Windows 10.
  • Skype for Business Server (EOS October 14, 2025) – While Skype for Business Online will be retired as early as 2021, Skype for Business Server stays with an extension date until 2025.
  • Adobe Flash Player (EOL January 2021) – At this time, Adobe does not support Flash Player (ended December 31, 2020) and blocked Flash content from running in Flash Player starting January 12, 2021.

Why EOL software is a major security risk

While you may think you have some time before you need to take action when an EOL date is announced, it’s strongly suggested that you create a plan immediately. For example, when Microsoft announced it was ending support for Windows 7, many organizations struggled to upgrade to Windows 10. As a result, complications arose for those who didn’t prioritize upgrading. This is because EOL software poses various major security threats if left unchecked. When a particular software is retired, manufacturers no longer supply patches, bug fixes, or security upgrades, leaving open the vulnerabilities that threat actors use as entry points into networks and systems. Think about it this way: if your organization is your house, EOL software is the easily evaded, out-of-date security system you put in place 10 years ago.

During the pandemic in 2020, digital transformation was imperative. Organizations everywhere had to figure out how to pivot their transformation strategies and as a result, EOL software often fell off the to-do list. However, identifying and removing any instances of EOL or EOS across the board is the only way to ensure cybercriminals won’t leverage vulnerabilities within retired software. Hackers have become more sophisticated than ever and finding a weak spot in EOL software is easier than one may think. This is exactly why your organization should avoid giving threat actors the opportunity in the first place by discontinuing use of EOL software.

The added risks of running out-of-date software

In addition to security risks, running EOL software poses several other potentially major problems that organizations need to consider. While it might seem most convenient to keep software and hardware until they stop working, understanding all potential risks of doing so can help when doing a cost-benefit analysis. Some risks that companies need to be aware of include:

  • Compliance: Most regulations and industry standards incorporate patch management as a compliance requirement. Regulated industries are obliged to maintain and run only supported and up-to-date software/hardware.
  • Software compatibility: Outdated operating systems may not be able to run newer software.
  • Performance and reliability: Older technology is more likely to run slowly or stop working entirely, leading to lost productivity.
  • Costs: IT teams spend more money and time trying to fix, secure, and maintain EOL technology over time than a new purchase would cost.

Despite these risks, it’s common for organizations to wait until the last possible moment to update their EOL hardware or software. Further, threat actors know the security vulnerabilities that EOL software and devices have, and they will continue to leverage them in attacks. Each day that the manufacturer goes without providing a security patch is another day for malicious actors to find brand new vulnerabilities.

Once a manufacturer announces that one of its products or services is approaching end of life, your business should begin to immediately create a plan for replacing the soon-to-be-legacy technology. Generally, this means:

  • Review current state: Engage in an asset inventory analysis and understand all system dependencies.
  • Research options: Compare different subscription models and replacement choices.
  • Plan strategy: Decide what needs to be replaced first and find any necessary additional upgrades.
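The “review current state” step above is, in practice, a comparison of an asset inventory against a table of vendor EOL dates. The following script is an added example, not code from the post or from SoftwareOne: it takes a constructed inventory, a hand-maintained EOL table seeded with the dates cited in this post (the exact Windows 7 retirement date, January 14, 2020, is assumed from Microsoft’s lifecycle notice), and a fixed report date, and sorts assets into past-EOL, approaching-EOL, supported and unknown buckets, earliest deadline first. Assets whose product is not in the table are reported separately, since an inventory you cannot map to a lifecycle is itself a gap to close.

```python
from datetime import date, timedelta

# Hand-maintained EOL reference table (assumption: in a real estate this would be
# populated from each vendor's lifecycle pages, not typed in by hand).
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Skype for Business Online": date(2021, 7, 31),
    "Adobe Flash Player": date(2020, 12, 31),
}

# Constructed sample inventory: (asset name, installed product). Not real hosts.
INVENTORY = [
    ("fin-ws-01", "Windows 7"),
    ("fin-ws-02", "Windows 10"),
    ("conf-bridge", "Skype for Business Online"),
    ("kiosk-lobby", "Adobe Flash Player"),
    ("lab-srv-09", "LegacyApp 3.1"),  # deliberately absent from EOL_DATES
]

# Fixed report date so the output is reproducible (shortly after the post's June 2021 figures).
REPORT_DATE = date(2021, 6, 30)

# Flag anything whose EOL falls within this window as "approaching".
WARN_WINDOW = timedelta(days=365)

STATUSES = ("past_eol", "approaching", "supported", "unknown")


def classify(product, today):
    """Return one of STATUSES for a product as of `today`."""
    eol = EOL_DATES.get(product)
    if eol is None:
        return "unknown"          # no lifecycle data: cannot be assessed
    if today > eol:
        return "past_eol"         # no more patches from the vendor
    if today + WARN_WINDOW >= eol:
        return "approaching"      # plan the replacement now
    return "supported"


def days_past_eol(product, today):
    """Days since EOL (negative if still supported); None when unknown."""
    eol = EOL_DATES.get(product)
    return None if eol is None else (today - eol).days


def triage(inventory, today):
    """Bucket inventory rows by status; dated buckets are ordered earliest EOL first."""
    buckets = {status: [] for status in STATUSES}
    for asset, product in inventory:
        buckets[classify(product, today)].append((asset, product))
    for status in ("past_eol", "approaching", "supported"):
        buckets[status].sort(key=lambda row: EOL_DATES[row[1]])
    return buckets


if __name__ == "__main__":
    report = triage(INVENTORY, REPORT_DATE)
    for status in STATUSES:
        for asset, product in report[status]:
            delta = days_past_eol(product, REPORT_DATE)
            detail = "" if delta is None else f" ({delta:+d} days relative to EOL)"
            print(f"{status:12} {asset:12} {product}{detail}")
```

The one-year warning window is an arbitrary planning horizon; the point of the exercise is that the past-EOL and approaching buckets become the replacement backlog, and the unknown bucket is the list of assets whose lifecycle data still needs to be tracked down before the review is complete.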

How can you strengthen security if your technology is already past the EOL date?

Once a manufacturer no longer supports or sells certain software or hardware, your overall security risk will grow by the day. This means you need to expedite your planning process. However, upgrading your solutions will still take time, which means you’ll be at elevated risk until your initiative is complete.

To reduce your risk, start by immediately undergoing a penetration test, which will help your organization gain visibility into whether its security controls are effective or whether it needs to enhance its security posture. Then, you can provide temporary fixes for these security vulnerabilities while you work to upgrade your larger estate.

How SoftwareOne can help

As the old adage goes, an ounce of prevention is worth a pound of cure. At SoftwareOne, we know that creating and nurturing a mature Software Lifecycle Management (SLM) strategy will help you intuitively understand the best way to manage contracts and costs, mitigate risks, and fine-tune your governance processes. This will allow you to act quickly the moment EOL is announced, and even anticipate it ahead of time.

However, if it’s a little too late for that, don’t hesitate to undergo penetration testing. We offer Vulnerability Assessments and Penetration Testing that are designed to provide your team with an in-depth analysis of discovered vulnerabilities across internal and external networks. This, in turn, helps mitigate the risks associated with your current EOL software.

Whether you need to take a proactive or reactive approach, SoftwareOne’s experts will be standing by to assist every step of the way.

Final thoughts

You might feel blindsided and overwhelmed by an EOL announcement as it likely requires your organization to completely reorient its entire software estate. However, don’t delay in making a plan as soon as you hear the announcement. Proactive action will help you create a clear path forward to ensure ongoing security, compliance, and performance. And when you stay ahead of EOL dates, your entire organization will benefit.


Never miss an EOL date with SoftwareOne

With SoftwareOne by your side, you can identify and rectify the weaknesses involved with using EOL software before they’re ever used against you. Find out how we can help you today.


Author

Ravi Bindra, CISO

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.