Stuck with Windows 7? Here’s a security game plan
Last week, Microsoft’s Windows 7, once the go-to operating system of nearly 60 percent of all computers, reached the company’s designated end of the road for security patches. Like Windows XP before in 2014, if you have a Windows 7 computer, it’s long past time for you to shell out some cash for a new one. But what can you do to protect your digital resources, if you aren’t in a position to do so?
For organizations as large as hospitals running million-dollar MRI machines to tiny nonprofit organizations without the resources to invest in new computers, the end of security support for Windows 7 represents a serious cybersecurity quandary. Although Windows 10 represented 50 percent of the personal-computer market last September and is now approaching 55 percent, its predecessor still claims more than 26 percent of the market.
Microsoft said in a statement that after supporting the operating system for 10 years, the company is moving on.
Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. This 10-year period has now ended, and Microsoft has discontinued Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end-of-support day for Windows 7 was January 14, 2020. Technical assistance and software updates from Windows Update that help protect your PC are no longer available for the product. Microsoft strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.
It’s not entirely clear how Microsoft will address critical vulnerabilities for Windows 7. When WannaCry struck computers around the world in 2017, Microsoft released a free security patch for Windows XP computers, even though it had been years since Microsoft had released any kind of update for its 15-year-old operating system.
READ MORE ON MICROSOFT AND SECURITY
Backing WebAuthn, tech giants inch closer to killing passwords
How to attack security issues like Google and Microsoft just did
Big tech supports Cloud Act, giving police easier access to overseas data
20 years on, L0pht hackers return to D.C. with dire warnings
Microsoft also now offers some organizations the option to pay for some cybersecurity breathing room. IT professionals might be able to convince their organizations to pay for Microsoft’s Windows 7 Extended Security Updates. The subscription service will continue to provide security patches for the next three years, and could run as high as $350 per computer for the full 36-month period.
Such a service isn’t going to work for health-critical medical devices that can’t be replaced every time the operating system expires, or for payment terminals run by organizations lacking the funds to upgrade, says Bob Rudis, chief data scientist at Rapid7, a cybersecurity research and analytics provider.
“Windows 7 is going to be the new XP.”—Bob Rudis, chief data scientist, Rapid7
“Windows 7 is going to be the new XP,” he says. “I don’t have a lot of sympathy for enterprises. Enterprises have had a lot of time to plan what their next step should be. Even small to medium businesses should have been budgeting to replace Windows 7. But I’m real concerned with nonprofits like hospitals that have to spend a lot to upgrade equipment, or airports, or individuals who can’t.”
Ken Munro, a consultant at the security research company Pen Test Partners, advises those who can’t or haven’t yet upgraded their systems to isolate their Windows 7 devices from the rest of their computer network.
“Block it off, put it on a separate network, implement access controls,” he says. Encrypting disk drives and preventing end users from having administrator rights on Windows 7 computers is key, he adds.
For people who have no control over which computer they use, such as a business- or government-mandated employee, Rudis cautions against using a Windows 7 computer for anything other than its intended purpose.
“I would treat that system as an untrustworthy system for anything outside what I’m supposed to be doing for work on that system. Do not access your home email, personal health records, or banking, and I would hesitate to use any part of the Internet from Windows 7 machines,” he warns.
The irony of the Windows 7 security dilemma, as with XP before it, is that experts say Microsoft has gotten significantly better at building secure operating systems over the past decade. Windows 10 is “a safer system by default,” Rudis says. “I have never been more optimistic about Microsoft’s ability to protect their users.”
For now, the burden lies with those who invested in Windows 7 and never upgraded. As somebody who spends time analyzing computer networks for security flaws and weaknesses where malicious hackers can get through, Munro worries that only those who know enough to be concerned about Windows 7 are the ones doing anything about it.
“The problem I have is that I’m dealing with the segment of the market that is forward-thinking and trying to upgrade. But the ones you find out about [who have suffered hacks] are the ones that haven’t been locked down.”