Not many days ago the FBI issued a warning about Windows 7 being end of life, and the risk of legacy systems being attacked by malicious actors. It’s timely but should have been unnecessary. It’s not like people haven’t known this was coming for several years now. After all, Microsoft ended support for Windows 7 back in the middle of January 2020, after making it clear to users, for years, that End of Life was coming, and they’d need to upgrade to Windows 10. At least if they intended to keep their environment secure, or even operational. In fact, Microsoft even had a program to upgrade your Windows 7 system to Windows 10 free of charge.
Why wouldn’t an organization make the switch?
There are a bunch of answers to that question. For example, my own dentist finally upgraded the office systems to Windows 10 after time, budget, and an upgrade path for their medical office suite converged. While I’d like to think my gentle nudges over several years to shift off Windows 7 had some influence, the main reason was a specialized software suite that was slow to update.
I’ve seen similar situations in other places. For example, broadcast media companies rely on systems that are built on Windows 7 and can’t be upgraded anymore because the company that built the encoder is gone.
But We Can’t Afford to Upgrade!
My daughter’s school district runs into the other common problem: a lack of budget, personnel, skills, or time to take systems offline and perform the upgrade. The student systems are all Chromebooks, but there are still legacy systems in the office.
Now, with the cases here, the obsolete Windows 7 operating system is on machines that are restricted to internal-facing duty. Since they don’t have internet access, they won’t be targeted by malicious outsiders. But they are still vulnerable to attacks that make it onto the network, which, unfortunately, is something that happens all too often. All it takes is for a user to fall for a phishing email or suffer a web-based drive-by, and the bad guys are inside.
These examples are all “best case scenarios,” where the vulnerable system is already isolated. The isolation gives them some protection, but it’s not enough to say, “we’ll just leave this old kit in place.”
There are a lot of cases where Windows 7 is exposed to the outside world. It’s surprisingly common in schools, particularly elementary and intermediate schools and small school districts, where the IT department is, at best, understaffed and, at worst, completely overwhelmed. With school budgets being what they are, it’s no surprise a lot of them are still running obsolete kit that is painfully in need of an upgrade.
The Bad Guys Don’t Care About Your Budget
Some people have suggested that schools won’t get attacked “because they have no money.” While it is true – they have no money – that provides zero defense against a malware attack. They might not be a primary target, or worth the effort of a focused spear-phishing or cast-netting campaign, but when an attacker can leverage a vulnerable Windows 7 system? Even a low payout is worth the time when the effort is basically nil.
That’s why bad actors will spray phishing and malware campaigns at ordinary people. They know that only a handful of people, out of a couple million, will bite. But when it costs less to target a hundred thousand people than it does to buy an extra-large latte, why not?
Pay Some Now, Or Pay More Later
Unfortunately, schools and small offices are not the only places that have old, obsolete Windows 7 kits with vulnerable operating systems in place. And lack of budget isn’t the only reason to keep these systems in service. Sometimes it’s a matter of legacy gear that simply has no modern replacement. We see that everywhere from hospitals to automotive repair shops. They have specialized equipment for which there is no obvious replacement, and the original manufacturer has either decided not to upgrade or is no longer around. They’d like to upgrade, but they can’t.
That doesn’t mean these systems can be ignored.
Eventually, your kid’s school will suffer a breach because of an obsolete system, or that 15-year-old music encoder the advertising department depends on will crash for good. In either case, it would be better to deal with the problem before the inevitable happens and you’re forced to scramble to get the grades out on time or keep the station on the air.
Seriously. If you still have unsupported systems in place, the time to upgrade was yesterday. Or maybe last year. Just don’t wait until it’s too late.