More than six months after the end of life of Windows 7, the operating system is still alive and well. In fact, devices are nearly just as prevalent as they were last year.
Windows 7 devices accounted for 15% of all endpoint operating systems in the Forescout Device Cloud as of June. While this is not a comprehensive account of all devices, it represents a significant sample size with more than 12 million unique IT, Internet of Things, and operational technology (OT) devices across every major industry.
As a sign of the operating system's prevalence overall, it was only in January 2019 — four years after it first launched — that Microsoft's most recent operating system Windows 10 surpassed Windows 7 in usage. Microsoft put the end of life into effect January 14, 2020.
This month, the FBI issued a private industry notification warning that it had observed cybercriminals targeting outdated operating systems and recommending that companies update to the most recent versions in order to reduce risk.
"Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered," the FBI warning says. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target, the agency adds.
The end of life of Windows 7 meant that Microsoft would no longer be issuing ongoing security updates for the operating system. While this does not make the operating system more prone to cyberattacks right away, it does mean that it will become inherently less secure over time as patches are not issued for newly found vulnerabilities.
"You can continue to use Windows 7, but once support ends, your PC will become more vulnerable to security risks. Windows will operate but you will stop receiving security and feature updates," Microsoft says in a warning to users about continuing to use the out-of-date operating system. It encourages them to update to the latest version, Windows 10.
The devices still running Windows 7 could be found in companies in nearly every industry, from government to financial to manufacturing, according to the Forescout figures. These devices could include PCs, servers, and a variety of other devices, all of which at this time are unsupported from a cybersecurity perspective by Microsoft.
However, updating many of these devices isn't necessarily as simple as it might sound because there are millions of Windows 7 devices still out there, and the average organization could have hundreds or even thousands of these devices. Organizations will have to first identify which devices are still running the out-of-date operating system, then take the time to update each.
Further complicating that challenge is updating many devices in operational technology or critical infrastructure environments may unintentionally break the functionality of critical software running on that device, or the device itself. The organization may also not be able to tolerate the downtime needed to update the device if it is responsible for a critical function, such as in a healthcare or manufacturing environment.
The continued occurrences of Windows XP, which was made end of life in 2014, illustrates this challenge of moving devices off of legacy operating systems. According to the Forescout data, tens of thousands of devices are still running Windows XP nearly six years after it is no longer supported.
Organizations who have instances of devices that cannot be updated for any of these reasons may want to consider other risk mitigation steps they can take, especially as the amount of time that the operating system has been unsupported grows. In particular, this risk underscores the benefits of a zero-trust architecture, which starts from the assumption that all devices are risky unless proven otherwise.
Implementing zero trust starts with having a deep and comprehensive understanding of all devices on the network and their risk posture, including devices like those running Windows 7 that may have additional risk factors. That context can then be turned into security policies and network segmentation strategies based on a device's individual risk posture. Ideally, an organization can implement this framework across all types of networks, including wired, wireless, cloud, and OT.
The vast majority of devices running Windows have made the upgrade to Windows 10. According to Forescout, 78% of Windows devices are running that most recent operating system, which is consistently updated with security patches. For the remaining Windows 7 devices, organizations should deploy a strategy to identify and secure them.