Nearly three quarters of businesses have end-of-support devices on their networks, according to new research. These statistics don’t surprise us. It’s a common phenomenon among our customers. But what does ‘end-of-support’ actually mean? When does it start becoming a serious security problem that needs addressing, and what can you do about it?
End-of-sale vs end-of-support
First, it’s important to understand the difference between end-of-sale and end-of-support. End-of-sale hardware and software is simply no longer available to new customers. However, the vendor is still servicing and supporting these devices and applications and will provide patches and upgrades as required. As such, using end-of-sale products carries no more security and business continuity risks than using recently released hardware and software. Indeed, if you replaced everything as soon as it reached end-of-sale, you would end up wasting a great deal of time and money.
However, one thing to remember for end-of-sale hardware devices such as network routers or switches, is that there may come a point where replacement parts are no longer available from the vendor. If, for example, the power supply in your router burns out and you can’t buy a new one, you may be at risk. But this is a manageable problem – you can often find second-hand parts or if necessary, ‘cannibalize’ other devices.
However, end-of-support, whether it’s called end-of-software or end-of-engineering support, means that the vendor is no longer releasing patches and upgrades, and will no longer provide expert help when something goes wrong. And this is a big problem.
For example, let’s suppose that you suffer a data breach because a cybercriminal manages to exploit a vulnerability in a key network device. The vendor is no longer supporting the software on that device, and you can’t patch it on your own. Where do you go from there? This is the point at which operating old hardware and software stops being reasonable and starts being extremely risky.
And this isn’t just an issue with the smaller vendor products. It’s a problem that also applies to the biggest, most trustworthy vendors out there – because as hardware or software gets old, no matter how powerful and robust it was to begin with, there is simply a higher and higher chance of it being vulnerable to being exploited by new threats. See, for example, our blog on malicious code embedded in older versions of Juniper devices.
Out of support, not out of mind
Many of the reasons for continuing to run out-of-support hardware and software are very understandable. Organizations that have invested a great deal of time and money in hardware and software want to use it for as long as possible. Migrating to a new device or application – even from the same vendor – can be difficult and can have knock-on effects on business operations if the configurations of the two versions are slightly different.
On the other hand, most industry regulations require you to use up-to-date software and hardware, particularly on security-related equipment. And while failing an internal audit might be uncomfortable, failing an externally-facing compliance mandate can be much more problematic. Regulators have good reason to demand that you upgrade to the latest supported versions – they are indeed safer.
Tracking the support status of device and software versions across large enterprise networks is extremely difficult to manage manually. Vendors do not have a uniform format, or any kind of standard reporting structure, for keeping customers updated on what is running out of support – they don’t even agree on a universal terminology! So it’s important to integrate and automate this process as part of your network security policy management workflow – such an integration can solve major headaches for IT and security teams.
With all this in mind, AlgoSec scans for and identifies out-of-support software versions on network security devices. For all of the vendors’ solutions we support, we flag out-of-support software as risks, and we update the cut-off dates whenever we issue a new version of our solution. Thus, AlgoSec customers can plan upgrades, or replacement procedures, and execute them smoothly. This is more efficient, more cost-effective – and far less likely to impact on your security and compliance postures.
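To illustrate the automated tracking described in the two paragraphs above, here is a small added example (written for this post, not AlgoSec's product code or any vendor's real data) that maps the differing vendor labels onto a single end-of-support date and flags each inventory entry; the vendors, versions and dates are constructed, and an untracked version is flagged rather than assumed safe.

```python
from datetime import date

# Vendors do not agree on terminology; map each vendor's label to one key.
# End-of-sale is tracked but, on its own, is not treated as a risk.
TERM_ALIASES = {
    "end-of-sale": "eosale",
    "end-of-support": "eos",
    "end-of-software-support": "eos",
    "end-of-engineering-support": "eos",
}

# Constructed support table keyed by (vendor, version); vendors are hypothetical.
SUPPORT_TABLE = {
    ("acme-fw", "7.1"): {"end-of-sale": date(2019, 1, 31),
                         "end-of-software-support": date(2022, 1, 31)},
    ("acme-fw", "9.0"): {"end-of-sale": date(2024, 6, 30)},
    ("bolt-rtr", "3.2"): {"end-of-engineering-support": date(2025, 3, 15)},
}

def normalize(milestones):
    """Collapse a vendor's own labels into {'eosale': date, 'eos': date}."""
    out = {}
    for label, when in milestones.items():
        key = TERM_ALIASES.get(label.lower())
        if key is None:
            raise ValueError(f"unrecognised milestone label: {label}")
        # If a vendor lists both software and engineering end dates, keep the earlier.
        out[key] = min(when, out[key]) if key in out else when
    return out

def assess(vendor, version, today, warn_days=90):
    """Return (status, days_until_eos). Versions missing from the table are
    flagged 'unknown': an untracked version cannot be shown to be supported."""
    raw = SUPPORT_TABLE.get((vendor, version))
    if raw is None:
        return ("unknown", None)
    m = normalize(raw)
    if "eos" not in m:
        return ("supported", None)
    remaining = (m["eos"] - today).days
    if remaining < 0:
        return ("out-of-support", remaining)
    if remaining <= warn_days:
        return ("expiring", remaining)
    return ("supported", remaining)

def assess_inventory(inventory, today, warn_days=90):
    """inventory: list of (device_name, vendor, version) -> {device_name: status}."""
    return {name: assess(v, ver, today, warn_days)[0] for name, v, ver in inventory}
```

In practice the support table would be refreshed from each vendor's published lifecycle notices, and the "expiring" window sized to your upgrade lead time.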