The Security Risks of Outdated Software
Resistance to Change Can Be a Big Gamble
There are always early adopters of technology – using the latest and greatest in their business and personal lives – and late adopters, who would rather let all the kinks get worked out by someone else first. And who needs a huge disruption to their business – to their life – just to upgrade technology that’s working just fine? If it ain’t broke, don’t fix it.
The problem is, with technology, it may be broken in ways you can’t see. You could be gambling your enterprise – your data, your financial resources, your reputation, your security – all while thinking you’re being responsible and avoiding disruption to your business, your employees, and your customers.
The gamble is that using outdated software puts you at an increased risk of having a security breach.
Why? Outdated software is more likely to have flaws that can be exploited by cyber criminals. Those security gaps are more often present in older software that’s no longer maintained, automatically updated, or supported by its maker.
You know how there comes a point with an old car when it’s just not worth repairing? The same thing happens to software – new models come out, and while the developers work to continually “patch” (repair) the old models, at some point, they stop updating their manuals to focus on newer models. Technology companies using that outdated software in their solutions are left with no choice when the original developer is no longer issuing patches. It’s time to update to something safer.
Case in Point: Windows XP
Windows XP is so old…how old is it?
According to The Security Advocate, it’s so old, and the fact that it is outdated is so well known, that law firms still running the software can be held liable for any breach of client data, if the breach is found to be the result of the firm using Windows XP.
“It will be difficult to make a straight-faced argument in court that it was reasonable to safeguard client data with well-known outdated software that the software developer very publicly announced would no longer receive any further support or security updates,” writes The Security Advocate.
Imagine your business being legally liable for an attack, perpetrated by someone else, because your operating system is out of date.
Given that car dealers are essentially considered financial institutions, with lots of sensitive data in their systems, would you gamble your business on this? Get off Windows XP.
There was a lot of press on updating from Windows XP last fall when Microsoft announced that they were discontinuing support for the 12-year-old software. It was back in the headlines last spring when a western European country reported that hackers stole $1.32 million from ATMs. The ATMs run on Windows XP, which was cited as the reason they were vulnerable to the attack.
Some Windows XP users are using a hack to protect themselves from a hack. Someone has taken security updates issued by Microsoft for other Windows products and hacked them to supposedly be effective at updating Windows XP. Microsoft warns that these updates were not intended for XP and won't protect users. I don’t know about you, but I don’t think I would trust a random hacker to protect me from other hackers.
CDK Chief Business Security Officer Jim Foote recently spoke to Automotive News about something called the Bourne-Again Shell (Bash) Shellshock vulnerability.
What is a “shell”?
“Simply put, the shell is a program that takes your commands from the keyboard and gives them to the operating system to perform”, according to LinuxCommand.org. Think of it as the innermost part of your operating system. It’s invisible to the average user, and unfortunately, if a bad guy gets in and exploits your system at the “command level”, that will be invisible to users, too. It won’t be obvious on Windows or whatever operating system you’re using; it also won’t be visible in the applications you’re using.
What is the Shellshock vulnerability?
“Shellshock is an outside attack by remote computers or bots against a target system in which remote commands attempt to penetrate firewalls and other security defenses”, says Jim Foote. “If you’re still running w.e.b.Suite, that’s now over ten years old, it’s time, for security reasons, to upgrade to newer technology.”
Shellshock affects Bash on the Unix operating system – a popular system used by CDK, many technology companies, and the US government.
So if Shellshock is so bad, why can’t you protect against it? In most cases, you can. When alerted to the problem last fall by the government, CDK and other technology companies created patches to protect against this vulnerability. But if you’re using a system that’s running an older version of Unix, no longer being supported by its creator, there is no patch. The solution is to get up-to-date: upgrade from your old operating system to the newer, safer, more secure version.
So don’t gamble everything you’ve worked so hard to build in an attempt to keep your business from having to adapt to newer, safer technology. Playing it safe isn’t playing it safe at all when it comes to using out-of-date, unpatched software. You may be better off putting your money in a European ATM.
If you haven’t updated from Windows XP, tell us why. We’d like to hear from you. Security@cdk.com.