A recent outbreak of cyber-attacks against web commerce sites using Magento 1 underscores the importance of having a security strategy for technology that has reached the end of its life (EOL) or is no longer supported by its vendor.
Adobe announced in September 2018 that support for Magento 1 would end in June 2020, giving organizations ample time to move to Magento 2 or take other measures to protect their e-commerce websites. That warning did not stop a number of companies from "sticking" with Magento 1: about 100,000 entities are still running the old version.
The same goes for Windows XP, which Microsoft "gave up" in 2014, but is still used by 30% of computers worldwide, according to Net Applications.
"I call it the tsunami of the past," said Setu Kulkarni, vice president of strategy and business development at WhiteHat Security. "The software or software service (i.e. API) may reach its end of life because the organization no longer invests in it. But that does not mean that users stop using it."
This is not to say there are no good reasons to cling to technology that has reached EOL or EOS (end of support).
For example, interdependencies between systems and software can discourage some companies from moving away from technology that has reached EOL.
Construction companies, electricity companies and other infrastructure organizations will continue to use technology beyond EOL or EOS because replacing it is too expensive. Similarly, health care providers may have EOL software on medical devices, such as a very expensive MRI machine that is only three years old but still runs Windows XP.
There are other considerations. If, for example, the product at the end of its life cycle is more mature than newer, less tested products, or if all of its known vulnerabilities have already been fixed, or if the organization has adequate mitigation expertise, then it could be argued that the old product is "safer" than a newer product in which new vulnerabilities are likely to be discovered on a regular basis in the future, said Kedgley.
Users may still be exposed, however. "The main problem is being left without security patches," Kedgley said. "The vulnerabilities discovered after end of life will never be fixed, with every hacker knowing where they are."
Renfrow also noted the "very large list of software defects found in products every day," which do not disappear once support ends. The difference is that the developers will not necessarily provide patches. WannaCry, which exposed how widely Microsoft EOL software was still in use worldwide, prompted what Renfrow calls an exception: "Microsoft released a fix for those software versions that were EOL. This is a rare example of support for EOL software."
John Yun, vice president of marketing at AppOmni, said new technology comes with "new and better security features" without which an organization cannot gain a leading position in security. "Failure to take advantage of new opportunities can have dire consequences," he said.
While companies may choose to take their chances with EOL technologies, attackers pay close attention to systems that are EOL or EOS, so companies need to do the same - and that means making plans.
Justin Kezer, CEO at nVisium, said companies should keep an inventory of all their assets together with their dependencies. "This is the starting point for us to be able to plan what needs to be replaced or updated and when," he said.
Ideally, they should "plan to move to the 'latest' platforms, which are always the safest and best supported," Kedgley said. But if that is not possible, they should at least do whatever they can.
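The inventory-and-dependencies step described above can be turned into a simple, repeatable check. The script below is an added illustration written for this article; it is not code from nVisium, WhiteHat Security, Adobe or any other party quoted here. The asset list and the lifecycle table are constructed sample data (the product names, the asset names, the dependency links and the `warn_days` threshold are all assumptions), and a real inventory would take its EOL dates from the vendors' own lifecycle announcements. It flags each asset as past EOL, approaching EOL, or inheriting EOL risk from something it depends on, which is the information needed to decide what to replace and when.

```python
"""Flag inventory entries whose product, or any dependency, is past end of
life (EOL) or approaching it.  Added example with constructed data."""
from dataclasses import dataclass, field
from datetime import date

# Constructed lifecycle table: product -> announced EOL date (None = none announced).
# Illustrative values; take real dates from the vendor's lifecycle pages.
EOL_DATES = {
    "magento-1": date(2020, 6, 30),
    "windows-xp": date(2014, 4, 8),
    "php-7.4": date(2022, 11, 28),
    "magento-2": None,
}


@dataclass
class Asset:
    name: str                 # hypothetical asset identifier
    product: str              # key into EOL_DATES
    depends_on: list = field(default_factory=list)  # names of other assets


def days_until_eol(product: str, today: date):
    """Days left before EOL (negative once past); None if no EOL is announced
    or the product is not in the table."""
    eol = EOL_DATES.get(product)
    return None if eol is None else (eol - today).days


def classify(assets, today: date, warn_days: int = 180):
    """Map each asset name to a status string.

    'eol'                -> the asset's own product is past EOL
    'eol-in-N-days'      -> own product reaches EOL within warn_days
    'inherits:<dep>:<s>' -> own product is fine, but a dependency has status s
    'unknown-product' / 'unknown-dependency:<dep>' -> inventory gap to fix
    'ok'                 -> nothing to act on
    """
    by_name = {a.name: a for a in assets}
    cache = {}

    def own_status(a: Asset) -> str:
        if a.product not in EOL_DATES:
            return "unknown-product"
        d = days_until_eol(a.product, today)
        if d is None:
            return "ok"
        if d < 0:
            return "eol"
        return f"eol-in-{d}-days" if d <= warn_days else "ok"

    def status(name: str, trail: frozenset) -> str:
        if name in cache:
            return cache[name]
        if name in trail:          # cycle guard: do not recurse forever
            return "ok"
        a = by_name[name]
        s = own_status(a)
        if s == "ok":
            # Walk dependencies; the first one needing action taints this asset.
            for dep in a.depends_on:
                if dep not in by_name:
                    s = f"unknown-dependency:{dep}"
                    break
                ds = status(dep, trail | {name})
                if ds != "ok" and not ds.startswith("unknown"):
                    s = f"inherits:{dep}:{ds}"
                    break
        cache[name] = s
        return s

    return {a.name: status(a.name, frozenset()) for a in assets}


def needs_action(statuses: dict) -> list:
    """Names of assets that are not 'ok', sorted for a replacement plan."""
    return sorted(n for n, s in statuses.items() if s != "ok")


# Constructed sample inventory (names and links are assumptions).
INVENTORY = [
    Asset("storefront", "magento-2", depends_on=["app-runtime"]),
    Asset("app-runtime", "php-7.4"),
    Asset("legacy-shop", "magento-1"),
    Asset("reporting", "magento-2", depends_on=["legacy-shop"]),
    Asset("mri-console", "windows-xp"),
]

if __name__ == "__main__":
    today = date(2022, 9, 1)   # fixed date so the run is reproducible
    for name, s in classify(INVENTORY, today).items():
        print(f"{name:12s} {s}")
    print("plan:", needs_action(classify(INVENTORY, today)))
```

Running it with the fixed date shows `legacy-shop` and `mri-console` already past EOL, `app-runtime` reaching EOL in 88 days, and the two Magento 2 assets inheriting risk through their dependencies, which is exactly the chain that a per-product check would miss.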