Tag: Microsoft End of Life

The U.S. Government’s Patch Management Problem

By Blog

Businesses are not the only ones experiencing the constant threat of data breaches. The U.S. government has its own fair share of patch management problems.

The Ponemon Institute’s 2018 study of enterprise security and vulnerability found that 57 percent of the organizations queried claimed a data breach had occurred in the past two years because of their failure to apply an available patch they didn’t know about. Even worse, another 34 percent said they knew they were vulnerable and that a patch was available—but they didn’t apply it.

As it turns out, it appears that business enterprises are not the only ones remiss. From all accounts, the U.S. government has its own patch management issues. The continued presence of open-source software in the public sector plays a significant role here, as does the fact that numerous governmental agencies at all levels are hamstrung by legacy IT infrastructure.

The vulnerability time-bomb

According to NextGov, it usually takes about three days for word of a software program’s significant flaws to reach the community of malicious online actors—and for those hackers to figure out how to take advantage of these vulnerabilities.

For a government agency, three days isn’t much time, considering the red tape and bureaucracy that lie between knowledge and action. The reality is, if agency security staffs aren’t working fast enough to find and quarantine or eradicate the flaw, chances are high that the bad guys can do some damage.

Security holes in government departments

Worse, it turns out that federal agencies—including the Departments of Defense, Treasury, and Justice, as well as the Nuclear Regulatory Commission and the Office of Personnel Management—are aware, at least to some extent, of existing security flaws.

Scorecards mandated by the Federal IT Acquisition Reform Act indicating agencies’ levels of cybersecurity and general tech capabilities have shown dismal grades in recent years: Most agencies scored F, F+ or D for multiple metrics on their two 2018 evaluations. The DoD, whose responsibilities include handling some of the most sensitive information in the whole government ecosystem, fares particularly poorly in such assessments, as its own Inspector General’s office confirmed in a December 2018 report.

Bob Metzger, an attorney with the government cybersecurity-focused law firm RJO, said in an interview with NextGov that patch management is a specific part of this problem. Agencies don’t necessarily have any clear process for assessing and patching software. Furthermore, department officials’ knowledge gaps regarding their own technology effectively handicap any patch management measures they do have.

“I would be very surprised if even a small percentage of federal agencies today had a usable inventory of the open-source components in the software that they rely upon for their critical agency functions,” Metzger explained.

Dealing with open-source concerns

In other words, programs built with at least some open-source components—whether based in long-established languages such as Java or newer ones such as Python—are everywhere in the global IT ecosystem, including the U.S. government. It’s unrealistic for any such agency—or, for that matter, any private-sector organization—to completely eradicate the use of such code. It is equally impossible, of course, to ignore the security risks it can pose.

According to Sonatype’s 2019 State of the Software Supply Chain report, 25 percent of all public- and private-sector developers said they underwent a breach caused by flaws in open-source components during 2018. The study also found that such breaches rose in frequency by 75 percent between 2014 and 2018.

What this all points to is simple: Any government agency or business looking to establish reasonable control over risk associated with open-source software and code must set up a patch management strategy immediately. It should include update support, not only for standards such as Microsoft Windows and Apple iOS, but also platforms from third-party software vendors and open-source developers—everything from Chrome, Linux, Java, and Python to individual programs such as Firefox, VLC, Adobe Flash and many more.

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.


Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Microsoft Warns that End-of-Life is Near for 1703

By News

Microsoft is reminding enterprise admins that Windows 10, version 1703 of Enterprise and Education editions, is reaching end-of-life on October 9, 2019.

Say Farewell to Patches for 1703 in October

This means that the version will be fully unsupported and will no longer receive new monthly security or quality updates. The consumer editions (Home, Pro, Pro for Workstations, and IoT Core) already reached end-of-life on October 8, 2018, and haven’t been receiving updates since.

Microsoft’s warning is, of course, no surprise. The 1703 version, the “Creators Update,” was released back in early 2017 and originally had 18 months of support; however, last September Microsoft extended the servicing period to 30 months for the 1703 Enterprise and Education editions.

“There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats,” Microsoft warned.

While Windows 10, version 1703 has received a fixed deadline, Microsoft has also been crafting its offer of paid Windows 7 patches for enterprise customers still running the older operating system after its support ends on January 14th, 2020.

Enterprise Agreement (EA) and Enterprise Subscription Agreement (EAS) customers with active subscriptions to Windows 10 E5, Microsoft 365 E5, and Microsoft 365 E5 Security can opt-in for ‘Windows 7 Extended Security Updates’ for a year at no additional charge. The promotion will run from June 1, 2019, to December 31, 2019.

What should you do next?

Even though Microsoft has announced that it would offer continued security updates to businesses for the maturing operating system, the free updates will definitely cease after January 14th, 2020.

For those who are still on Windows 10, version 1703, and need to migrate: move to a newer, supported feature update version, such as 1809, 1903, or even 19H2 (to be released in September or October of this year). Always double-check the endpoint’s hardware capabilities and whether it can support the latest supported versions of Windows 10. For more information on Windows 10 prerequisites, you can always check Microsoft’s requirements.

Whether you’re a consumer with an outdated version of Windows 10 or Windows 7, or an enterprise admin nearing, or even past, an end-of-life Windows 10 version, any unsupported version of Windows has the potential to be attacked and exploited through malware or even ransomware.
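The first step in the migration advice above is knowing which endpoints are actually on 1703 and which edition they run, since Enterprise/Education and the consumer editions have different end-of-life dates. The following PowerShell is an added example, not Syxsense or Microsoft code: it reads the installed feature-update version and edition from the standard `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` registry key and compares them against an end-of-life table that contains only the 1703 dates stated in this post. The function name `Get-WindowsServicingStatus` and the table layout are this example's own; dates for other versions are not on the page and would need to be added from Microsoft's lifecycle documentation.

```powershell
# Added example (not Syxsense or Microsoft code): report whether the local
# Windows 10 installation is past end-of-life, using only the dates the post
# above states for version 1703. Assumes a Windows 10 host.

# End-of-life table keyed by ReleaseId, then by EditionID. Only 1703 is filled
# in here (from the post); extend it with further versions as needed.
$EndOfLife = @{
    '1703' = @{
        # Enterprise and Education got the extended 30-month servicing period.
        Enterprise = [datetime]'2019-10-09'
        Education  = [datetime]'2019-10-09'
        # Home (Core), Pro (Professional), Pro for Workstations and IoT Core
        # ended on the original 18-month date.
        Consumer   = [datetime]'2018-10-08'
    }
}

function Get-WindowsServicingStatus {
    param(
        [Parameter(Mandatory)] [string]$ReleaseId,   # e.g. '1703'
        [Parameter(Mandatory)] [string]$EditionId,   # e.g. 'Enterprise', 'Professional', 'Core'
        [datetime]$Today = (Get-Date)
    )

    if (-not $EndOfLife.ContainsKey($ReleaseId)) {
        # A version we have no date for: report it rather than guess.
        return [pscustomobject]@{
            ReleaseId = $ReleaseId
            EditionId = $EditionId
            EndOfLife = $null
            Status    = 'Unknown: version not in end-of-life table'
        }
    }

    $versionTable = $EndOfLife[$ReleaseId]
    # Enterprise/Education carry their own dates; every other edition is consumer.
    $eol = if ($versionTable.ContainsKey($EditionId)) { $versionTable[$EditionId] }
           else { $versionTable.Consumer }

    $status = if ($Today -gt $eol) {
        'UNSUPPORTED: no further security or quality updates'
    } else {
        "Supported until $($eol.ToString('yyyy-MM-dd'))"
    }

    [pscustomobject]@{
        ReleaseId = $ReleaseId
        EditionId = $EditionId
        EndOfLife = $eol
        Status    = $status
    }
}

# Read the installed version and edition from the registry and evaluate them.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Get-WindowsServicingStatus -ReleaseId $cv.ReleaseId -EditionId $cv.EditionID
```

Run it locally on an endpoint, or wrap the call in `Invoke-Command` against a list of managed machines to build an inventory of which devices still need the feature update. Note that `EditionID` uses Microsoft's internal names (`Professional` for Pro, `Core` for Home), which is why anything other than `Enterprise` or `Education` falls back to the consumer date.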
