Category: ITSecurity Training

Is your Windows10 version obsolete already?  there are many versions of Windows10 and it depends on when it was released, example – the first one version 1507 released July 2015 has a end of service date of May 9, 2017.

The problem is every software manufacturer  Can’t or doesn’t keep releasing  vulnerability updates forever. The reason has to do with structural and other programmatic changes that would make some updates very difficult to incorporate. In fact in some cases it would be a herculean task to make changes, so it is a monetary and feasibility reason as to why there is and end of service date.

Now that you know that there is an “end” date what needs to be done?

Update to new version of Windows10!!!

Here is the lifecycle table for Windows10 versions from support.microsoft.com webpage

So as an IT user or professional we must learn the technical nature of our devices. Microsoft does not want to issue a version update like in years past:

I.e. version 3.0(1990) with first multi-task abilities, then 3.11 with networking. When 4.0  was due that became WindowsNT and 95.  As the marketing team took control of the naming of new Windows Operating systems the version changes(1.0/2.0/3.0/4.0) were not reflected in the names, only as an additional “version” number.

My version is relatively new (released April 2018), so I have until Nov 2019 until I _have_ to make a change.

Now Microsoft is at Windows10 and with a 4 digit version number.  The actual numbers do not have a significance except that it tells you when it was released and when it will have end of service life only if you look it up in a Microsoft End of Service Table.

There is another reason to keep a close eye on this End of service date, as once the version is obsolete, no more updates will be made and you are out of compliance with your systems.

At the Microsoft End of Service webpage there is an interesting sentence:

“Some editions¹ can defer semi-annual feature updates at Settings  >Windows Update >Advanced options or via a policy that an organization’s management system may provide to the device. On devices that haven’t been configured for deferral, you’ll need to install the latest feature update to help keep your device secure and have it remain supported by Microsoft. New versions may be automatically installed prior to the end-of-service date of the current version on your device.

¹ Home edition does not support the deferral of feature updates and will therefore typically receive a new version of Windows 10 prior to the end-of-service date shown.”

So in theory the windows Update will update the Windows version before it expires and no longer updates on its own. But for those of us in IT that have managed hundreds of systems, not all systems update correctly. You cannot assume all systems will updates on their own.

It is best to have someone review your systems which can be done in an automated fashion by scanning the systems. If an old Operating system is present the scan will reveal a high vulnerability (10 out of 10).

Since the system will not get any more updates, the system has to be initiated to upgrade.

Contact US to help you with this process

So that we are all on the same page -Vulnerability Management is when an IT department manages it’s inventory of devices with regard to what vulnerabilities each device could be at risk for.

So if every system you own has a vulnerability, and you have 1000 systems it could get a bit challenging to manage. Consistently updating all systems for all vulnerabilities is a constant job of testing the patch, and updating the production system at a convenient time to the business.

At cvedetails.com you can review all cve’s (Common Vulnerabilities and Exposures)Each piece of software and hardware can have a potential vulnerability. This is much bigger than you think.

Powershell can give you a list of your programs:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize

From the “How-To Geek” website:

A sample in this image:

The image above has 38 pieces of software(which is likely not comprehensive).   Technically all of these can have a vulnerability(not including Windows and all of it’s subpieces).

So already you can see that 100 systems with at least 40 or 50 pieces can have 4000 to 5000 software versions that may not be the same versions for your network.

This is why there are 109403 vulnerabilities, since a vulnerability for software ABC v1.0 is different from ABC v2.0.

So if this is such a large difficult beast, how can we tame it? Or even fix it?

Actually it is relatively easy to fix by combining Risk management and vulnerability management.

Evaluate all your systems – which system has the most risk and highest impact with failure?

Finding this system should receive most of your focus on testing and updating. And that is just the start, as now the difficult part of figuring what to do with  the other systems, as if you ignore the other systems attackers will come in from that angle.

Contact us to review your systems and set up a risk management matrix for all your systems.

Did you think it would never happen? Microsoft and Linux are increasing in their ties to each other.

So as we protect systems in our networks, we are increasingly incorporating Linux systems for various reasons, Web servers, specific SQL server database needs  or other reasons (file sharing or other support systems).

A potential threat vector to the Microsoft Windows environment/ network could be the Linux machine. Especially if Microsoft Powershell  commands can be run on a Linux machine. Now you can truly have any machine  that is taken over be the breach entry that takes down your network.

How is this possible (viewing Internet Storm Center posts)? By installing a number of software pieces:

1. First install Powershell itself
2. Second install Mono (an open source implementation of Microsoft’s .NET framework)
3. Install OpenXML
4. Now you can run Powershell

This is an interesting development as it means that even a Linux machine can be turned into a sophisticated attack machine into your environment.  Of course we knew that as Kali Linux has specific attack tools. But now we are not using attack tools but Microsoft tools running on Linux.

I want to switch directions a little bit and discuss the problems of directing a company:  By stating “Business Decisions” — “External Pressure”  in a Risk Assessment discussion.

The cybersecurity – world of vulnerabilities is in the space of “External Pressure”, but I wanted to create a picture of the whole world of Risk for a company. And the risks are in Supply Chain,cloud, leadership/labor,change in technologies.  When one sees risk for the company in its totality, the new vulnerabilities risk is much smaller in comparison to the others. especially if the other risks are changes in competitors(Amazon) or changes in environment.

It is only when some news event comes into the fore, like a major breach, then it is obvious that Cybersecurity needs to be reviewed periodically.

Of course if one did that in the first place, then one can focus on the market and technology changes.

This is the problem we computer risk professionals wage, as the CEO/CFO are forever working the major problems for the company, and they rarely see cybersecurity as a major threat – due to much more important problems for the company.

Contact Us to discuss how we can let you focus on more important things, let us do some of the Cybersecurity items.