Cybersecurity in Review: The Alarming Trend of Unsupported Systems
Quick question: when is it ok to run a networked system without updates?
If the answer takes more than 1 second and is anything other than “never,” we need to talk.
Imagine this: a major corporation crippled overnight by a cyberattack, all because of one overlooked detail – outdated systems. This isn’t a hypothetical scenario; it’s a reality faced by numerous organizations in recent years. Keeping systems up to date isn’t just good practice; it’s a necessity for survival. At TuxCare, we’ve dug deep into this issue in our 2023 Year-in-Review report.
One piece of data stood out like a sore thumb.
Context
Roughly 40% of respondents told us they are using CentOS, making it the most widely used distribution among the enterprise respondents, still ahead of alternatives like AlmaLinux, Rocky, and friends.
That was not the surprising part. CentOS is a robust distribution with a well established deployed base (anecdotal evidence placed it as the most widely used operating system for the world wide web a few years ago).
Then, we asked which version(s), and here is where things get interesting. CentOS 7 (48.38%) was the most widely used, followed by CentOS 8 (27.41%), and very close after that CentOS 6 (24.19%). Now consider that, of the three, CentOS 6 and 8 have been out of official support (i.e., past end of life, EOL) for years, and CentOS 7 is going the same route this coming summer.
A snapshot of our findings:
- CentOS Usage: 40% of respondents use CentOS, more than Stream, AlmaLinux, Rocky, and others.
- Version Distribution:
- CentOS 7: 48.38% (Will go EOL – June 2024)
- CentOS 8: 27.41% (Already EOL – December 2021)
- CentOS 6: 24.19% (Already EOL – November 2020)
- Post-EOL Usage: 22.22% of CentOS 6 and 7.69% of CentOS 8 users are running these versions without any support. Over 9% plan to continue using CentOS 7 unsupported post EOL.
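The snapshot above is easy to turn into an inventory check. The following script is an added example, not TuxCare's code or part of the report: it reads the content of `/etc/os-release` or `/etc/centos-release` collected from each host, maps the CentOS major version to the EOL month given above (resolved to the last day of that month, an assumption), and reports hosts that are already unsupported or within a configurable warning window. The host names and release strings are constructed samples.

```python
"""Flag CentOS hosts that are past, or approaching, end of life.

Added example. The EOL table comes from the months in the survey summary,
resolved to the last day of each month (an assumption for date arithmetic).
"""
import re
from datetime import date

CENTOS_EOL = {
    "6": date(2020, 11, 30),  # EOL November 2020
    "7": date(2024, 6, 30),   # EOL June 2024
    "8": date(2021, 12, 31),  # EOL December 2021
}

# /etc/centos-release style line, e.g. "CentOS Linux release 7.9.2009 (Core)"
RELEASE_RE = re.compile(r"CentOS(?:\s+Linux)?\s+release\s+(\d+)", re.IGNORECASE)


def centos_major(text):
    """Return the CentOS major version found in /etc/os-release or
    /etc/centos-release content, or None if the text is not a CentOS system."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    if fields.get("ID", "").lower() == "centos":
        version_id = fields.get("VERSION_ID", "")
        return version_id.split(".")[0] or None
    m = RELEASE_RE.search(text)
    return m.group(1) if m else None


def classify(text, today):
    """Return (status, days). status is one of 'not-centos', 'unknown',
    'supported' or 'eol'; days counts until (supported) or since (eol) EOL.
    today may be a date or an ISO date string such as '2024-01-15'."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    major = centos_major(text)
    if major is None:
        return ("not-centos", None)
    eol = CENTOS_EOL.get(major)
    if eol is None:
        return ("unknown", None)  # a CentOS release not in the table
    delta = (eol - today).days
    if delta < 0:
        return ("eol", -delta)
    return ("supported", delta)


def report(inventory, today, warn_days=180):
    """Summarise a {hostname: release-file-content} mapping, one line per host,
    sorted by host name. Hosts inside warn_days of EOL get a planning nudge."""
    lines = []
    for host, text in sorted(inventory.items()):
        status, days = classify(text, today)
        if status == "eol":
            lines.append(f"{host}: EOL for {days} days - no security updates")
        elif status == "supported" and days <= warn_days:
            lines.append(f"{host}: EOL in {days} days - plan migration or extended support")
        else:
            lines.append(f"{host}: {status}")
    return lines


# Constructed sample inventory (not real hosts or real collected data)
SAMPLE_INVENTORY = {
    "web-01": "CentOS Linux release 7.9.2009 (Core)\n",
    "db-02": 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="8"\n',
    "legacy-03": "CentOS release 6.10 (Final)\n",
    "build-04": 'NAME="AlmaLinux"\nID="almalinux"\nVERSION_ID="9.3"\n',
}

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY, date.today()):
        print(line)
```

In practice the inventory dictionary would be filled from whatever already collects release files (a configuration management facts cache, an agent, or a simple `ssh host cat /etc/os-release` loop), and the report run on a schedule so that a host silently crossing its EOL date shows up the same day rather than in next year's survey.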
Now, you can rightly say that there are third-party support options available (for example, TuxCare’s) to continue running those systems and still receive security updates, but we wanted to make sure that was actually what was happening.
Of the ones who answered CentOS 6, 22.22% admit to continuing to run it without support. For CentOS 8, that figure is 7.69%. And over 9% admit they will run CentOS 7, post EOL, without support.
If that doesn’t make your alarm bells go off, you’ve not been paying attention.
A Ticking Clock
Let’s get this out of the way here, so that there isn’t any doubt about where I’m going with this: “there is no way to run a system without updates and still consider your environment secure.” You can quote me on that.
So it’s fair to say that the organizations accepting this risk are hedging their bets on the very dangerous assumption that “it won’t happen to me” (hint: it will; your organization is not special in that regard) or “we’re not important enough to be targeted” (this doesn’t matter one iota – it’s a numbers game for threat actors).
Additionally, those organizations, and those systems specifically, are a risk not only for the infrastructure they are part of, but also for everyone else online. If nothing else, botnets depend on finding and exploiting vulnerable systems to grow, and thus create a bigger problem for others too.
That’s Just Marketing
Since EOL, CentOS 6 has been affected by over 2100 vulnerabilities. Almost 2000 for CentOS 8. We have a live counter here for the ones patched by TuxCare. To believe that such systems are still yours, and only yours, in the current cybersecurity landscape is probably wishful thinking.
There are countless reasons why you’re locked into EOL operating systems. Anything from a lack of resources to perform the migration or upgrade, to lacking hardware support on newer distributions, and even to unmaintained code bases powering the workload running on those systems… the list goes on. But, at some point, the mindset has to change – the risk exposure is only getting worse, while the perceived benefit of avoiding the hassle of doing the migration (and it is a hassle!) isn’t really a benefit at all.
Extended support offerings not only help mitigate the problem, they will buy you time. It’s one of the few situations where you can get more time, at will, to solve a given problem. And it makes your environment safer, and everyone else’s too, as an added benefit.
Friends don’t let friends run unpatched systems.
You can find more information in the full report, including some interesting correlations between difficulties faced and risk awareness – it seems like we only start to realize the problem when we’re facing concrete situations.
The full report will be available in the coming days through the TuxCare website.