search menu icon-carat-right cmu-wordmark

Upgrade, Retire, or Replace Unsupported Software (Part 4 of 7: Mitigating Risks of Unsupported Operating Systems)

Katie C. Stewart

In line with its risk management program, an organization might decide to host unsupported applications on its supported or unsupported operating systems. In this post, I describe how organizations should upgrade, replace, or retire unsupported software assets, including operating systems.

Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.

To reduce its exposure to cyber attack, it is critical for the organization to manage its unsupported software assets. If a software asset is identified as "no longer supported by the vendor" (i.e., the vendor no longer releases security updates), the software asset manager should remove it from the network or place it in a sandbox, limiting its exposure to critical assets and minimizing the risk of attack.

Removing an entire operating system has broader implications than isolating individual software assets. In most cases, the operating system will need to be upgraded or replaced completely, which affects the applications that rely on it. Your organization should closely monitor these actions--upgrading, replacing, or retiring--to ensure they remain in line with the organization's risk management plan.

What You Can Do

  1. Remove and isolate unsupported software from your organization's network.
  2. Upgrade, retire, or replace unsupported software assets.
  3. Closely monitor software activities to ensure they align with your organization's risk management plan.

Check back next week to read about establishing and maintaining whitelists, or subscribe to a feed of the Insider Threat Blog to be alerted when a new post is available.