Don’t forget to install security patches and factor in end-of-life planning.
End-of-life issues arise when assets are no longer supported. Vendors commit to sending regular updates to fix security flaws until the promised period ends – after that, organizations can continue using the version, but there will be no further fixes for vulnerabilities or performance issues. So when companies adopt servers or software, they must also factor in an eventual transition period.
Issues are also common after acquisitions and mergers, when hardware limitations may prevent using the latest software on acquired technology. There is a tendency in such situations to just leave what’s working as it is, even if the software is old and vulnerable. This should be a sign that new hardware needs to be purchased, or a migration is needed towards a different provider. When neither is possible, the recommendation is to at least have older versions isolated in a separate environment with security to reduce exposure, ensuring a threat actor can’t just jump to other systems.
Occasionally, vendors will provide post-end-of-life security updates, as Microsoft did for Wannacry. These are rare but very urgent, and generally signal scenarios where millions of devices are at risk of major catastrophe. Never count on getting post-end-of -life security updates, but if you do receive one, take it very seriously.
Occasionally, vendors will provide post-end-of-life security updates, as Microsoft did for Wannacry. These are rare but very urgent, and generally signal scenarios where millions of devices are at risk of major catastrophe. Never count on getting post-end-of -life security updates, but if you do receive one, take it very seriously.
