By Jonathan Yarden
Some of my coworkers accuse me of being eccentric, but I think you can often gauge the level of security competency within a company by checking out the hardware and software in its data center. It's not a scientific fact, but it's my experience that the more a company clings to older hardware and software, the less likely it understands the importance of Internet and information security.
I'm not saying older software is less secure—quite often, it's more secure than newer software. But eventually, obsolete and unsupported software itself becomes a security, support, and business risk.
In general, it's best to only use supported software, especially if it's commercial. But how and when should software companies discontinue support? And when should organizations make the move to newer versions of software?
I don't think software companies should drop support for products that are still in wide use, regardless of the reasons. But sometimes there are factors beyond the desire to sell new software.
For example, Microsoft's 2001 settlement with Sun Microsystems technically "forced" the software giant to drop support for quite a few products. Microsoft initially planned to discontinue paid support for multiple versions of Windows 98 on Jan. 16, 2004, but the company announced last week that it would extend support through June 30, 2006.
According to News.com, a study by AssetMetrix found that Windows 98 is still on a significant number of companies' desktops, despite the marketing efforts of Microsoft. Many users haven't upgraded, and I've seen the looming problem in corporations and data centers. Windows 98 may be an older operating system, but a lot of people are still using it.
In my opinion, as long as companies don't use Windows 98 on a network—including the Internet—it's reasonable to leave it alone for a while. However, keeping Windows 98 in a company's long-term plan probably isn't a good idea. Sooner or later, Microsoft will discontinue support, and companies will eventually have to upgrade to a newer version of Windows.
Outdated and unsupported software will always necessitate additional security considerations, but saying that all obsolete software is a security risk is wrong. In fact, incidents that lead to security compromises often occur with newer versions of software.
Organizations need to find a balance between security issues and cost concerns. But there's no single method to determine when obsolete software represents a cost savings or an impending disaster.
However, there's one method to prevent the majority of wide-scale security issues in the first place—apply the appropriate security updates when they come out. When it comes down to it, staying diligent in maintaining and updating your systems remains the single most important factor in Internet security.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.