How shadow IT and obsolete software menace enterprise infrastructure

One-in-16 of all IT assets have reached the end-of-life stage of support, potentially exposing enterprises to known-but-unpatched vulnerabilities, according to a new study.

The figure comes from an analysis of raw data aggregated from visibility into 1.2 million IT assets, including servers and devices, on the networks of Sevco customers and prospects.

In addition to finding 6% of assets had reached EOL, Sevco’s study also found that 28% of all IT assets are missing at least one critical control – either endpoint protection or patch management.

Third-party experts said that issues posed by out-of-date software and shadow IT systems (unsanctioned technologies used by workers outside of any administration or control by the IT department) are growing.

In the shadows

“The volume and availability of non-standard, unmanaged, devices exposed to the internet, and configured by non-security-minded users is growing exponentially,” said Rik Ferguson, VP of security intelligence at Forescout. “These devices are often not as well secured or as visible as the traditional IT estate and remain uniquely vulnerable.”

Last month a threat actor was spotted attempting to sell access to the large cloud security company Zscaler. Following an investigation, Zscaler discovered a test server which was not hosted on its core infrastructure.

In the 2023 Okta attack, attributed to the use of unauthorized IT systems, corporate credentials were saved to a personal Google account before a work laptop was infected by malware, underscoring how shadow IT can lead to unauthorized access and potential data breaches.

End of life — but not end of risk

Out-of-date software poses significant risks by increasing the attack surface and making organizations more vulnerable to exploits.

For example, an outdated version of JavaScript was a contributory factor in a high-profile breach against British Airways in 2018 (pdf). The risk posed by outdated Windows XP systems at UK hospitals and elsewhere was exposed by the infamous WannaCry malware in 2017.

IT assets that vendors deem to have reached end of life (EOL) no longer benefit from regular software updates or security patches under standard maintenance contracts — although some vendors will offer extended support for a fee. The base price for three years of extended security updates for a single Windows 10 PC, for example, will be $467 after it reaches end of life in October 2025, a little less than the $490 that it cost to keep a Windows 7 PC patched through 2023. Although enterprises may get better pricing, it’s perhaps not surprising that some cash-strapped organizations decide to take a gamble.

Javvad Malik, lead security awareness advocate at KnowBe4, said: “The biggest risk of out-of-date software is in areas which have historically not been connected to the internet. So things like hospitals or critical infrastructure can often be found to be running out of date software.”

Ilia Kolochenko, CEO at ImmuniWeb, argued that the problems of shadow IT and outdated software are “deeply intertwined”.

“To combat against the risks of shadow IT, organizations should maintain and continually update a comprehensive inventory of all their systems, software, users, accounts, data and third parties that have any access to corporate data,” Kolochenko told CSOonline.com.

Sometimes even officially sanctioned IT systems are not kept up to date — such as those without adequate patch management systems in place identified by the Sevco study.

It was an unpatched — but eminently patchable — instance of Apache Struts that enabled the great Equifax data heist of 2017, for instance.

Experts agree that organisations need to conduct thorough audits and risk assessments. The best defences involve tight configuration management, software bill-of-materials tracking, security awareness training, and limiting what can be installed.

“Understanding your attack surface and conducting regular external asset mapping exercises is critical,” Tim West, Director, Threat Intelligence at With Secure. “It is important to note that the answer is not just solely technological. There is a human element behind shadow IT and why it happens. Training and ensuring existing processes work for the needs of your staff is also critical.”

ImmuniWeb’s Kolochenko added: “Even experienced software developers may carelessly deploy a container, with production data, in a cloud to experiment with some new features, eventually forgetting about it, let alone non-technical users with their home computers used for business or mobile devices.”