End of Support But Not End of Use: Security Implications of Unsupported Operating Systems

The Ubuntu operating system has increased its commercial foothold in recent years as an open-source alternative to Windows and Red Hat Enterprise Linux. As versions of Ubuntu reach End of Support, companies are faced with the choices of migrating to a supported version of Ubuntu, continuing to use an unsupported version, or paying for Extended Security Maintenance to continue to receive security updates.

What is the level of risk associated with the continued use of a version of Ubuntu that has reached End of Support? Is it necessary to pay for Extended Security Maintenance, or can other mitigations be implemented as an alternative to applying security updates? Understanding the level of risk associated with legacy operating systems will support the decision-making process when prioritizing budgets and schedules.

This presenter will discuss the results of research performed during a graduate program. Two separate versions of Ubuntu which have reached End of Support, 14.04 and 16.04, were evaluated to compare vulnerabilities present in baseline operating systems with operating systems receiving updates through Extended Security Maintenance. This evaluation included identification of vulnerabilities using commercial security scanners, such as Tenable Nessus and Rapid7 Nexpose.  A select number of identified vulnerabilities were then further evaluated using Kali Linux and Metasploit to demonstrate whether these vulnerabilities could in fact be exploited.