3.4.1. EOL vs. EOS Risk Implications
💡 First Principle: When vendor support ends, the organization becomes solely responsible for addressing new vulnerabilities in that product — without the vendor's security research, patch engineering, or CVE coordination. This is not just a patching problem; it's a fundamental change in the organization's security posture for every system running that software.
Timeline of risk escalation:
EOL vs. EOS — practical distinction:
| Status | Vendor Provides | Security Implication |
|---|---|---|
| Active support | Features, patches, support | Normal operations; patch regularly |
| End of Life (EOL) | Security patches + support (no new features) | No operational concern; full security patch coverage continues |
| End of Extended Support | Security patches only (paid, limited) | Patches available but narrowing; plan migration |
| End of Support (EOS) | Nothing | New vulnerabilities get no patches — risk compounds over time |
After EOS — the accumulation problem: Every new vulnerability discovered in the unsupported software becomes a permanent, unpatched vulnerability. Six months after EOS, an attacker has a growing catalog of unpatched CVEs to choose from. One year later, the catalog has grown further. Unlike actively supported software where patches appear within days of CVE publication, EOS software accumulates exposure indefinitely.
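The status table and the accumulation problem can be checked against an asset inventory in code. The following is an added example, not part of the original study guide: it classifies a hypothetical product into the lifecycle phases from the table (the phase labelled "Extended support (paid)" corresponds to the "End of Extended Support" row) and counts how many CVEs published after the EOS date can never receive a vendor patch, at several checkpoints, using constructed dates and placeholder CVE identifiers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lifecycle phases, matching the rows of the status table above.
ACTIVE, EOL, EXTENDED, EOS = "Active support", "EOL", "Extended support (paid)", "EOS"

@dataclass(frozen=True)
class Asset:
    product: str
    eol: Optional[date]             # vendor stops shipping new features
    mainstream_end: Optional[date]  # free patches/support stop; paid extended support only
    eos: Optional[date]             # vendor ships nothing further (None = not yet announced)

@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    published: date

def support_status(asset: Asset, today: date) -> str:
    """Return the lifecycle phase the asset is in on `today` (latest milestone wins)."""
    if asset.eos and today >= asset.eos:
        return EOS
    if asset.mainstream_end and today >= asset.mainstream_end:
        return EXTENDED
    if asset.eol and today >= asset.eol:
        return EOL
    return ACTIVE

def permanently_unpatched(asset: Asset, cves: list, today: date) -> list:
    """CVEs for this product published on or after EOS and known by `today`; empty before EOS."""
    if support_status(asset, today) != EOS:
        return []
    return sorted(c.cve_id for c in cves
                  if c.product == asset.product and asset.eos <= c.published <= today)

def exposure_timeline(asset: Asset, cves: list, checkpoints: list) -> dict:
    """Size of the never-to-be-patched catalog at each checkpoint: the accumulation problem."""
    return {d: len(permanently_unpatched(asset, cves, d)) for d in checkpoints}

# Constructed sample data: hypothetical product, invented dates, placeholder CVE ids.
LEGACY = Asset("legacy-ctrl-os", date(2018, 1, 1), date(2019, 1, 1), date(2020, 1, 1))
SAMPLE_CVES = [
    Cve("CVE-EXAMPLE-0001", "legacy-ctrl-os", date(2019, 6, 1)),   # pre-EOS: vendor patched it
    Cve("CVE-EXAMPLE-0002", "legacy-ctrl-os", date(2020, 3, 15)),
    Cve("CVE-EXAMPLE-0003", "legacy-ctrl-os", date(2020, 9, 30)),
    Cve("CVE-EXAMPLE-0004", "legacy-ctrl-os", date(2021, 2, 10)),
    Cve("CVE-EXAMPLE-0005", "other-product", date(2020, 5, 5)),    # different product: ignored
]
```

Run `exposure_timeline(LEGACY, SAMPLE_CVES, [...])` with checkpoints six, twelve and eighteen months after EOS to see the catalog grow from one to three entries while the pre-EOS CVE never appears.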
Risk management options when EOS is unavoidable:
| Option | When Appropriate | Risk Level |
|---|---|---|
| Immediate migration | Technically feasible; cost < risk | Eliminates the risk |
| Extended support purchase | Vendor offers it; short bridge period needed | Delays the problem; not a long-term solution |
| Compensating controls + migration plan | Migration complex; timeline 6-24 months | Managed risk with defined endpoint |
| Risk acceptance with controls | Migration impossible; business dependency | Documented risk; ongoing monitoring; enhanced isolation |
| Retire the function | Business process can be eliminated | Eliminates the asset and the risk |
⚠️ Exam Trap: Compensating controls for EOS systems (network isolation, enhanced monitoring, application whitelisting) reduce but never eliminate the risk of running unsupported software. They are interim measures, not permanent solutions. The exam will test whether you understand their limitations.
Reflection Question: A manufacturing plant's production control system runs on Windows Server 2008 (EOS January 2020). Replacing it requires a $3M production line shutdown. The CISO is considering indefinite compensating controls. What specific controls would you implement, and what governance obligation remains regardless of the technical controls chosen?