The topic of security is indissociable from IT. After all, there is not much value to a system that can store, process and exchange often sensitive data if there is no security guarantees associated to it. Efforts in making IT systems more secure go back several decades. For instance, the first version of SSL was introduced in 1995, a library that paved the way for modern security technologies.
However, the cyber-security risk has never been as great as it is today. The amount and scale of such attacks has dramatically increased over the past few years. The International Telecommunications Union estimates that an attack occurs every 39 seconds.
The most targeted organizations are small to mediumsized businesses (SMB), as well as healthcare actors (such as hospitals).Notably, medical records are especially desirable for attackers due to the large amount of sensitive information they contain.
Those malicious actors are able to gain access to your systems by studying their security components (such as firewalls, or VPNs) and exploiting their flaws. Those flaws are almost always the result of a bug and typically end up being patched by the vendor innew versions of the software, if it is still actively supported.
What is a legacy system?
A legacy system is an outdated software program that is still actively used by an organization. What makes the system outdated is either its lack of support (the vendor may have stopped updating it) or its inability to integrate with modern, standard IT systems and current best practices.
A typical example of such a system would be Windows 7. Despite being phased out by Microsoft in January 2020, its market share is still around 13% as of April 2022. This Operating System (OS) no longer receives security updates, making it vulnerable to attacks, and is unable to integrate with the latest identity management system by Microsoft, Azure Active Directory.
Why you may like (parts of) it.
Legacy systems are mostly painful, but there are some more enjoyable aspects.
You know how it works (when it does)
As of 2020, an IT system is kept around 10 years inservice before being decommissioned.
That is quite a while, and it would give anyone actively working with it enough time to learn all of its quirks, necessary hacks to make it work, and reach a state where it can “just run” and where most issues can be resolved quickly thanks to extensive experience.
This leads to a certain sense of comfort when using the system. After all, we have already solved all errors it could throw at us at least once so when something bad happens we will handle it.
You spent a lot of money into it
IT is not cheap. You need to pay for compute, storage and networking to your cloud provider (or worse,maintain your own hardware), software licensing, support, employee training,and more.
This can make us reluctant to dump it. We spent so much money to get it up and running, so we should keep it now.
Yet, even if the cyber-security threat does not bother you, you should be aware of how much maintaining your legacy IT system actually costs you. It is estimated that the average enterprise spends 57 percent of its IT budget on supporting business operations and only 16 percent on boosting innovation. And this burden only grows over time, as the industry evolves and old technologies get phased out.
Why legacy IT puts your organization, employees and users at risk
Using deprecated, vulnerable libraries
A basic principle of software development is “Do not reinvent the wheel”. In practice this means that when implementing some web server, a developer will not implement HTTP from scratc hbut rather use a library developed by another developer to achieve this.
Some libraries for basic operations have become de-facto standards and are now widely used in many software programs. This means that those programs are able to leverage the library functions… And also share its vulnerabilities.
The still recent Apache Log4Jincident is a perfect example of this. Log4J is a library commonly used in Java applications to handle logging, it is developed by Apache, a very reputable vendor.
On December 9th 2021, a critical vulnerability is discovered that allows for arbitrary code execution.This means that an attacker able to exploit this vulnerability would be able to run code on the target machine running this library. In terms of security, this is as bad as it can get. The vulnerability was quickly fixed by the Log4J teams in a new version of the library.
So all good? There is a new version of the library so we are safe right?
Well, no. All software programs using this library must issue a new update integrating this library. And this is where the problems begin as weeks after the announcement that Log4Jmust be updated, 10% of scanned organizations were still using software integrating the old, vulnerable version.
And some legacy software whose support has ended will probably never get the update.
Lack of support for today’s best practices
The previous section may have caused you to check the End-Of-Life date for your firewall and VPN software among others — Good. But we are not done yet.
Just because the software is maintained and regularly get security updates does not mean your organizationis safe. Best security practices evolve each year and it is important to stick to them to minimize the risks. An example of that is the usage of Multi-FactorAuthentication (MFA) whose usage has increased over the past few years and is now considered a requirement to ensure secure access, alongside other techniques such as Single Sign On(SSO).
Problematically, legacy software typically lags behind the rest of the industry and is late to adopt new standards, if it ever does. An example of this is that logging in a Windows7 machine with SSO does not work in some cases:
SSO in Windows 7 or in Windows Server 2008R2 is not available for a full remote desktop connection through RD Web Access. (Source: Microsoft support)
Using legacy systems can slowdown or prevent the adoption of new security best practices, leading to increased risk of cyber-attacks.
On-premise infrastructure to the rescue..?
A common misconception is that running your IT system in your back-office makes you safe(r). The firewalls, VPNs and other solutions (such as TeamViewer) all have potential vulnerabilities that could serve as a point of entrance for attackers. Notably, VPN attacks wereup 2000% in Q1 2021.
Running your IT systems on-premise requires you to:
· Continuously maintain and update your hardware,
· Continuously maintain and update the underlying software infrastructure running the applications, such as networking, the operating systems and kernel.
· Ensure the physical security of your machines.
In the case of cloud computing, the security responsibility is shared with the cloud provider (such as Microsoft Azure, or Google Cloud Platform). In particular there is no physical security work to do, no network infrastructure to update and it is even possible to delegate the operating system updates if your applications can run inside containers (example: Docker).
As a result, on-premise IT systems can become an obstacle rather than an enabler or even a safe fallback.
Now I am scared, what should I do?
A good first step is to assess your Security Posture, to determine how strong your current cyber-security is and where weak points could be. A non-exhaustive list of points to look out for:
· Legacy software (by now you should know why!),
· Any access not requiring MFA, typically a simple user name and password. Bonus points if there is no enforced requirement on password complexity and update frequency.
· Review who can access what, everybody does not need access to everything. Make use of Role-Based Access Control to restrict access to resources based on user roles.
· Setup rules for password length, complexity, update and requirement for MFA. Make sure they are enforced by the system itself.
If your current IT systems do not allow you to implement some of these points, it is a good sign you may be dealing with legacy software and an update may be due.
In general, make sure to follow the best practices at all times and continuously monitor industry trends to minimize your attack risk. See also:
As long as there is valuable data to be stolen, there will be malicious actors to steal it. And they will not hesitate to target small companies, big companies, financial institutions or hospitals. There is little we can do to prevent the attacks but we can protect our organizations and users by sticking to best practices.
One of them is to not rely on legacy IT systems, which both integrates vulnerabilities and hinder the adoption of such best practices.