Legacy systems that security newbs need to watch

How to handle technology that’s been around and deployed since before you were born


Even though technology changes every day and the security ecosystem of most enterprises demands constant updates and layers, there are some legacy systems that security newbs should know how to handle simply because they just work.

Greg Hoffer, vice president of engineering at Globalscape, said that even though these systems have been around and deployed long before those who are fresh out of school and entering the security industry were born, the newbs still need to understand and watch these legacy systems.

  • FTP servers – Though decades old, they serve their purpose very well. Often legacy systems exist in the deep dark corners that people don't know about. FTP in and of itself is not secure. There are still a lot of people who move information around the internet without any security, and this can create threat vectors or risks. Many FTP servers are homegrown; some lie open and unknown.
  • Fax machines – An old technology, but they are still very widely used for many business transactions, including health and finance, while being incredibly insecure both digitally and physically. The scariest part is that there has been a transition from machine to voice over IP, so the data itself is effectively flowing over these insecure channels.
  • Modems – These are even older than fax machines, but a little younger than FTP servers. Currently, they are probably not as big of an issue as they were in the late 80s to early 90s. Often they were for one specific purpose. A company leased a line that went from a bank to the information provider. Sometimes, though, modems are a 2-in-1 machine with both fax and modem. Modems can allow a form of access into a computer that is otherwise protected by firewalls and all other technologies to make sure no one gets into your network. They remain an attack vector in some companies where modems sit in a dark corner and nobody knows it. 
  • Industrial/manufacturing control systems – These are SCADA systems (or similar systems) that are often found at large industrial or manufacturing plants. They monitor turbines that generate electricity through steam, or nuclear power processing plants. They are secured to the best degree possible through air gaps: the systems are hardwired and have no connection between the controls and the internet. In reality, though, there have been reports that show that with wifi networks the SCADA systems are connected and vulnerable.
  • Environmental controls – There are older systems that are somewhat comparable to today's IoT. One of Globalscape's customers uses software to manage heating and AC on top of Buckingham Palace. The system was likely installed 15 years ago, but it may have connectivity of some sort. They are using mechanisms to remotely access controls on that system so that folks aren't climbing up to the palace roof. Instead, they are using FTP to get sensor data. The vulnerabilities of these types of systems are surprisingly similar to the IoT vulnerabilities seen today.

Certainly there are the more modern environmental controls that have gotten some press with the explosion of IoT. These too can't be ignored. Even devices that consumers use in order to have remote access over their homes can pose security risks to the enterprise.

There is a trade-off with end users being able to do amazing things at home remotely. From turning the temperature up and down to managing their HVAC systems and refrigerators, there is so much more that is accessible via the internet. "As soon as you attach any device to wifi, that device becomes the weakest link in the security chain," said Hoffer.

Bad guys try to exploit the vulnerabilities to take advantage of the device, but they can also now move laterally throughout your house. If the device is also one used for work purposes, a malicious actor can exploit a VPN and get into the inner sanctum of corporate headquarters.

These are many of the challenges with technology that we don't think about on a daily basis. "We focus a lot of our attention on the things that are very prominent because people think about credit card transactions and point of sale security," said Hoffer. But securing the enterprise demands that practitioners young and old have an understanding of systems old and new.