Forgotten risks hide in legacy systems

Investing in new tools and solutions and making sure they’re doing their job may be top-of-mind in your security department, but older, less-used systems could be quietly costing you money and putting you at risk

These days, there’s no shortage of new business technologies and new threat vectors to the enterprise. But what many companies forget is that old technologies pose risks as well, and those risks aren’t going away. In fact, as your legacy systems continue to get more out-of-date while the world around them continues to evolve, the risks may be increasing.

A few of the things that make legacy systems risky include unpatched software, hard-coded passwords, and a failure to draw any budget money for repairs.

Patch me, please!

There are many reasons that a company might not apply all the patches and other recommended fixes for a legacy system. Some software is too business-critical to mess with, and if a patch has the potential to break things, it might get postponed until it’s tested first…and that testing never happens.

For example, a company may have customized its legacy software to a large degree, and upgrading to the next version might require all the customization work to be re-done.

With each missed patch or missed software upgrade cycle, it becomes that much harder and more expensive to roll out the next one, until the system is so deep in technical debt that there’s no way to dig it out without starting over from scratch.

Then there’s software for which patches or upgrades just aren’t available, for example because the vendor went out of business or discontinued that particular product.

According to the latest Secunia report, 3.9 percent of all software on the average PC in the U.S. is no longer patched by the vendor. The most common programs to outlive their support systems? Old browsers and old versions of Java.

“It’s probably even worse on the business side,” says Stefan Frei, research vice president with NSS Labs, a security research firm. “The end user can just run auto update. But the corporation has policies and testing in place to delay the patching. And with some systems, there are legal barriers, where you’re not allowed to touch the system without losing your warranty of certification. You are in a very bad situation—you are doomed if you don’t update, and you are doomed if you do.”

Or if the software was written in-house, the original developers may have long since moved on and there’s no longer anyone around to do the work.

“As the baby boomer generation ages and retires, many customers are losing knowledge of the underlying algorithms in those applications,” says Jim Thompson, the CTO of the technology department in Unisys’ Technology, Consulting and Integration Solutions organization.

Some software can’t be patched at all, including that found in printers, scanners and thermostats.

The biggest single legacy system that’s about to cause a lot of people a lot of problems? Windows XP, which Microsoft will no longer support starting this April.

Ken Pfeil, global security officer at Pioneer Investments, calls it “the coming X-pocalypse.”

“There are a number of people sitting on zero-day exploits just chomping at the bit,” he predicts. “The Black Hole exploit kit, which was very prevalent, hasn’t been replaced yet, but I expect that by the end of April, beginning of May, you’re going to see XP systems get compromised at a point-and-click rate.”

Pfeil says he expects his own company to be completely off of Windows XP by April. But he added that not every company can switch over. Windows 7, for example, has specific hardware requirements. “And a lot of the very large organizations can’t refresh 30,000 desktops within the next six months.”

The login is ‘admin,’ the password is ‘password’

There used to be a day, back before SQL injections and buffer overflows, back before the Internet, back before you could sell Social Security numbers online in bulk, back before user interface design, when writing software was a much simpler matter of just coding the required functionality as efficiently as possible.

That day is now long gone, but the software written back then is still around, still running critical infrastructure in the financial, medical and energy industries.

Take, for example, the issue of default and hard-coded passwords. This isn’t a new problem, but it is significant enough that the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, issued an alert last summer warning companies to change passwords.

“Attackers can easily obtain default passwords and identify Internet-connected target systems,” the alert said. “Passwords can be found in product documentation and compiled lists available on the Internet. An attacker with knowledge of the password and network access to a system can log in, usually with root or administrative privileges.”

Legacy applications in particular often have several types of backdoor accounts with access to key databases, says Karen Eldor, director of product management at CyberArk Software.

Some are default passwords supplied by the vendor, while others are hard-coded into the software or in configuration files.

“These passwords are typically privileged passwords because they need high-level access to systems,” she says. “And if they’re hard-coded, many people don’t even know they exist, and if they’re re-used, nobody knows they’re being used or where they came from. It could be a very significant problem for an organization.”

This issue often appears on company radar screens for the first time when a company fails a security or compliance audit, she adds.

But of course, non-regulated industries are vulnerable as well.

Where automation can help

The first step of tackling the problem is to identify its scope. CyberArk, for example, can help companies find instances of hard-coded passwords in their legacy software.

“We are very experienced with this, and know where it’s usual to find them,” says Eldor.

Once the problems are identified and prioritized, then a company can decide to allocate its available resources where they will do the most good.

For example, in the case of hard-coded passwords, a company can decide to change them manually at certain intervals, or set up an automated system to change them periodically, or use a password management tool to remove hard-coded passwords entirely and replace them with on-demand passwords that change continuously and can be managed centrally.
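As an added illustration of the discovery step (example code, not CyberArk's tooling or the article's own): a small scanner that flags credential literals in configuration text, separates well-known factory defaults from other hard-coded values, and skips values resolved from a vault at runtime. The key list, the default-value list and the sample files are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Keys that usually carry a credential (illustrative, not any vendor's logic).
CREDENTIAL_KEY = re.compile(r"^(?:.*[._-])?(password|passwd|pwd|secret|api_key|token)$", re.I)
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[=:]\s*(.*?)\s*$")
EMBEDDED = re.compile(r"(password|pwd)=([^;&\s]*)", re.I)   # e.g. "...;password=x" in a URL
# Factory defaults of the kind the US-CERT alert describes.
DEFAULT_VALUES = {"", "password", "admin", "root", "changeme", "default", "123456"}

@dataclass
class Finding:
    path: str
    line: int
    key: str
    kind: str   # "default" = known factory value, "hardcoded" = any other literal

def classify(value):
    return "default" if value.lower() in DEFAULT_VALUES else "hardcoded"

def scan_text(path, text):
    """Report credential literals in one configuration or source file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]                 # drop trailing comments
        m = KEY_VALUE.match(line)
        if m and CREDENTIAL_KEY.match(m.group(1)):
            value = m.group(2).strip("'\"")
            if value.startswith("${") and value.endswith("}"):
                continue                            # fetched at runtime from a vault: not hard-coded
            findings.append(Finding(path, lineno, m.group(1), classify(value)))
            continue
        for em in EMBEDDED.finditer(line):          # credential inside a connection string
            findings.append(Finding(path, lineno, em.group(1), classify(em.group(2))))
    return findings

# Constructed sample files; no real system is represented.
SAMPLE_FILES = {
    "legacy/app.properties": ("db.user = svc_ledger\n"
                              "db.password = password\n"
                              "report.url = jdbc:oracle:thin:@dbhost:1521;user=rpt;password=R3p0rt!\n"),
    "legacy/scheduler.ini": ("ADMIN_PASSWORD = ${VAULT:scheduler/admin}\n"
                             "api_key = 'a1b2c3d4'\n"),
}

def scan_all(files=SAMPLE_FILES):
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    findings.sort(key=lambda f: (f.kind != "default", f.path, f.line))   # known defaults first
    return findings
```

Findings sorted this way give the prioritized list the text calls for: vendor defaults first, then other literals, with vault-resolved placeholders left out.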

There are also ways to identify legacy systems hidden inside network devices like printers and scanners.

“You have a lot of copy centers that have old unsupported and embedded systems,” says Pioneer Investments’ Pfeil. “The risks that are associated with that seem to quadruple every day.”

Routers and switches don’t do a particularly good job identifying what’s connected to them, he says, especially devices that only connect intermittently.

To deal with this issue, Pioneer Investments uses tools from security firm ForeScout Technologies, which can identify and manage network connections and even monitor them for suspicious or unusual activity.

“When we first started out, seeing all the traffic, and seeing everything connecting, it gives you very good visibility,” Pfeil says.

“Then there are some default policies that are simple to enable, such as the checking of antivirus—is it installed, does it have current signatures, if not, flip it over to the VLAN where it has access to the update server, and when it’s updated, flip it back over to the network access.

“Then we’ve gone down to the level of checking the actual hardware itself—does it have virtualization extensions, what vulnerabilities are inherent in the system—so we enforce directed scans at that system if we deem it to be a higher risk,” he says.

“ForeScout provides a very flexible control fabric platform that interfaces with our other security devices, proxies, antivirus devices, and all that,” Pfeil says.

Budget? What budget? We don’t have no stinkin’ budget

Investing in emerging technologies makes business sense. Cloud computing and mobile apps save money, bring in new customers and are easy to pitch to executives because they’re on the cover of every magazine.

Throwing money at old systems—systems that seem to be working just fine—is a much harder sell. It’s easy to postpone these projects, but with every delay, the price tag just gets that much higher.

The key to making a business case for an upgrade to an old system that seems, on the surface, to be working just fine is to figure out a way to put a real dollar value on the security risk.

Start by considering compliance, says Ken Pickering, director of engineering at Core Security. For example, the Payment Card Industry requires merchants that accept bank card payments to comply with a set of security standards. If there’s a breach, state laws may require customer notifications, credit card security monitoring, or other remediation measures. In addition, breaches cause public relations damage to the company as a result of losing customers’ credit card or Social Security numbers.

“Do we risk violating our PCI compliance?” Pickering says. “That’s money. If the records are breached, what’s the dollar per record cost?”

Another way to determine the monetary benefit of replacing an older system with a new one is to calculate the ongoing cost of maintenance of the legacy system.

For example, in 2012, the latest versions of Microsoft software were not affected by 20 percent of the newly discovered vulnerabilities, says Marc Maiffret, CTO and head of the Advanced Research Labs at BeyondTrust. That means fewer patches to apply for companies running Windows 7 or later.

“So if you’re running an older system, you have to do 20 percent more work,” he says. “That’s something [where] you can put tangible dollar amounts on what it means to your business.”

Finally, don’t forget the higher costs of insuring older systems against breaches.

“Bring in your insurance agent,” recommends David Sun, CEO of SunBlock Systems. “If your insurance premium will change, that’s a fairly immediate quantifiable dollar amount.”

It might help to bring in legal help to make the case to management, says Ron Gula, CEO and CTO at Tenable Network Security. Gula serves on the advisory board for the University of Maryland Cybersecurity Center and has conducted penetration tests of government networks for the National Security Agency. Tenable offers real-time security monitoring, vulnerability scanning, network scanning and log analysis and counts the Department of Defense among its 24,000 customers.

“We are really, really bad at articulating risk,” he says, referring to technology professionals. “So go call your lawyers. Your lawyers are going to be aware of your corporate responsibilities to shareholders and customers, of your regulatory requirements. If you have a risk that’s going to make it difficult to pass a PCI audit, get the lawyers on your side.”

If hard numbers and explanations of legal risks don’t do the trick, consider peer pressure.

“Even organizations that compete with each other do share risk information and best practices,” says Gula. It may take some research to figure out what competitors are doing, but the information may be available through trade shows and conferences.

“If you can benchmark yourself against your industry, your vertical, that is something you can bring to your local executives,” he says.

Another approach to addressing the budget problem is to try to move the cost of supporting legacy systems to the business units that actually use them.

“Historically, IT has always borne the brunt of maintaining them,” says Sarah Isaacs, CEO of Conventus, a security consultancy. “Nowadays, IT might be going back to the business units and saying, ‘This is your cost, and we’re going to charge any fees associated with maintaining such an outdated program.’ That might kick the business unit into gear.”

Wrap it, isolate it, lock it away

The riskiest situation arises when the oldest technology is suddenly exposed to the latest, most cutting-edge channels.

“You can’t simply expose a legacy system that was never intended to be exposed that way,” says Unisys’s Thompson.

“Many of our customers are pressed to embrace these things, but it has to be done in a disciplined way. Change isn’t always good. A healthy respect for the underlying code base is important,” he says.

A bank, for example, may want to allow customers to check their account balances via a website, a text message, a smartphone, a watch, augmented reality glasses or some other newfangled device.

Putting a wrapper in place around the core banking software would help protect the underlying legacy system and allow developers to create new access points without touching the core code base itself, he says.

“Make sure the wrapper checks so that the only transaction that gets through is checking the balance, and nothing else,” he says.
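An added example of the wrapper Thompson describes (not Unisys’s code or the article’s): a deny-by-default gateway that lets only a balance check reach a constructed stand-in for the core, validates the single field it accepts, and filters what comes back. The 10-digit account format and the stand-in core’s behaviour are assumptions.

```python
import re
from typing import Any, Dict

ACCOUNT_ID = re.compile(r"^\d{10}$")          # assumption: legacy account ids are 10 digits
# Deny by default: the wrapper knows one transaction and its exact field set.
ALLOWED_FIELDS = {"check_balance": {"account_id"}}

def legacy_core(txn: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the core banking system. It trusts its caller
    completely and will move money if asked, which is why new channels must
    reach it only through wrapper() below."""
    ledger = {"0012345678": 25_000, "0087654321": 1_200}      # balances in cents
    if txn["op"] == "check_balance":
        return {"account_id": txn["account_id"], "balance_cents": ledger[txn["account_id"]],
                "branch": "017", "overdraft_flag": False}      # internal fields come back too
    if txn["op"] == "transfer":
        return {"status": "moved", "amount_cents": txn["amount_cents"]}
    raise KeyError(txn["op"])

def wrapper(request: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list gateway between new access channels and the legacy core."""
    op = request.get("op")
    if not isinstance(op, str) or op not in ALLOWED_FIELDS:
        return {"ok": False, "error": "operation not permitted"}
    fields = set(request) - {"op"}
    if fields != ALLOWED_FIELDS[op]:
        # Extra or missing fields are rejected, so nothing rides along with a permitted op.
        return {"ok": False, "error": "unexpected fields"}
    account_id = request["account_id"]
    if not isinstance(account_id, str) or not ACCOUNT_ID.match(account_id):
        return {"ok": False, "error": "malformed account_id"}
    try:
        # Build a fresh message for the core; never forward the caller's object.
        result = legacy_core({"op": "check_balance", "account_id": account_id})
    except KeyError:
        return {"ok": False, "error": "unknown account"}
    # Allow-list on the way out as well: the channel sees the balance, not internal fields.
    return {"ok": True, "account_id": account_id, "balance_cents": result["balance_cents"]}
```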

A legacy system isn’t just vulnerable to external threats, of course—many threats aren’t coming directly from the outside, but from other compromised systems that are also behind the company firewall.

According to Thompson, enterprises need to stop thinking of their networks like an M&M—a hard, crispy shell protecting the soft chocolate goodness on the inside.

“You need to think of a world in which what’s inside the M&M is more M&Ms,” he says. “So that people who get in through email can’t go to the point-of-sale system, to the core banking system. The email system has no business talking to the core banking system.

“You have to take the approach that you are going to get hacked, not that you’ll put up a Maginot line of peripheral security that’s never going to get hacked.”

Maria Korolov is a freelance technology writer based in Massachusetts.

Copyright © 2014 IDG Communications, Inc.
