8 old technologies that still play roles in security

Newer isn't always better, at least where cybersecurity is concerned. For some applications, these older technologies are still effective ways to protect data and systems.

bridgestone data center 1968

It’s easy to assume newer is better, but technology that has been around for decades or longer still has a place in cybersecurity. In some cases, it is difficult to hack and therefore less vulnerable. In others, it just continues to be the best option for a very specific purpose.  

Many companies and government agencies still depend on the eight technologies described below to help protect systems and data, proving that sometimes the old way of doing things can best help protect against threats.

1. Tape isn't dead

Magnetic tape is the new hot storage medium. Well, technically, it never left -- tape is the lowest-cost option for long-term storage. It’s also a handy way to keep data out of the hands of attackers and safeguarded from ransomware. "Tape by nature is an offline storage media," says Eric Bassier, senior director of product marketing at data storage manufacturer Quantum Corp. "Because it's offline, it's not susceptible to ransomware attacks and other cryptoware."

He says that Quantum has seen a renaissance in tape use for offline storage in the data center because of this very issue. "Companies that have been moving away from using tape for tape backup are now realizing that they need at least one copy of data that is offline."

The way people are using tape backups is also changing, Bassier says. "The old use case is that the tape fills up, someone has to take that tape, move it somewhere," he says. "They would take the tapes and ship them in a box to an offsite vault. If you think about trying to restore data from a box on a shelf in an off-site vault, that is difficult. You have to get the box back, make sure you have the right tape."

Now, companies are increasingly using tape for local offline storage. "They keep the tape in a library on site," Bassier says. A business could restore a backup job from, say, last week in minutes in a properly automated and cataloged tape system. Even some of the biggest hyperscale public cloud vendors are using tape for long-term, off-line storage, he adds.

Tape just keeps getting better and cheaper. According to Bassier, tape capacity doubles every couple of years. The latest technology holds 12 uncompressed terabytes on a single tape that's just a little big larger than an iPhone. In fact, the use of magnetic tape hit a record high last year, with more than 108 exabytes shipped — an increase of 13 percent over 2016.

2. Neither is antivirus

Traditional signature-based antivirus and old-school firewalls have a hard time catching the latest threats and zero-day attacks. Just because they aren't the latest and greatest in anti-malware technology doesn't mean that they're not useful anymore. Antivirus still does a good job of catching known threats and does so quickly and efficiently.

"No CISO in their right mind would ever throw it out," says Sam Curry, CSO at Cybereason, Inc. "Antivirus and firewalls aren't the cutting edge for stopping bad guys, but they do reduce the attack surface."

3. Hold off on canceling that land line

Traditional telephone lines run on different networks than voice over IP traffic, and they are more resilient as a result, according to Ted Wagner, CISO at SAP NS2, an arm of SAP that provides technology for national security. VOIP goes down when the data network goes down, he says.

Landlines aren't just useful in the case of natural disasters; they can also protect against cyberattacks. "Because it works on a switched network instead of the internet, it is also not susceptible to hackers that may attempt to intercept or compromise VOIP sessions," says Wagner.

4. Old software and operating systems

As a general rule, software and operating systems that have passed their end-of-life date are not particularly trustworthy. Vendors are no longer putting out security patches when problems are discovered -- if the vendors are even still around.

The old stuff has one big advantage: It was designed to run offline. Modern systems, on the other hand, often want to be connected to the internet at all times.

Hospitals, for example, often have old operating systems on computers that have never been connected to the internet, says Jessica Ortega, researcher at SiteLock. "Even though the OS is outdated, it winds up being more secure because nobody has access to it."

Windows 10 can, theoretically, run offline, Ortega says, but it won't have the same capabilities. "Older systems tend to run a little smoother than newer systems in offline mode."

5. Floppy disks? Sure!

Even floppy disks have their uses. According to the Government Accountability Office, the Department of Defense uses 8-inch floppy disks in its IBM Series/1 that dates back to the 1970s to coordinate the operational functions of the nation's nuclear forces, including ICBMs and nuclear bombers.

"Floppy disks like that haven’t been used in at least 30-plus years as they were replaced by smaller floppies, then CD drives, then USB memory sticks and just plain old networks, which allowed users to transfer information electronically," says Dean Coclin, senior director of business development at DigiCert. It turns out, the floppies are more secure, he says. "There are no networks involved in these systems, by design."

"We consider that to be almost comically old technology," says SiteLock's Ortega. "But they are infinitely more secure than an USB drive or an external hard drive, partly because almost nobody knows how to exploit them or even how they work." Some security systems still use floppy disks, she says, such as for alarm code systems. Some routers also still use floppy disks for storage.

Attackers would have a hard time even getting their hands on floppy disks to figure out how to hack them, she added. "Whereas people have literal labs full of USB drives to try to hack."

Removable hard drives are also considered old technology, Ortega says. But they can be stored close at hand, while still being offline and not accessible to ransomware and similar attacks.

The external drives are also portable. "When I was working as a contractor to the U.S government, in many instances data transfers still meant physically removing a drive, putting it into a locked container, transporting the locked container, and physically inserting the drive somewhere else," says Matt Radolec, head of security architecture and incident response at Varonis. "This old school method nearly eliminates the possibility this data could be sniffed or intercepted in transit."

6. Mainframes are mainstays

Mainframes might date back to the earliest days of the computer age, but they're still going strong.

For IBM, mainframe sales were responsible for much the company's latest earnings growth. "This is the most enduring platform that you’ve seen out there, and we continue to capitalize on gaining new emerging workloads onto that platform," IBM CFO Jim Kavanaugh told investors and analysts this summer. "And we delivered substantial growth in the second quarter, over a 100 percent growth, and we tripled our installed MIPS inventory that we shipped."

Its latest offering, the z14, saw stronger sales growth than its predecessor, the z13. "We are well in advance of what the prior cycle was," says Kavanaugh.

According to a recent BMC survey of executives and technology professionals, 92 percent predict long-term viability for the mainframe, the third straight year of increases. One of the biggest strengths of the mainframe, second only to availability, is security.

"There's still a lot of mainframe processing out there," says Jeffrey Shoup, mainframe solutions architect at Ensono. "In fact, some of the most state-of-the-art technology out there is in the mainframe ecosystem. IBM will put some of its brand new technology there first, because the mainframes are more expensive, and that's how they fund research and development."

The reliability of mainframes means that companies are increasing their use for mission critical workloads. According to a survey conducted earlier this year by Forrester Research, 64 percent of enterprises will run more than half of their critical applications on the platform within the next year, up from 57 percent this year. In particular, 72 percent of customer-facing applications are completely or very dependent on mainframe processing.

Encryption plays a big role in mainframe deployments, adds Shoup. "In the mainframe space, you can encrypt as much as you want to protect your sensitive data." The encryption capabilities just keep getting better. According to IBM, its latest z14 mainframe can encrypt 12 billion transactions every day – five times more than its predecessor.

Today's mainframes aren't the same fickle, insecure and delicate systems they used to be. In fact, a couple of years ago IBM demonstrated that its z13 mainframe can withstand an 8.0-magnitude earthquake. "The stuff in the movies isn't representative of what we have in the industry these days," says Shoup. 

7. Don't cut the cord

Wireless mice, keyboards, headsets and other accessories are convenient. So convenient that sometimes new devices don't even have ports to plug in the older versions. "I know people love to have wireless this and wireless that," says Eric Kobrin, director of security intelligence at Akamai Technologies. "But I actually use lots of old tech all the time, and a lot of it is for security reasons."

A wired keyboard with a long cable is just as convenient as a wireless one, Kobrin says. "And you don't have to worry about someone sniffing your Bluetooth traffic."

Or take Secorvo's October's report about a driver-related vulnerability in the Seenheiser headphones. "Headphones shouldn't need a driver," Kobrin says. "If you can plug it in and use the old analog system, you're not exposing all the layers."

Or take personal fitness trackers. There's no reason for that data to be sent off to the cloud, he says. Earlier this year, it turned out that the Strava fitness trackers exposed information about military base locations. This kind of information could be a problem for any company, Kobrin says. "If I can figure out from a person's pedometer when they're usually in the office, can I use that information to social engineer my way in?" he asks. "You know where they are because you're watching their fitness traffic."

Even old-school serial connections have a place in today's enterprise environment. Akamai routinely looks at new kinds of malware so that it can better protect its customers, and keeping it contained is vital. "We have specialized server hardware running the malware," says Kobrin. "We connect to it with a serial terminal and a laptop that never connects to the network."

8. Paperless? Maybe not

Paper is one of the oldest communication technologies around, and even in today's digital world it still has its uses. Take voting machines, for example. "When it comes to election security, it's harder to fake physical ballots versus digital ones," says Darien Kindlund, VP of technology at Insight Engines. There's a reason they call it "a paper trail."

Similarly, it's harder to fake physical notaries on documents for many scenarios, Kindlund says. "This is because modern PKI is still hard to get right. In many ways, it is still easier to protect physical documents versus digital ones."

In fact, paper can be a security device in and of itself. A Post-It note or some other sticker is a cheap and easy way to cover up a laptop camera, says Ronen Slavin, head of research at Reason Cybersecurity. "Oftentimes, security solutions will fail to protect the camera, which is why this manual option of a sticker to block the recording is still the most secure," he says.

You can stick a piece of paper on the door of a conference room and get most of the functionality of a connected display, without the security risks. Akamai's Kobrin says he once spent two years trying to get vulnerabilities fixed in a room reservation system that had LCD display panels outside conference rooms. "You could use them to take over someone's network," he says.

Replacing the displays with paper signs or just using dry-erase markers to write on the glass doesn't lose all that much functionality, he says. "Nobody can take over a dry-erase marker and use it to create a security incident at your company."


Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)