Reduced critical infrastructure risk from end-of-life software
Legacy systems, including end-of-life software, cause more problems than workflow bottlenecks and IT headaches and could put a business – or even the nation, if that software supports critical infrastructure – at risk.
The United States Cybersecurity and Infrastructure Security Agency maintains a list exceptionally dangerous practices for critical infrastructures and national critical functions; end-of-life software tops the list.
“The use of unsupported (or end-of-life) software in the service of critical infrastructures and national critical functions is dangerous and significantly increases the risks to national security, national economic security and public health and safety national,” the agency said. “This dangerous practice is particularly blatant in technologies accessible from the Internet.”
End-of-life software security risk
Outdated legacy software can lead to cyberattacks with major consequences for businesses and government organizations. The WannaCry ransomware attack is a well-documented example. Hackers exploited the UK’s National Health Service’s aging system; Ultimately, this breach cost the government the equivalent of approximately US$12 million.
In today’s cloud era, more organizations are migrating legacy workloads to the cloud and the looming security risk of unpatched legacy workloads is growing. These legacy workloads are the weakest link in organizations’ cloud migration journeys that hackers are eager to exploit.
The solution to the problem is not as simple as the threat. Quickly extracting and replacing unsupported systems is impractical, costly, and disruptive to business operations, and can affect myriad other systems in unexpected ways.
Many companies have made significant investments in their legacy systems over the past decade or two, and manufacturing companies, healthcare entities, and financial service providers are among the top users of legacy software. Many of these legacy systems are still based on Windows 7, which reached its end of life in early 2020. Research shows that 89% of large financial companies and 93% of enterprise-level healthcare organizations depend on at least partially Windows 7.
How to Mitigate the Risks of Legacy Systems
While it’s probably not possible to pull such systems out of your stack immediately, effectively securing them while working to modernize them in the meantime is. The following methods can help organizations maintain workflow speed and productivity while reducing legacy system security risks.
1. Perform a baseline risk assessment of the legacy system. The first phase of mitigating legacy system security risks is to identify legacy systems and identify security risk(s) they present. This can be a difficult task, as many systems have long tails which add up to countless attack vectors. The best way to better understand risk is to have clear visibility across your entire network, including on the site, cloud and hybrid traffic. This initial assessment can take a lot of time and effort, but it will greatly streamline the next steps.
2. Fix legacy systems, if possible. If it is not possible to patch these systems, create physical barriers. Most legacy systems have vulnerabilities that vendors stopped patching a long time ago. Perform a criticality assessment to assess these vulnerabilities in terms of risk to show where unpatched legacy systems are located and where many users are accessing them. Once you have completed the criticality assessment, create a separate physical subnet for your most vulnerable legacy systems to isolate them and prevent them from communicating with the outside world.
3. Use Zero-Trust Workload Protection to protect legacy workloads. Zero-Trust workload protection begins with identity-based segmentation, which operates like a physical subnet. This method only allows legacy systems to communicate with trusted systems. This limits the number of interactions end-of-life software can have with the outside world and the internal network without compromising functionality and disrupting operations.
Once segmentation is complete, untrusted workload protection can be deployed on legacy systems to limit which applications and processes can run to a bare minimum, so hackers cannot take advantage of trusted processes. This multi-layered protection is a cost-effective and highly secure way to ensure that legacy systems you invested in decades ago don’t become vulnerabilities that could compromise your organization for the next five to ten years. And segmentation will prevent a threat from moving laterally from a compromised legacy system to the rest of the network.
Removing and replacing end-of-life software to prevent security risks to legacy systems is often not a viable option, so you need to take steps to secure these systems instead. Identify risks, fix vulnerabilities where you can, and use Zero Trust workload protection to maintain business continuity without exposing your organization to end-of-life liabilities.