Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Legacy systems

Published: 2009-11-05
Last Updated: 2009-11-05 09:54:20 UTC
by Swa Frantzen (Version: 1)
6 comment(s)

IT in general is riddled with legacy system. They are inheritances of a past we 'd like to forget or we might even cherish them. But they have a tendency of harboring nasty surprises.

In an economic climate where investments are a bit less likely than they used to be, there is fear we'll end up with more legacy systems than ever before. Moreover people aren't buying the "shiny new" all that easy anymore regardless of the economic climate.

But there is more. Even free software that is as easy to upgrade to as a single click isn't being upgraded. In controlled corporate environments there might be reasons of compatibility, but even home users don't upgrade to in some striking cases. E.g. IE6 -a decade old browser, hated by anybody doing anything beyond basic CSS- has had 2 new versions people are automatically upgraded to, and yet it still has a population of users that is significant, even among the Storm Center's visitors -last month- more than 17% of our IE using visitors still were on that legacy version (data from Google Analytics). Not work-related websites also report numbers of 12 to 15% of IE users not having upgraded to IE7 (itself a legacy version) or IE8.

There is of course a general IT impact of supporting legacy systems, which can be a pain. Add in the lack of planning for problems with such systems and it all becomes a nightmare scenario. Look e.g. at what hit the news regarding the failing synchronization of traffic lights in the DC area (Thanks for sending this in Angela!). The failure as such is a problem one might argue, but statements like "Parts are not really available" are worrying to a great extend. BCP/DRP issues abound.

But there is also a huge security impact. Threats change. If you run things a decade old -even if the top security bugs do get fixed- you still have an architectural model for your defenses that's a decade old or more. A decade is a lot in IT and in security. A lot changes in that time.  Now you might argue using old technology puts you out of the hot-spot where the attackers focus on. While that is true to a point, attackers, security researchers and bug fixers all focus on the latest greatest version. If we all start to slack in upgrading, the attackers might not shift their focus to where the researchers and fixers of bugs are focusing anymore, changing cat and mouse game to one where the mice aren't being watched by the cats anymore. Moreover we know from dshield data that scans for old vulnerabilities never really stops anyway.

So what can each of us do in our corner do to make the world a better place - and have our customers/employers not end up in the news with 30 year old hardware running a mission critical system and failing impacting many thousands ?

An inventory comes to mind as a first control measure. If you don't even know you have a legacy system, there will be nothing that's going to be done until it fails and hits you.

If you can, figure out for all used hardware and software

  • if there is still a way to support it somehow, and how difficult that is
  • when the support will be stopped
  • how critical it is, and if it's taken into consideration properly in BCP/DRP plans

Make a plan, at least for every legacy system out there. [this is really part of your BCP plan, but I'll assume many lack such detailed plans]

  • How will you phase it out
  • When is the deadline on having it gone
  • How will you support it till then
  • How will you ensure security for as long as you still have it

Add to it:

  • How will you know when this status changes (vendor might go out of business, release new versions and silent forget the one you still have, stop supporting a version/variant, extend support, ...) ? With the risk of depending on external parties, these updates need to also be done by actively polling for this, passively waiting to be informed isn't going to be enough to prevent you from getting in trouble.

As evident, the BCP and security requirements should be enough to cause some pressure on companies and organizations that manage their IT properly, but that's not going to affect most home users or small businesses who have a motto of "don't fix if it isn't broken" and apply it liberally.

This doesn't mean I'm advocating to be always on the latest greatest version a vendor promotes. Far from it: I'm hesitant to recommend a feeding frenzy over new OSes -of any vendor or make-, but that doesn't mean we ought not to follow the vendors of our choice into upgrading before the vendor forgets all about their previous version.

So how can we convince those that their (unsupported) legacy systems are a bad deal for the rest of us, just as for themselves ?

--
Swa Frantzen -- Section 66

Keywords: BCP DRP legacy
6 comment(s)
Diary Archives