Legacy Systems: The (Often) Necessary Evil

June 15, 2015

Many IT environments include one or more systems that are really far behind the times. You might be surprised it hasn’t died of natural causes yet. You know the one I’m talking about – tucked deep away in the back of a closet; both the file system and the original installer are now gathering cobwebs. Generally, we at OST see the most legacy systems in healthcare networks – but they can be anywhere.

From a security standpoint, these kinds of hosts are a nightmare. Often running an unsupported operating system (already a big red mark), these machines are generally not well patched and may be running easily exploitable applications. A thorn in the network administrator’s side, they consistently show up in the results of IT security assessments as high risk and requiring attention.

If you don’t work in IT, you might be wondering why anyone would allow such an obvious security hole to exist in an environment. The answer is quite simple. Most administrators and IT managers are aware of these systems, but their hands are tied – usually for one of two reasons:

1. It’s a vendor-managed host (for example, a system that operates radiology equipment) and the vendor refuses to upgrade or patch, for a variety of reasons.
2. It’s an internally managed host, but runs a mission-critical application or service that requires an unsupported OS.

You can see how environments that rely heavily on third party equipment and applications could easily find themselves unable to secure the hardware that sits on their network.

This can lead to serious problems if the organization ever finds itself on the receiving end of a malicious hacking attack. Due to security flaws noted above, legacy systems are often easily taken advantage of and leveraged during an attack. Depending on how the system is positioned in the environment and what kind of data it contains, this can lead to the loss of sensitive data (such as social security numbers, medical records, or other personally identifiable information) or perhaps a full breach of the organization’s domain.

To help illustrate, consider this analogy: if you lived in a bad neighborhood, you’d most certainly want all of your doors locked as often as possible. Well, for starters – the Internet is most definitely a bad neighborhood, and having insecure legacy systems in your environment would be akin to leaving a side window not only unlocked, but also open. Did we mention that your in-laws own the window, and have lodged it open so that it will not shut? Yeah, it’s a lot like that!

How should this predicament be approached? Here are our suggestions on how to mitigate the risk of having insecure legacy systems in a computing environment.

1. Re-assess if you actually need the system. Is it truly critical to your operations? Sometimes the simplest solution to a security problem is to just power off and retire the offending host. If one person uses it once per quarter to run a single report, it’s probably not mission critical and the risk it poses is greater than the service it offers. If you re-assess and do find that you need it, keep reading.
2. If it’s a vendor-managed host, reach out to the vendor directly and ask for a resolution. If you’re trying to meet compliance standards (i.e. GLBA, HIPAA), be sure to get an official response from the vendor for your records.
3. If it’s a dated application and your organization simply hasn’t ponied up the dough to purchase the new, secure version, build that into the budget now. If this is the situation you find yourself in, you’re gravely underestimating the cost of a data breach. Go ahead, Google the average cost of a data breach. We dare you.
4. If you find yourself in the worst-case scenario, where the vendor will not budge, the application has no patched version and the system genuinely is mission critical, all is not lost. Here’s our recommended plan of attack:

Isolate, isolate, isolate.

Going back to the open window in your house analogy, the next logical step (if you can’t shut it), is to lock the room that the window is in and take all the important stuff out of there. Make that system invisible to everyone on the network except those who need it. Put it on it’s own VLAN and permit access with great discretion. Harden the system with firewalling and an endpoint protection that has IPS/IDS modules. Remove ALL unnecessary applications and services from the host. Patch it as much as you can. We’ve advised clients to, when it made sense, literally unplug the computer from the network and require that be accessed only physically.

Build a Plan for Moving Forward

Get it into your FY plan to retire that system, if you can. If you can’t, make sure that the Board of Directors for your organization is aware of the risk and chooses to accept that risk.

A comprehensive IT security assessment is the best way to find insecure legacy systems. As part of an assessment, a penetration test is generally conducted to help identify the severity of security holes that may exist on these machines.

The OST Security Practice has conducted over 1,000 security assessments for clients in a wide variety of industries and is exceedingly proficient at identify vulnerabilities on legacy systems and helping organizations mitigate the risks they pose.

For more information on an IT security assessment services, please contact dkilpatrick@ostusa.com.