Reducing Critical Infrastructure Risk From End-of-Life Software
Legacy systems, including end-of-life software, cause more problems than workflow bottlenecks and IT headaches and could put a company—or even the nation, if that software is in support of critical infrastructure—at serious risk.
The U.S. Cybersecurity and Infrastructure Security Agency keeps a list of practices that are exceptionally dangerous to critical infrastructure and national critical functions; end-of-life software tops that list.
“Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” the agency stated. “This dangerous practice is especially egregious in technologies accessible from the internet.”
Security Risk From End-of-Life Software
Outdated legacy software can lead to cyberattacks with major consequences for businesses and government organizations alike. The WannaCry ransomware attack is one well-documented example. Hackers exploited the UK’s aging National Health Service system; ultimately, that breach cost the government the equivalent of about $12 million USD.
In today’s cloud era, more and more organizations are migrating legacy workloads to the cloud, and the security risk of unpatched legacy workloads grows with them. These legacy workloads are the weak link in an organization’s cloud migration journey, and attackers are waiting to exploit them.
The solution to the problem isn’t as straightforward as the threat. Quickly ripping and replacing unsupported systems is unrealistic, expensive and disruptive to business operations, and it can affect myriad other systems unexpectedly.
Many companies have made extensive investments in their legacy systems over the past decade or two, and manufacturing companies, health care entities and financial services providers are some of the top users of legacy software. Many of these legacy systems still rely on Windows 7, which hit its end-of-life back in early 2020. One study shows that 89% of large finance companies and 93% of enterprise-level health care organizations are at least partially reliant on Windows 7.
How to Mitigate Risk from Legacy Systems
While immediately extracting such systems from your stack is likely not possible, effectively securing them while working to modernize in the meantime is. The following methods can help organizations maintain workflow velocity and productivity while reducing legacy system security risk.
1. Conduct a basic legacy system risk assessment. The first phase of mitigating legacy system security risk is to identify legacy systems and the security risk(s) each one presents. This can be a difficult task, as many systems have long tails of dependencies that add up to countless attack vectors. The best way to get a fuller understanding of risk is to gain clear visibility into your entire network, including on-premises, cloud and hybrid traffic. This initial assessment may take significant time and effort, but it will streamline the next steps significantly.
2. Patch legacy systems, if possible. If it’s not possible to patch these systems, create physical barriers. Most legacy systems have vulnerabilities that vendors stopped patching long ago. Perform a criticality assessment that rates these vulnerabilities by risk, showing where the unpatched legacy systems sit and which of them many users access. Once you’ve completed the criticality assessment, place your most critically vulnerable legacy systems on a separate physical subnet to isolate them and prevent them from communicating with the outside world.
3. Use zero-trust workload protection to protect legacy workloads. Zero-trust workload protection starts with identity-based segmentation, which functions like a physical subnet. This method allows legacy systems to communicate only with trusted systems. It restricts the number of interactions end-of-life software can have with the outside world and with the internal network, without compromising functionality or disrupting operations.
Once segmentation is complete, zero-trust workload protection can be deployed on legacy systems to restrict which applications and processes can run down to the bare minimum, so that hackers can’t take advantage of trusted processes. This multi-layered protection is a cost-effective and highly secure way to ensure that the legacy systems you invested in decades ago don’t become vulnerabilities that could compromise your organization for the next five to 10 years. And segmentation will stop a threat from moving laterally from one compromised legacy system to the rest of the network.
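The three steps above, worked through as an added example that is not part of the original article: a constructed host inventory is checked against vendor end-of-support dates, each end-of-life host is rated by internet exposure and user count (the criticality assessment), and the rating is mapped to patch, isolate or allowlist. The inventory, the assessment date and the scoring weights are assumptions for illustration.

```python
from datetime import date

# Vendor end-of-support dates used for the EOL check. Windows 7 reached
# end of life in January 2020, as the article notes; the table is an
# illustrative subset, not a complete reference.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# Constructed assessment date and sample inventory (one record per host
# discovered during the network visibility phase). "allowed_peers" of ["*"]
# means the host is not yet segmented and can talk to anything.
TODAY = date(2024, 1, 1)
INVENTORY = [
    {"host": "hmi-01", "os": "Windows 7", "internet_facing": True, "users": 120, "patchable": False, "allowed_peers": ["*"]},
    {"host": "lab-db", "os": "Windows Server 2008 R2", "internet_facing": False, "users": 40, "patchable": False, "allowed_peers": ["app-01", "backup-01"]},
    {"host": "app-01", "os": "Windows Server 2019", "internet_facing": True, "users": 300, "patchable": True, "allowed_peers": ["*"]},
]

def is_eol(os_name, today=TODAY):
    """True when the vendor's support window for this OS has already closed."""
    end = EOL_DATES.get(os_name)
    return end is not None and end < today

def criticality(rec, today=TODAY):
    """Rate an EOL host: internet exposure weighs most, then breadth of users."""
    if not is_eol(rec["os"], today):
        return 0
    score = 1                       # unsupported at all: baseline risk
    if rec["internet_facing"]:
        score += 3                  # CISA calls internet-reachable EOL software especially egregious
    if rec["users"] >= 100:
        score += 2                  # many users reaching it widens the blast radius
    elif rec["users"] >= 25:
        score += 1
    return score

def recommend(rec, today=TODAY):
    """Map the article's steps onto a host: patch if you can, otherwise isolate, then allowlist."""
    if criticality(rec, today) == 0:
        return "supported: keep patched"
    if rec["patchable"]:
        return "eol: patch immediately"
    if "*" in rec["allowed_peers"]:
        return "eol: isolate (segment so only trusted peers can reach it)"
    return "eol: already segmented; apply process allowlist"

def assess(inventory, today=TODAY):
    """Return (score, host, recommendation) tuples, highest criticality first."""
    rated = [(criticality(r, today), r["host"], recommend(r, today)) for r in inventory]
    return sorted(rated, reverse=True)
```

Running assess(INVENTORY) puts the internet-facing, heavily used Windows 7 host at the top of the list and tells you it needs segmentation before anything else.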
Ripping and replacing end-of-life software to prevent risk to legacy system security isn’t often a viable option, so you must take steps to secure these systems instead. Identify risks, patch vulnerabilities where you can and employ zero-trust workload protection to maintain business continuity without exposing your organization to end-of-life liabilities.