No Holes in the Dike: Securing Older Systems to Protect the Enterprise
I was asked recently to provide some commentary on the security and patching risks posed by systems going end of life. While much attention has been paid to deploying next generation security devices and protecting information on mobile systems, securing older systems is sometimes not adequately planned for, nor is the potential impact anticipated.
Even though many factors affect how vulnerable any given system or group of systems can be, patching is in all cases considered a key foundational component of a strong overall security ecosystem. In this regard, older systems may demand more attention and additional risk mitigation strategies.
It is also important to note that patching is a component of regulatory compliance and security programs such as PCI DSS, HIPAA and ISO 27001. Any system that falls under these programs or regulations and cannot be patched could be in violation of the regulation or program.
At the risk of stating the obvious, enterprise security incidents are increasing. The global Verizon 2013 Data Breach Investigations Report [1] alone analyzed more than 47,000 security incidents with 621 confirmed data breaches.
Over 47,000 Security Incidents Reported Worldwide
New vulnerabilities are being discovered all the time, on the order of several thousand each year. Vulnerabilities already identified and patched on newer systems can still impact older systems: code shared with the older version may carry the same flaw, but the patch was written only for the newer version and cannot be applied to the older one, which remains vulnerable.
The expectation should be that if systems go end of life, your security incident and remediation metrics will increase and the likelihood of a breach or exploit becomes almost certain.
Yet there are some strategies you can take to limit the exposure of your older systems. If systems are retained after support has ended, the following mitigation strategies can help reduce (but not eliminate) the risk.
1) Check with the vendor and third parties; if available, enter into custom support agreements.
2) Where possible, isolate the impacted system or limit its external and internal connections.
3) Harden the system by removing unnecessary services, programs and accounts. To be most effective, all connected systems would need to be similarly hardened.
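As an added example, not part of the original post: a small audit script that checks a retained end-of-life host against steps 2 and 3 above. It parses a snapshot of listening sockets (in the format of `ss -tlnp`) and a `/etc/passwd` excerpt, both constructed inline so the script runs offline, and flags listeners and interactive accounts that are not on an allowlist. The allowlist is a hypothetical policy for the host; on a real system you would feed in the live command output and your own allowed services and accounts.

```python
"""Hardening and exposure audit for a host kept past end of support.

Added example, not from the original post. Flags unexpected listening
services (externally bound ones rated higher) and accounts that still have
an interactive shell, so they can be isolated or removed (steps 2 and 3).
"""
import re
from dataclasses import dataclass

# Constructed sample: what `ss -H -tlnp` might print on a legacy application server.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1520,fd=41))
LISTEN 0 50 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=640,fd=4))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=12))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=702,fd=3))
"""

# Constructed sample /etc/passwd excerpt.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
appsvc:x:1001:1001:App service:/opt/app:/bin/bash
olduser:x:1002:1002:Former admin:/home/olduser:/bin/bash
mysql:x:110:118:MySQL Server:/nonexistent:/bin/false
"""

# Hypothetical policy for this host: the only services it may still expose
# (port -> expected process) and the only accounts allowed an interactive shell.
ALLOWED_LISTENERS = {22: "sshd", 8080: "java"}
ALLOWED_SHELL_ACCOUNTS = {"root", "appsvc"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "[::]"}

# One `ss -tlnp` row: state, queues, local addr:port, peer, users:(("proc",...
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    item: str       # what was found (process:port or account name)
    detail: str     # recommended action, referring to the steps above


def parse_listeners(ss_text):
    """Return (port, bind_address, process) tuples from ss -tlnp style output."""
    listeners = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append((int(m.group("port")), m.group("addr"), m.group("proc")))
    return listeners


def check_listeners(listeners, allowed=ALLOWED_LISTENERS):
    """Flag listeners not on the allowlist; external binds are rated high."""
    findings = []
    for port, addr, proc in listeners:
        external = addr in WILDCARD_BINDS
        if port not in allowed:
            sev = "high" if external else "medium"
            findings.append(Finding(sev, f"{proc}:{port}",
                                    f"unexpected listener bound to {addr}; "
                                    "stop and disable the service (step 3)"))
        elif allowed[port] != proc:
            findings.append(Finding("high", f"{proc}:{port}",
                                    f"port {port} is served by {proc}, expected {allowed[port]}"))
    return findings


def check_accounts(passwd_text, allowed=ALLOWED_SHELL_ACCOUNTS):
    """Flag accounts with an interactive shell that are not on the allowlist."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS and name not in allowed:
            findings.append(Finding("medium", name,
                                    f"interactive shell {shell}; lock or remove the account (step 3)"))
    return findings


def audit(ss_text=SS_OUTPUT, passwd_text=PASSWD):
    """Run both checks and return the combined list of findings."""
    return check_listeners(parse_listeners(ss_text)) + check_accounts(passwd_text)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity.upper():6}] {f.item}: {f.detail}")
```

On the constructed input the audit reports the telnet and FTP daemons as high (bound to all interfaces and not allowed), the loopback-only MySQL listener as medium, and the leftover `olduser` account; everything on the allowlist passes. Limiting which listeners remain is also the practical starting point for the firewall rules that step 2 calls for.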
A strong, comprehensive security posture will go a long way toward protecting older systems as well as new ones. Such a posture may include two-factor authentication, next generation firewalls, encryption (certainly of valuable and regulated data), robust security policies and employee security awareness training.
There is no doubt that letting systems go end of life leaves them open to every vulnerability, and its associated exploits, announced since the last applied patch. But there are reasonable steps you can take to help limit your exposure and reduce risk.
[1] “The 2013 Data Breach Investigations Report,” Verizon, April 2013.