Legacy systems

IT in general is riddled with legacy systems. They are inheritances of a past we'd like to forget, or we might even cherish them. But they have a tendency to harbor nasty surprises.

In an economic climate where investments are a bit less likely than they used to be, there is fear we'll end up with more legacy systems than ever before. Moreover, people aren't buying the "shiny new" all that easily anymore, regardless of the economic climate.

But there is more. Even free software that is as easy to upgrade as a single click isn't being upgraded. In controlled corporate environments there might be compatibility reasons, but in some striking cases even home users don't upgrade. E.g. IE6 (a decade-old browser, hated by anybody doing anything beyond basic CSS) has had 2 new versions that people are automatically upgraded to, and yet it still has a significant population of users, even among the Storm Center's visitors: last month more than 17% of our IE-using visitors were still on that legacy version (data from Google Analytics). Non-work-related websites also report numbers of 12 to 15% of IE users not having upgraded to IE7 (itself a legacy version) or IE8.

There is of course a general IT impact of supporting legacy systems, which can be a pain. Add in the lack of planning for problems with such systems and it all becomes a nightmare scenario. Look e.g. at what hit the news regarding the failing synchronization of traffic lights in the DC area (Thanks for sending this in, Angela!). The failure as such is a problem, one might argue, but statements like "Parts are not really available" are worrying to a great extent. BCP/DRP issues abound.

But there is also a huge security impact. Threats change. If you run things a decade old, even if the top security bugs do get fixed, you still have an architectural model for your defenses that's a decade old or more. A decade is a lot in IT and in security. A lot changes in that time. Now you might argue that using old technology puts you out of the hot spot where the attackers focus. While that is true to a point, attackers, security researchers and bug fixers all focus on the latest and greatest version. If we all start to slack in upgrading, the attackers might no longer shift their focus to where the researchers and bug fixers are focusing, changing the cat-and-mouse game to one where the mice aren't being watched by the cats anymore. Moreover, we know from DShield data that scans for old vulnerabilities never really stop anyway.

So what can each of us do in our corner to make the world a better place, and have our customers/employers not end up in the news with 30-year-old hardware running a mission critical system and failing, impacting many thousands?

An inventory comes to mind as a first control measure. If you don't even know you have a legacy system, nothing is going to be done about it until it fails and hits you.

If you can, figure out for all hardware and software in use:

  • if there is still a way to support it somehow, and how difficult that is
  • when the support will be stopped
  • how critical it is, and if it's taken into consideration properly in BCP/DRP plans

Make a plan, at least for every legacy system out there. [This is really part of your BCP plan, but I'll assume many lack such detailed plans.]

  • How will you phase it out
  • When is the deadline on having it gone
  • How will you support it till then
  • How will you ensure security for as long as you still have it

Add to it:

  • How will you know when this status changes (the vendor might go out of business, release new versions and silently forget the one you still have, stop supporting a version/variant, extend support, ...)? Given the risk of depending on external parties, these updates also need to be obtained by actively polling for them; passively waiting to be informed isn't going to be enough to keep you out of trouble.
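
The inventory and plan items above boil down to a handful of fields per system and a few checks over them. The following is an added example (not part of the original diary) that encodes those checks: it flags unknown or already-passed support end dates, a phase-out deadline that lands after support ends, critical systems missing from BCP/DRP plans, and vendor status checks that are overdue because nobody has polled the vendor recently. The inventory entries, names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class System:
    name: str
    support_end: Optional[date]        # when vendor support stops (None = unknown)
    retire_by: Optional[date]          # planned phase-out deadline (None = no plan yet)
    critical: bool                     # is it mission critical?
    in_bcp: bool                       # is it covered by BCP/DRP plans?
    last_vendor_check: Optional[date]  # when we last actively polled the vendor's status

def triage(s: System, today: date, poll_every_days: int = 90) -> list:
    """Return the findings a legacy-system review should surface for one entry."""
    findings = []
    if s.support_end is None:
        findings.append("support end date unknown: cannot plan the phase-out")
    elif s.support_end <= today:
        findings.append(f"already unsupported since {s.support_end}")
    elif s.retire_by is not None and s.retire_by > s.support_end:
        gap = (s.retire_by - s.support_end).days
        findings.append(f"will run unsupported for {gap} days before phase-out")
    if s.retire_by is None:
        findings.append("no phase-out deadline set")
    if s.critical and not s.in_bcp:
        findings.append("mission critical but missing from BCP/DRP plans")
    if s.last_vendor_check is None:
        findings.append("vendor support status never checked")
    elif (today - s.last_vendor_check).days > poll_every_days:
        age = (today - s.last_vendor_check).days
        findings.append(f"vendor status check overdue ({age} days since last poll)")
    return findings

def report(inventory, today: date) -> dict:
    """Map every system name to its list of findings (empty list = nothing to do)."""
    return {s.name: triage(s, today) for s in inventory}

# Constructed sample inventory: names and dates are invented for this example.
INVENTORY = [
    System("ie6-desktops", date(2010, 6, 30), date(2011, 6, 30), True, False, date(2009, 11, 1)),
    System("access97-db", None, None, True, True, date(2008, 3, 1)),
    System("accounting-ie6", date(2010, 6, 30), date(2010, 3, 31), True, True, date(2009, 12, 15)),
    System("traffic-sync", date(1995, 1, 1), date(2012, 1, 1), True, False, None),
]
REVIEW_DATE = date(2009, 12, 31)  # the day this review is run (constructed)

if __name__ == "__main__":
    for name, issues in report(INVENTORY, REVIEW_DATE).items():
        print(name, "->", issues or ["ok"])
```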

Evidently, the BCP and security requirements should be enough to put some pressure on companies and organizations that manage their IT properly, but that's not going to affect most home users or small businesses who have a motto of "don't fix it if it isn't broken" and apply it liberally.

This doesn't mean I'm advocating always being on the latest and greatest version a vendor promotes. Far from it: I'm hesitant to recommend a feeding frenzy over new OSes (of any vendor or make), but that doesn't mean we ought not to follow the vendors of our choice into upgrading before the vendor forgets all about their previous version.

So how can we convince those people that their (unsupported) legacy systems are a bad deal for the rest of us, just as for themselves?

--
Swa Frantzen -- Section 66

IE6 is a big headache here. We have about 2000 clients with about 98% on IE6. Just recently there has been talk about moving to IE7. I keep asking what about IE8 and why IE7, but I can't get a good answer.
Anonymous
Why IE at all? Why not firefox? That way you eliminate all of the ActiveX vulnerabilities, and there are add-ons to help block many of the others.

Many of my systems probably still have IE6 on it, but I just don't use the thing any more.

Eric

I work in a hospital that uses several web-based applications that depend on IE6. Using another browser would result in many bugs, varying from page rendering problems, to printing problems.

I suppose the problem might lie with the vendors in this case, but it's been years and newer browsers still don't work.
Anonymous
I'd LOVE to move to Firefox, but that is not possible where I work. We still have a few business critical DBs in Access 97 so moving something like IE to Firefox would likely cause a major meltdown here.
Anonymous
I would like nothing better to do than to upgrade to a better browser. However we have a (hopefully) soon to be replaced accounting system that cannot be upgraded and cannot use anything but IE6.

Tout the latest browsers all you like, but legacy systems rule in many shops.
KBR

Legacy browsers and OS's are not the only problem out there. In the country where I live (to remain nameless, thank you very much) the just about universally used most popular business accounting software (because it interfaces well with the gov't finance ministry web services - I wonder whose cousin got that contract...) requires that all workstations operate from an account with admin privileges. The software simply will not launch from a user account. The whole country is wide open to being owned. If you think this is ever going to get fixed you know nothing of inertia, denial, and simple brain death.
Russ
