Identifying Legacy Systems in your IT Estate.

The recent global ransomware attack which has a major impact on the NHS appears to have exploited a vulnerability in the operating system of many computers across the I.T estate, this was exacerbated by the continued widespread use of Windows XP, which reached its end-of-life in April 8, 2014 – 3 years previously.

Managing Legacy Systems, and ‘hardening’ systems in general, is an issue that organisations of all sizes need to manage, but as more and more devices become internet enabled, and the Internet of Things (IoT) approaches, a more robust approach is needed.

Unsupported Operating Systems

The Register reported in December 2016 that “90% of the NHS was still using Windows XP”.

Despite the UK Government agreeing a one year extension with Microsoft to support the XP operating system beyond its end of life, this was not continued past April 2015 meaning critical security updates were no longer being developed for existing vulnerabilities in Windows XP.  The official advice is to upgrade to a newer more secure system.

Why Do Organisations Run Legacy OS?

It’s not uncommon for organisations to run part of their IT estate on Legacy Operating Systems.  While it is not best practice and not recommended, often there are compelling business reasons to do so.

Supporting Applications that run on top of the operating system is probably the main reason organisations maintain old versions of Microsoft Windows.

Consider your accounting software or your CRM system which has been running well for years.  Perhaps cost of upgrading to the latest version of the software is expensive and would require resources to implement the system, migrate data, retrain staff and so on.  It’s easy to see this being delayed at board level due to the amount of resources needed for such a project.

Bespoke software packages are more likely to be a concern.  Having spent time and money developing a system that exactly meets your needs, changes to the underlying operating system can seriously affect the operation of your bespoke software that runs on-top.

This can lead to high re-development costs and, in some cases, organisations become locked into technology because the original developers become unavailable or data in the system can not easily be migrated to a new platform.

Taking time to analyse your information security requirements before commissioning a new system to be developed can solve some of these problems. By considering data portability (a requirement of the forthcoming General Data Protection Regulations, GDPR), system tie-in can be avoided.  Factoring in security testing of the system and budgeting for on-going patching and development costs, can also help you protect your information systems from vulnerabilities in the underlying operating system, such as Windows or OSX.

For Web Applications, this is a constant consideration, as often web based systems rely on several open-source software packages in-order to operate, including, perhaps, a flavour of Linux for the Operating System, Apache or similar for the web server, PHP or .NET scripting and MySQL or Mongo to support databases.

While many of these are supported by an active community of developers, who can address security concerns, patching these systems can still have unintended consequences and may be delayed.

Patch Management

Across all the software packages in use, the number of updates and patches is becoming increasingly difficult to manage.  Good practice would dictate that changes to key systems should be tested in a separate environment prior to deployment; and while the use of virtual servers is making this easier, there is still a significant time overhead, and often some element of downtime is required to apply patches successfully.

In the case of the NHS as discussed above, any systems running Windows XP are well overdue an update, however, Microsoft reports to have patched this vulnerability only in March 2017, a matter of weeks before the WannaCrypt attack.  This means that newer versions of Windows were also vulnerable, and even a reasonable patching policy could have slipped beyond those few weeks and left users exposed.

There is often a reluctance to apply software updated immediately due to the possible impact on other software, as discussed above, but also a mis-trust of software vendors, that they may release something that actually opens a vulnerability in their own system, and later need to release a corrective patch.

Cloud Based SaaS, No More Patching?

The move to Cloud Based systems can help transfer some of these issues to your SaaS provider, as they are responsible for managing the infrastructure and their web-application that runs on top.  Any required updates are applied across all customers, often without them knowing.

This relies on the SaaS vendor having a robust Secure Development Process and Patch Management Policy.  Often details of their Security Certifications, Business Continuity Planning and Vulnerability Management can be found on their website.

If your organisation relies on a Cloud-Based system, you should spend time doing your research to ensure you are happy with the level of risk management they apply.

Discovering Vulnerabilities

The only way to find them is to look for them.

Depending on your infrastructure, a basic vulnerability scan could be enough to spot systems that are behind in their software updates, or where their configuration leaves you vulnerable to exploits.  Something as simple as a Firewall port configured incorrectly could lead to an embarrassing and damaging attack.

Boundary firewalls are constantly scanned from the outside by those looking for ways into your network, from there they can begin looking for data and working to elevate their privileges on your network.

If you run web applications or more complex systems, a Penetration Test by a CREST accredited tester will be more valuable to your cyber defence.

Testers will evaluate against the OWASP Top 10 Most Critical Web Application Security Risks and use their human element to look for ways to exploit the system.

Many companies also benefit from mock Phishing and Social Engineering attacks.

Our Cyber Security Partners can help you protect your organisation through vulnerability scanning and a comprehensive Pen Testing programme as part of your wider Risk Management Framework.

Contact us to organise a Free Scoping Discussion.

Assent Can Help

We have a long-established and successful track record helping organisations manage their risks through Information Security Management, Business Continuity Planning and Technical Testing.  Contact us for more information.

Further Reading:

The Register, 90 per cent of the UK’s NHS is STILL relying on Windows XP.
https://www.google.co.uk/amp/s/www.theregister.co.uk/AMP/2016/12/08/windows_xp_nhs_still/

Microsoft, End of Windows XP Support.
https://www.microsoft.com/en-gb/windowsforbusiness/end-of-xp-support

Robert Clements
Robert Clements
Articles: 299