3 ways to secure unpatched legacy systems

Business-critical, unpatched software can be a target for cybercriminals

Author: Eija Paajanen
Date: 18.09.2015
Read Time: 4 Minutes

Are you one of the organizations running software that has already reached end-of-life?

Our practical encounters in the field with our customers suggest that most organizations host a pocket of servers or client applications that have not been updated for a while – and will not be updated in the near future. This is often business-critical software, such as ERPs, CRMs, and invoicing and cost claims systems, which the organization knows deserve better security.

But… The systems are too old, too valuable to mess with, and too few people in the organization understand how to fix them should they break – hopefully the situation is not quite as bad as this case example from 2005 though… Therefore, these systems are left unpatched, providing attackers with a door into the organization’s network.

At the RSA conference last year, Mario Nunez, CEO of Onapsis stated:

Over 95 % of the ERP systems analyzed were exposed to vulnerabilities enabling cyber-attackers to take full control of the Business. In 100% of the cases, information regarding those vulnerabilities had been in the public domain for more than 5 years.

To make matters worse, the system vendor or service provider that has brought the system into your network actively discourages you from enhancing its security. Warranty clauses, SLAs, support engineering, and remote maintenance service (yes, they want to get in, and you are left with little choice) will be terminated should you choose to unilaterally tweak an outdated system sitting deep inside your network.

Organizations often “hide” these solutions in their internal network, trusting that no one could get into it. However, once the IT network has been breached, attackers can look for ways to move laterally to these legacy solutions. Maybe even through the remote access your vendor has enabled for themselves?

So what can you do?

While it would be best to update these solutions, for the reasons mentioned above, that is simply not always possible. Therefore, you need to look for other ways to keep your systems as secure as possible. There are different ways to do that, from the more strategic decision to move over to cloud solutions, to totally isolating the outdated systems and restricting access to a minimum.

Let cyber security advisor Erka Koivunen explain how:

  1. Move rotten legacy out of your network. Many modern CRMs, ERPs, and invoicing systems have a cloud-based (i.e. web browser-based) version of the legacy on-site system that you may have. I am not saying that the cloud will magically solve your problems; they only shift form. Instead of having to worry over a set of unpatched servers, you will need to worry about how the cloud stores your data and how to secure your endpoints, including the browser. Make a transition to a more modern system or start planning a lock-down project. Both of them start with renegotiating your service subscription.
  2. Isolate the servers, limit access, and track usage. Make sure that the unpatched and overly exposed servers are put in an isolated network. No traffic should go in or leave the system unless there is a business case for it and the other communicating party is legitimate. Enforce audit logging on every level from server and client nodes to the network core and perimeter. Ensure that the logs are retained, stored somewhere else than in the potentially compromised system, and actively monitored for signs of anomalous activity.
  3. Identify users with business needs and deny access from all the rest. Remove the threat posed by the “office network” and other servers from the equation by segmenting the access network and moving the privileged users with legitimate access needs to separate LANs. Summer trainees probably do not need database access to the invoicing system, and the whole office network must not be allowed to access your payroll system, so enforce that!
    Consider introducing an internal VPN for the key users if the office network topology is too flat to accommodate strict segmentation. If moving endpoints to an isolated network is too much of a hassle, consider limiting client access to vulnerable services by introducing a terminated service such as Terminal Service or Citrix, which is isolated from the office environment. There you can “publish” client applications to your users in the office network even if the application is in fact running in an isolated space. This will, by the way, solve the problem of having to support old browsers or outdated plug-ins that the application may have an unhealthy dependence on. The vast majority of your endpoint infrastructure will get all the latest updates without having to worry about compatibility hiccups with your legacy systems.
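Points 2 and 3 boil down to an explicit allow-list for the isolated segment (named sources, named ports, nothing else in or out) plus someone actually reading the logs. The script below is an added example, not code from the article or from F-Secure: it encodes such an allow-list for a hypothetical legacy segment (10.90.0.0/24, the finance key-user LAN, the terminal server, the vendor VPN pool and the off-segment syslog collector are all constructed values) and runs it over a few constructed firewall log lines to flag any flow that no business case covers, in either direction.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Hypothetical isolated legacy segment (constructed for this example).
LEGACY_SEGMENT = ipaddress.ip_network("10.90.0.0/24")

# Ingress allow-list: (source network, destination port, business case).
# Anything reaching the segment that is not listed here is anomalous.
INGRESS_RULES = [
    (ipaddress.ip_network("10.20.5.0/28"), 1433, "finance key-user LAN -> invoicing DB"),
    (ipaddress.ip_network("10.20.9.10/32"), 3389, "terminal server -> published client"),
    (ipaddress.ip_network("10.20.200.0/24"), 22, "vendor maintenance VPN pool -> SSH"),
]

# Egress allow-list: (destination network, destination port, business case).
# Logs must leave the segment (kept off the possibly compromised host); little else should.
EGRESS_RULES = [
    (ipaddress.ip_network("10.20.1.50/32"), 514, "legacy hosts -> syslog collector"),
]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = [
    "2015-09-18T08:00:01Z src=10.20.5.3 dst=10.90.0.10 dport=1433",
    "2015-09-18T08:00:05Z src=10.20.9.10 dst=10.90.0.20 dport=3389",
    "2015-09-18T08:01:10Z src=10.20.77.41 dst=10.90.0.10 dport=1433",
    "2015-09-18T08:02:00Z src=10.20.200.5 dst=10.90.0.10 dport=22",
    "2015-09-18T08:03:30Z src=10.90.0.10 dst=10.20.1.50 dport=514",
    "2015-09-18T08:04:12Z src=10.90.0.10 dst=198.51.100.7 dport=443",
]


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src=... dst=... dport=...' log line into a Flow."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Flow(
        ts,
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
    )


def is_allowed(flow: Flow) -> bool:
    """Default deny for the legacy segment: a flow passes only if a rule covers it."""
    inbound = flow.dst in LEGACY_SEGMENT
    outbound = flow.src in LEGACY_SEGMENT
    if not (inbound or outbound):
        return True  # does not touch the segment; out of scope for this check
    if inbound:  # also covers traffic between two legacy hosts
        return any(flow.src in net and flow.dport == port for net, port, _ in INGRESS_RULES)
    return any(flow.dst in net and flow.dport == port for net, port, _ in EGRESS_RULES)


def find_anomalies(lines: Iterable[str]) -> list[Flow]:
    """Return every flow touching the legacy segment that no business case permits."""
    return [flow for flow in map(parse_flow, lines) if not is_allowed(flow)]


if __name__ == "__main__":
    for flow in find_anomalies(SAMPLE_LOG):
        print(f"ANOMALY {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}")
```

Run against the sample, two flows are reported: an ordinary office workstation reaching the invoicing database (a summer trainee does not need port 1433) and a legacy host talking to an Internet address on 443, which is exactly the kind of outbound connection a compromised box would make. The same allow-list is what you would translate into the firewall rules around the segment; keeping the two in one place makes the log review a check that the rules still match the business cases.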

Original photo by Miguel Virkkunen Carvalho
