Legacy systems have long been a major concern for organizations across the globe. We have conducted thorough research and collected opinions from experts to bring you the most effective ways to secure your legacy applications and systems.
As a general rule, the six-step process of Identify, Isolate, Assess, Secure, Monitor, and Modernise is the most effective way to secure legacy systems. Repeat this process at least once every quarter. Remember that you can only mitigate the risk, not eliminate it completely.
If you think your organization does not use any legacy systems, or that you need not worry about them because you have moved completely to the cloud, think again. How many systems or applications in the organization have not been patched in the last six months or more? Yes, that is what we are talking about.
But what exactly is a legacy system, and why do organizations have them at all?
A legacy system is an application, system, or technology that you find difficult to keep up to date with patches.
One of the following is usually the key reason why you cannot update it:
- The application or system is old enough that patches are no longer available.
- Keeping it up to date is physically difficult.
- The organization does not have access to the source code.
- The fear that an update may break something or lead to downtime.
- The organization is not able to update it in a timely way.
1. Identify legacy systems and ecosystems
Identify and inventory the legacy systems in your environment. This should include systems that are out of support by the OEM, any internal applications whose source code is not available to the organization, and so on.
A discovery scan is usually a good idea and must be run periodically.
More often than not, these applications will also have dependencies on other legacy systems that need to be addressed.
An example would be an internal application whose source code is not available to the organization because the developer left on a “not so good” note a few years back. This application can only be accessed with Internet Explorer version 9. This is more of an ecosystem: to use the application, you also need to deploy IE9 on one or more secondary systems, which is again legacy software.
In this scenario, any system that has IE9 installed needs to be marked separately, as it will be more vulnerable to attacks than other systems.
The most commonly ignored legacy systems are servers, printers, routers, and switches running older firmware versions.
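The classification described in this step, as an added example that is not part of the original article: each inventory record is checked against the article's criteria (unpatched for six months or more, out of OEM support, source code unavailable), and a system that is current on its own but must run flagged software (the IE9 case) is marked separately as an ecosystem member. The `Asset` fields, the `requires` relation and the sample records are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

UNPATCHED_DAYS = 180  # the article's "not patched in six months or more"

@dataclass
class Asset:
    name: str
    last_patched: date | None          # None: no patch record at all
    oem_eol: date | None = None        # vendor end-of-support date, if known
    source_available: bool = True      # False for in-house apps whose source is lost
    requires: list[str] = field(default_factory=list)  # software the asset depends on

def legacy_reasons(asset: Asset, today: date) -> list[str]:
    """Reasons this asset counts as legacy on its own; an empty list means it does not."""
    reasons = []
    if asset.last_patched is None or (today - asset.last_patched).days >= UNPATCHED_DAYS:
        reasons.append("unpatched >= 6 months")
    if asset.oem_eol is not None and asset.oem_eol < today:
        reasons.append("out of OEM support")
    if not asset.source_available:
        reasons.append("source code unavailable")
    return reasons

def classify_inventory(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map asset name -> legacy reasons, then mark ecosystem members: an otherwise
    current system that has to run legacy software (the IE9 case) is flagged as well."""
    result = {a.name: legacy_reasons(a, today) for a in assets}
    legacy_names = {n for n, r in result.items() if r}
    for a in assets:
        deps = [d for d in a.requires if d in legacy_names]
        if deps and a.name not in legacy_names:
            result[a.name].append("ecosystem dependency on " + ", ".join(deps))
    return result

TODAY = date(2024, 6, 1)  # fixed reference date so the run is reproducible
SAMPLE_INVENTORY = [      # constructed sample records, not a real inventory
    Asset("hr-portal", date(2019, 3, 1), source_available=False, requires=["ie9"]),
    Asset("ie9", date(2016, 1, 12), oem_eol=date(2016, 1, 12)),
    Asset("ws-finance-07", date(2024, 5, 20), oem_eol=date(2029, 10, 14), requires=["ie9"]),
    Asset("core-switch-2", date(2022, 11, 3), oem_eol=date(2023, 6, 30)),
    Asset("web-01", date(2024, 5, 28), oem_eol=date(2027, 1, 1)),
]

if __name__ == "__main__":
    for name, reasons in classify_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name:15} {'LEGACY' if reasons else 'ok':7} {'; '.join(reasons)}")
```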
2. Isolate legacy systems and enforce access control
Micro-segmentation can be really helpful in reducing the exposure of legacy systems. This does not mean that you simply create a separate zone and put all legacy devices into it.
Putting all your vulnerable devices together in a single VLAN will probably be counterproductive: a compromise of one legacy system will cascade to the others, and if any one of them has access to other network segments, this will eventually result in a disaster.
A better way is to segment them further, with only one device in each zone and access to only the required systems and devices. Privileged or root access should also be restricted. Enforce MFA if the device supports it.
Internet access into or out of any of the legacy applications is again a bad idea, I mean a really bad idea. VPN access, however, can be considered on an on-demand basis.
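A policy check for the segmentation rules in this step, as an added example that is not part of the original article: it takes a zone table and a rule list in the shape a firewall export might be normalised to, and reports legacy zones that hold more than one device, any internet traffic in or out, and egress to destinations the zone does not genuinely need. The `legacy-` zone prefix, the rule tuple shape and the sample policy are assumptions constructed for this example.

```python
from __future__ import annotations

INTERNET = {"any", "internet", "0.0.0.0/0"}  # how the sample policy spells "everything"

def check_legacy_segmentation(zones, rules, required):
    """Check a segmentation policy for legacy zones: one device per zone, no internet
    traffic in or out, and egress only to the systems the zone actually requires.
    zones: {zone: [devices]}   rules: [(src_zone, dst_zone, port)]
    required: {legacy_zone: {destination zones it genuinely needs}}
    Legacy zones are recognised by the assumed "legacy-" naming prefix."""
    legacy = {z for z in zones if z.startswith("legacy-")}
    findings = []
    for z in sorted(legacy):
        if len(zones[z]) != 1:
            findings.append(f"{z}: {len(zones[z])} devices share one zone (want exactly 1)")
    for src, dst, port in rules:
        if src in legacy and dst in INTERNET:
            findings.append(f"{src}: internet egress allowed on port {port}")
        elif dst in legacy and src in INTERNET:
            findings.append(f"{dst}: internet ingress allowed on port {port}")
        elif src in legacy and dst not in required.get(src, set()):
            findings.append(f"{src}: egress to {dst}:{port} is not in its required list")
    return findings

SAMPLE_ZONES = {  # constructed example policy, not a real network
    "legacy-hr-portal": ["hr-portal"],
    "legacy-ie9-vm": ["ie9-vm-01"],
    "legacy-print": ["printer-03", "printer-04"],
    "corp-users": ["ws-finance-07", "ws-hr-02"],
    "db": ["hrdb-01"],
}
SAMPLE_RULES = [
    ("legacy-ie9-vm", "legacy-hr-portal", 443),  # IE9 jump VM reaches the app: required
    ("legacy-hr-portal", "db", 1433),            # app reaches its database: required
    ("legacy-hr-portal", "corp-users", 445),     # SMB into the user segment: not required
    ("legacy-print", "any", 80),                 # printers phoning home: internet egress
    ("any", "legacy-print", 9100),               # print from anywhere: internet ingress
    ("corp-users", "legacy-ie9-vm", 3389),       # users reach the jump VM over VPN: fine
]
SAMPLE_REQUIRED = {
    "legacy-ie9-vm": {"legacy-hr-portal"},
    "legacy-hr-portal": {"db"},
    "legacy-print": set(),
}

if __name__ == "__main__":
    for f in check_legacy_segmentation(SAMPLE_ZONES, SAMPLE_RULES, SAMPLE_REQUIRED):
        print("FINDING:", f)
```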
3. Periodically assess the security risks
If a legacy system depends on other legacy systems or software, like IE9 in the earlier example, a good idea is not to install IE9 on every user's system but to install it on a virtual machine and grant users access to it over a VPN.
If the software uses FTP or HTTP, change it to SFTP and HTTPS. Enforce password hygiene to make sure that passwords are changed regularly.
Regular vulnerability assessment and penetration testing are a good idea even if the system cannot be patched, as they will help you understand the magnitude of the risk.
Any sensitive information that does not need to be stored on the system, or to be accessible from it, should be moved elsewhere.
4. Harden the system and create a checklist
Make sure that any services or applications that are not vital are stopped, and that a hardening checklist is followed at the time of each assessment.
Many antivirus products still support definition updates for older systems. If your enterprise AV/EDR and HIPS do not support them, check whether a different solution does and consider buying a limited number of licenses for that AV/HIPS. Also check whether newer technologies like virtualization, Zero Trust, or polymorphing can make the system more secure.
Traffic analysis at the network layer, using a WAF, a reverse proxy, or perhaps an IPS, is another great idea. Any backups should be stored encrypted, and a disaster recovery plan should always be kept handy.
5. Monitor all events and limit data transfer
All events from the legacy system should be monitored, including sign-ins, new connection details, data transfers, etc. In fact, it is better to enforce a bandwidth cap on data transfer if possible. Physical monitoring of the systems is equally important.
Any event that is even remotely suspicious should be considered a red alert.
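The monitoring described in this step run over sample events, as an added example that is not part of the original article: sign-ins from outside the expected source zone, failed sign-ins, connections to destinations not seen before, and cumulative transfer above a cap are each raised as an alert, and a line that does not parse is an alert in its own right. The log format, the field names and the six sample lines are assumptions constructed for this example, not real telemetry.

```python
from __future__ import annotations
import ipaddress
import re

# Assumed log format (constructed for this example): "<timestamp> <host> <KIND> k=v k=v ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (SIGNIN|CONNECT|XFER) (.*)$")

def parse(line: str) -> dict[str, str] | None:
    """Split one line into a dict of fields; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    ev = {"ts": ts, "host": host, "kind": kind}
    ev.update(kv.split("=", 1) for kv in rest.split())
    return ev

def analyze(lines, allowed_src, allowed_dst, cap_bytes):
    """Return red-alert strings: sign-ins from outside allowed_src (e.g. the IE9 VM zone),
    failed sign-ins, connections to destinations outside allowed_dst, and cumulative
    transfer above cap_bytes. Anything that does not parse is itself an alert."""
    nets = [ipaddress.ip_network(n) for n in allowed_src]
    alerts, total = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(f"unparseable event: {line!r}")
        elif ev["kind"] == "SIGNIN":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in n for n in nets):
                alerts.append(f"{ev['ts']} sign-in by {ev['user']} from unexpected source {src}")
            if ev["result"] != "success":
                alerts.append(f"{ev['ts']} failed sign-in by {ev['user']}")
        elif ev["kind"] == "CONNECT" and ev["dst"] not in allowed_dst:
            alerts.append(f"{ev['ts']} new connection to {ev['dst']}:{ev['port']}")
        elif ev["kind"] == "XFER":
            total += int(ev["bytes"])
            if total > cap_bytes:
                alerts.append(f"{ev['ts']} transfer cap exceeded: {total} bytes so far")
    return alerts

SAMPLE_LOG = """\
2024-06-01T08:02:11 hr-portal SIGNIN user=jdoe src=10.20.5.7 result=success
2024-06-01T08:05:40 hr-portal CONNECT dst=10.30.1.15 port=1433
2024-06-01T08:06:02 hr-portal XFER dst=10.30.1.15 bytes=52428800
2024-06-01T09:14:55 hr-portal SIGNIN user=admin src=198.51.100.23 result=failure
2024-06-01T09:15:03 hr-portal CONNECT dst=198.51.100.23 port=445
2024-06-01T09:16:10 hr-portal XFER dst=198.51.100.23 bytes=734003200
""".splitlines()  # constructed sample lines, not real telemetry

def run_sample() -> list[str]:
    return analyze(SAMPLE_LOG, allowed_src=["10.20.5.0/24"],
                   allowed_dst={"10.30.1.15"}, cap_bytes=500 * 1024 * 1024)

if __name__ == "__main__":
    print("\n".join(run_sample()))
```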
6. Modernize or migrate to a newer system
It is important to understand that no matter what you do or how much you mitigate it, the risk will never go down to zero. A good idea is to have an internal cut-off date for legacy systems. For example, you can have a policy that any legacy system more than 10 years past end of support must not be part of the network. Make sure that these deadlines are respected.
Last but not least, always keep in mind that an attacker only needs a small crack to get into even the most secure environments. The sooner you can upgrade or modernise the system, the better.
Tell us what you think about this in the comments section.