Security compliance has always been on the priority list for organizations, and the spate of recent internet security attacks is further driving them to audit their security systems. Compliance with industry-specific standards such as PCI DSS, HIPAA and ISO 27001 is one way to ensure that an organization’s digital data is secure. However, many organizations still have key business processes or data on legacy systems, and these face a major challenge when it comes to security compliance: since many of these standards and certifications assume newer technology, meeting their requirements on a legacy system is often daunting.
Why are legacy systems still in use?
While most organizations closely monitor and upgrade their IT systems to improve operational efficiencies, a significant number of legacy systems continue to be used, either due to budget considerations or because they are an integral part of the business process. “Legacy systems mostly power the operations within banking and public sectors, where the consequences of any system downtime might have a devastating impact. An attempt to replace them puts the business processes at risk of damage due to unexpected technical issues. Also, an upgrade may turn out to be cost-prohibitive, especially if it requires significant investment in hardware, software, potential certification requirements, customization and compatibility testing,” shared Michael Fimin, CEO of Netwrix. He, along with his team, has provided compliance and auditing solutions to many organizations.
Chris Camejo, Director of Assessment Services for NTT Com Security, shed some light on the need to have adequate security for legacy systems, “The value of a particular piece of information doesn’t change as a result of where it’s stored. One million stolen medical records or credit card numbers will fetch the same price on the black market regardless of whether they were taken from a cutting-edge virtualized non-relational database or a spreadsheet on an ancient Windows NT 4 workstation. The smart attacker takes the path of least resistance and for an attacker it’s often easier to break into legacy systems.”
Compliance and maintenance issues with legacy systems
Extra security measures are required to keep the vulnerabilities of legacy systems from being exploited by potential attackers, though this increases the cost of keeping legacy systems online. “Companies using legacy systems face difficulties in finding specialists to maintain, update or integrate code written in languages like COBOL, since those languages are no longer included in colleges’ and IT training programs,” stated Fimin.
Even compliance standards recognize the risk from legacy systems and include specific prohibitions. Camejo shared an example, “Quarterly ASV vulnerability scans required under PCI DSS consider the detection of any operating system that is no longer supported by the vendor an automatic failure. Any detected vulnerabilities with a CVSS (vulnerability severity score) over 4.0, including those un-patchable vulnerabilities in legacy systems, also cause a failure.”
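To make the two failure conditions Camejo describes concrete, the following added example (not from the article or from any scanning vendor) evaluates a constructed set of scan results the way an ASV-style check would: any host whose operating system is no longer vendor-supported fails outright, and any finding scored above the quoted CVSS threshold fails as well, with unpatchable findings flagged separately because they can only be resolved by replacement or a compensating control. The host names, OS names, findings and the exact 4.0 boundary are assumptions taken from the quote; confirm the current threshold against the ASV Program Guide before relying on it.

```python
from dataclasses import dataclass, field

# Threshold as quoted in the article ("over 4.0"); verify against the
# current ASV Program Guide, which defines the exact boundary.
CVSS_FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    title: str
    cvss: float
    patch_available: bool  # False => no vendor fix exists (typical on legacy OS)


@dataclass
class HostResult:
    host: str
    os_name: str
    vendor_supported: bool
    findings: list = field(default_factory=list)


def evaluate_host(result: HostResult):
    """Return (passed, reasons) for one scanned host."""
    reasons = []
    if not result.vendor_supported:
        reasons.append(
            f"{result.host}: OS '{result.os_name}' is out of vendor support "
            "(automatic failure)"
        )
    for f in result.findings:
        if f.cvss > CVSS_FAIL_THRESHOLD:
            tag = "" if f.patch_available else " [unpatchable: replace or apply compensating control]"
            reasons.append(f"{result.host}: {f.title} (CVSS {f.cvss}){tag}")
    return (not reasons, reasons)


def evaluate_scan(results):
    """Map host -> (passed, reasons). The scan passes only if every host passes."""
    return {r.host: evaluate_host(r) for r in results}


def scan_passed(results) -> bool:
    return all(passed for passed, _ in evaluate_scan(results).values())


# Constructed sample results; hostnames, OS names and scores are illustrative only.
SAMPLE = [
    HostResult("legacy-app-01", "Windows NT 4.0", vendor_supported=False, findings=[
        Finding("Legacy SMB service weakness", 7.5, patch_available=False),
        Finding("Informational banner disclosure", 2.6, patch_available=True),
    ]),
    HostResult("web-02", "Linux (supported LTS)", vendor_supported=True, findings=[
        Finding("TLS configuration weakness", 5.3, patch_available=True),
    ]),
    HostResult("db-03", "Linux (supported LTS)", vendor_supported=True, findings=[
        Finding("Low-severity information leak", 3.1, patch_available=True),
    ]),
]

if __name__ == "__main__":
    for host, (passed, reasons) in evaluate_scan(SAMPLE).items():
        print(host, "PASS" if passed else "FAIL")
        for r in reasons:
            print("   ", r)
    print("overall:", "PASS" if scan_passed(SAMPLE) else "FAIL")
```

Note that the supported host web-02 still fails on a single medium-severity finding, while the legacy host accumulates two reasons; the unpatchable flag is what tells the reader that patching alone cannot bring that host back into scope.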
How to protect legacy systems
Legacy systems also face extra risk due to the potential presence of un-patchable vulnerabilities. Malware and attackers do not focus only on the latest vulnerabilities; they also leverage vulnerabilities that are often years old. Metaluxo IT Security works exclusively with small and medium enterprises to secure their digital data and interfaces. Based on his experience, Roberto Arias, Technical Director, Metaluxo, advised, “First, companies should patch, update, & harden their systems. Companies that are still running Windows XP (financial institutions included), causing them to fall outside of PCI-DSS, should find an expert to harden the systems. Second, PCI-DSS covers specific points of securing customer data, so organizations should audit their systems and replace only what is needed.”
Other compensatory measures can be used to prevent network based attacks. “Businesses should segment their networks by installing internal firewalls with restrictive rule sets in order to isolate systems with sensitive information from other systems that are exposed to risk. This works both ways: workstations and internet-facing systems are exposed to the risks of malware phishing, drive-by download malware, and direct attack so they should try to shield legacy systems that contain sensitive information from these other systems on the network; on the other hand, legacy systems themselves are a risk due to the potential of un-patchable vulnerabilities so we want to isolate other sensitive internal systems like databases from the legacy systems,” advised Camejo.
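The two-way isolation Camejo describes is easiest to reason about as a default-deny matrix between network zones, with a short explicit allow list. The example below is added here and is not from the article or from NTT Com Security: it classifies addresses into zones, answers whether a given flow is permitted, and renders the same policy as an nftables forward-chain ruleset for an internal firewall. The subnets, zone names and the single permitted application port are assumptions; the point is the shape of the policy, in which workstations reach the legacy application only on one port, the legacy zone reaches nothing else, and the database zone is reachable only from the DMZ application tier.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption; adjust to the real address plan).
# Anything outside these networks is treated as "internet".
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "dmz":          ip_network("10.20.0.0/24"),   # internet-facing app tier
    "legacy":       ip_network("10.30.0.0/24"),   # hosts with un-patchable vulns
    "databases":    ip_network("10.40.0.0/24"),   # sensitive internal data
}


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone; unknown -> internet."""
    addr = ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Allow:
    src: str
    dst: str
    proto: str
    port: int


# Default deny between zones. Only these inter-zone flows are permitted.
# Note what is absent: nothing from the internet or DMZ into legacy, and
# nothing from legacy outbound to the database zone or the internet.
ALLOWED = (
    Allow("workstations", "legacy", "tcp", 443),     # assumed legacy app front end
    Allow("dmz", "databases", "tcp", 5432),          # assumed app-tier DB access
)


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Evaluate one new connection against the zone policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic is not this firewall's concern (assumption)
    return Allow(src, dst, proto, port) in ALLOWED


def nft_ruleset() -> str:
    """Render the policy as an nftables forward chain with a drop default."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for a in ALLOWED:
        if a.src in ZONES and a.dst in ZONES:
            lines.append(
                f"    ip saddr {ZONES[a.src]} ip daddr {ZONES[a.dst]} "
                f"{a.proto} dport {a.port} accept"
            )
    # Log what the default policy drops so that probing is visible to the SOC.
    lines.append('    log prefix "seg-drop: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    print(is_allowed("10.10.4.20", "10.30.0.5", "tcp", 443))   # workstation -> legacy app
    print(is_allowed("10.30.0.5", "10.40.0.9", "tcp", 5432))   # legacy -> database
```

The `ct state established,related accept` line is what lets replies flow back without opening the reverse direction, and the logging drop rule at the end turns a blocked attempt into a detectable event rather than a silent failure.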
For organizations that are running out of time for compliance, Arias recommends some bold measures: “Move the software and its database to a new server and use full-disk encryption. Make sure the network communications on the legacy system are secure through SSL tunnels. These might not be long-term solutions, but many clients have been able to get exemptions and pass an audit if they truly show that they are securing data this way while they implement long-term fixes.”
Maintaining and securing a legacy system has its own associated cost, which can accumulate significantly over time. Camejo concluded with this final piece of advice, “Organizations need to weigh the real costs of keeping a legacy system around. They are often kept online due to the cost and difficulty of purchasing and migrating to new software, but when compared to the cost of the extra security that should be put in place to defend these systems, or the potential cost of a breach if the system is not defended, it may turn out that upgrading to modern technology is actually the cheaper route after all.”