If there’s one thing that exposes devices and other assets significantly to increased vulnerability, it’s stretching their lifetime way beyond that was originally intended in their original development and subsequent release. Like humans, these assets are not designed to go on forever – similarly, gone are the days when you could buy a domestic appliance, and have it last 20 years. The manufacture process for electrical devices has changed over the years, and the reduction in cost to make them more appealing to the consumer inevitably means that the affected equipment has a dramatically reduced lifespan. Much of this theory can be attributed and applied to any assets that are designed for a security function – they were fit for purpose at the time of implementation, and received a number of updates to ensure that the protection they offered remained consistent and reliable. But, as with all technology these days, the intended production cycle for such devices is often exceeded well beyond what their life expectancy should be.
One of the most common phrases you often hear when considering replacing something is
If it ‘aint broke, don’t fix it.
I’ll admit that if existing assets work well, and are sufficiently supported to maintain that particular function going forward for a considerable period (think Linux and the “Long Term Support” cycle), then perhaps your budget could be better spent elsewhere. However, smaller businesses often demand every ounce of flesh from any technology they purchase, and are generally either not financially equipped or management are simply unwilling to invest in modern technology in order to replace assets that are outside of what is considered realistically fit for production. I once worked for a company where they expected 5 years minimum out of a humble PC – this doesn’t sound like too much of a stretch for a machine sitting on the desk performing basic tasks, but it is when you place it in a factory full of dust. You could of course replace the SATA HDD with an SSD and gain both a significant speed improvement and a reduction in “moving parts fatigue”, but what about the chassis fan and power supply ? Let’s also not forget that most modern graphics cards also have a fan. Arguably more important is the need to consider the lifespan of the operating system and associated software that is running on the affected hardware. The machine when purchased may have been “new”, but the operating system itself could be into it’s third year, and may be unsupported much quicker than any business originally intended. From the PC perspective, getting a new operating system to replace an old one isn’t exactly a difficult task, but how does the above affect assets such as those devices that perform security related functions ?
Poor security hygiene as a result of legacy systems
I’ve been in various roles over the course of my career, and I’ve seen some “interesting” security practices (yes, there is a hint of sarcasm here). I once worked for a manufacturing facility that prior to my arrival, had suffered a catastrophic hardware failure within their old Cisco PIX firewall. Rather than replace it with a newer model, they (and I find it really hard to explain how this could ever provide sufficient protection within a commercial environment) replaced it with a PC running Windows 2000 Server with Zone Alarm – a software based firewall. Yes, I agree it is still a “firewall” as such, but it’s software based, and designed for the consumer market with at best, a small home network. Who would really consider such a product fit to control the internet gateway of any business ? I recalled this event during a recent discussion around IT budgets and used the ineffectiveness paradigm to explain why no business in their right mind should ever consider taking this route, going “cheap”, and paying the ultimate “modern” penalty in terms of data leakage or a breach. Interestingly, that very machine running Windows 2000 Server also played host to Microsoft Exchange Server 5.5 – it was also hacked within a month, had Dameware Mini Remote Control installed on it, and was being used for all sorts of illicit purposes thanks to the on board mail capability. Admittedly, this was long before Cyber Security, Data Leakage, and Data Breach became commonplace, so the damage caused in terms of business reputation was low. – if not non-existent. These days, this is certainly no longer the case, and any assets that are past their sell by date should be replaced as soon as your IT budget permits
Having thought a little more about this incident, I wondered how many businesses out there were using hardware and software that in reality should only be fit to act as a door wedge at best. In a recent trip to a medical practice, they proudly announced in their newsletter that they had replaced their old ERG (electroretinogram) machine with a newer one that was not reliant on WindowsXP. Interesting concept – this operating system was announced as End Of Life on the 14th of April, 2014 ! Given that this system is also network enabled, contained information around patient data, and would have undoubtedly been in scope under HIPAA regulations in terms of data protection, how was this legacy device allowed to continue operation for such an extended period of time ? With all the media attention around WannaCry and the NHS being hit owing to their extended use of Windows XP, you would have thought that such assets would be in scope for immediate replacement once they no longer received security updates, or were no longer supported by the vendor.
Those new to the security field may be wondering what all the fuss is about – let me explain.
Consider a school of Piranhas. These flesh-eating fish can strip an animal down to a carcass in minutes – sometimes seconds. Individually, the fish would take a considerable amount of time to finish a meal as large as this, but a school can accelerate such an attack to the point where they are “in and out” in an alarmingly short period of time.
The End Of Life Assets Paradigm
And so comes the paradigm; if you leave your End Of Life assets long enough without significant protection, you are essentially exposing them to an unprecedented level of attack from cyber criminals. These assets could then be used as a gateway to gain access to other information inside your network. Understandably, organisations these days are looking to reduce operational cost, and get more for their money in terms of their assets. This is known as “sweating”, or pushing the device to it’s limit until it really needs to be replaced before it fails completely. Whilst this yields significant financial benefit, it dramatically hinders the effectiveness of the security that particular device offers as the amount of time between the item no longer being supported and maintained to it actually ceasing to operate means that the security is significantly diluted. This creates a huge window of opportunity for cyber criminals to discover and leverage any weaknesses identified in the affected system. There are no planned releases from a security perspective to plug new holes found in this ship, and any attacker who stumbles across any public facing assets that are well outside of their supported life cycle would not experience too much difficulty identifying and exploiting weaknesses.
Assets in the form of hardware are not the only focus. Software that is old and dated will suffer from the same exploits time and time again if no further patches are being released by the software vendor. To any potential criminal, this is like the gift that keeps giving. As a classic example, there are multiple known vulnerabilities in (as an example) Adobe products. These appear literally on a daily basis, therefore, the old methods of purchasing software outright are no longer attractive once the vendor decides to pull the plug on that version. Adobe has changed it’s licensing of late, making it more appealing to “rent” software on a monthly basis. This not only reduces the overall cost, but also tightens up on security as the rolling platforms are patched on a regular basis, and most software houses are taking the “Software as a Service” route in order to combat both the spiralling cost of complete ownership, and the overall security of their products. As a side comment, using outdated or obsoleted software and / or hardware also negates business growth owing to the limitations they impose. Such example areas that could be impacted are data analysis, communications, decision making, and worse still, an overall loss of being able to compete in your industry.
Lastly, there’s the reputation damage. If your clients find out that you have been the victim of a data breach as a result of ageing hardware or software, this is likely to cause both widespread embarrassment, and in the financial industry, unprecedented panic as investors could begin to lose confidence in your ability to secure their information (and money).
The bottom line here is that if you have production technology that is End Of Life, you are placing your data and associated infrastructure at significant risk. Below are some of the critical areas that are affected by the multiple vulnerabilities dated technology can contain:
Security and operating systems.
With End Of Life technology, patches, bug fixes and security updates will simply cease to exist. As a result, your product security is is dramatically affected, as newer exploits will not be rectified. Your organisation’s security is compromised, and with this ageing technology, there is no “quick fix” either. Vendors will no longer offer remediation, as this is now considered outside of their development road map – you have to remember that vendors of software and hardware are looking to innovate – not drive in reverse. Using Microsoft as an example, PCs running WindowsXP can be vulnerable to malware, and these can impact newer versions of Microsoft products, including Windows 7 and Windows 10. However, Windows 7 (for a limited lifetime) and newer systems are likely to receive prompt attention.
Operating a business with inadequate security has other major pitfalls. Cyber criminals can infiltrate networks, wreak havoc on critical infrastructure and steal sensitive information. The impact from unsecured hardware and software can be disastrous and includes
- Costly data loss relating to strict, tough, and imposed fines
- Exposure of corporate and personnel data that is classed as personally identifiable
- Theft of intellectual property – considering your business may have several proprietary business models and algorithms , this could be extremely damaging.
- Complete network failure and the potential for legal action
- Hardware support and maintenance risk.
While some vendors offer extended support for older technology, this really is the necessary indication and impetus for you to upgrade to a platform that is up to date, and more importantly, supported by the vendor.
Legal, regulatory and compliance risk.
Organisations that rely on obsolete hardware and software can face heavy fines and even legal action if they do not comply with government or industry regulators – particularly if a data breach occurs resulting from the use of older technology. In this sense, the regulator is very likely to form the opinion that the breach could have been avoided by replacing the vulnerable and obsolete assets
Reliability and associated financial risks.
Outdated hardware is susceptible to failure and becomes less reliable as time goes by. Extending a lease for a photocopier (for example) seems like a good way of cutting costs, although trading old for new equipment at the end of a lease is a much better idea – not only does your organisation gain access to the latest technology – it is also covered from both the mechanical and updates perspective.
In Summary, assets that are classed as End Of Life can actually cost your business dearly – and not only from the financial perspective. Based on this, does your old server or firewall still look as appealing as it did before you read this article ?