People tend to like new and shiny things. When a kid gets a new toy, he forgets an old favourite and starts to neglect it – just like Woody thought Buzz Lightyear would replace him as in the original Toy Story.
Surprisingly, in corporate IT it seems that old still trumps new. Gartner has calculated that 60 to 80 percent of companies’ IT spending goes towards supporting old systems and applications. The problem is that many of these so-called legacy systems may already be unsupported and don’t receive any software or security updates.
This presents a huge security risk. If no more patches are going to be released for newly found security vulnerabilities, attackers have an easy way in.
The outbreak of WannaCry ransomware last May proved that even newer systems are at risk if they are not being properly looked after. Almost all victims were running a relatively current Windows 7 operating system.
The patch for the vulnerability had been published in March, almost two months before the attack. Still, WannaCry was able to infect over 230,000 computers in 150 countries, causing much trouble. It even put lives potentially at risk, as hospitals in England had to disconnect their systems and resort to using pen and paper.
Take good care of your IT
According to a report by IBM, the top five most attacked industries are healthcare, manufacturing, financial services, government, and transportation. Many companies and organizations in these sectors also rely quite heavily on legacy IT.
Legacy systems will still be around for a long time. Updating IT is hard, costly, and prone to errors. Why take the risk of failure, if it works? But even though there are legitimate reasons for running old applications, WannaCry and similar attacks should be able to convince even the most cynical IT manager that there are no shortcuts in security.
In IT, install-and-forget isn’t a recommended practice. All systems need active updating and a proactive approach to security. Software that was secure when taken into use may become a security risk as time goes by. It’s too late to react when criminals have already hijacked your critical systems.
Five steps for a better security in legacy systems
What’s the best way to keep out of harm’s way, then? There are some steps you can take that will go a long way:
- Find out what old and vulnerable computers are still in use in your company. Are they part of the network or standalone machines? You can run a vulnerability scan to see how a potential attacker would see your network.
- Assess the importance of legacy machines to your business. What would happen if you switched them off? Is there a newer and more secure alternative? What would be the cost of replacing them?
- Harden the security of legacy systems by minimizing the attack surface, i.e. the number of points an attacker can use to compromise the system. Allow access only for people who really need to use the system.
- If possible, shield the legacy systems on the network level with e.g. Intrusion Protection Systems and firewalls.
- Don’t forget your systems! Updating legacy systems may be hard, but that’s no reason to skip security. WannaCry should’ve taught everyone this. Constant monitoring and assessment are very much needed.
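The first four steps can be turned into a repeatable triage: inventory what is unsupported, weight it by business criticality and network exposure, and list the surface that should be closed or firewalled. The script below is an added example written for this post, not a Tieto tool or anything from the original article. The asset records, end-of-support dates and port lists are constructed sample data (fill them from your own inventory and the vendor lifecycle pages), and the scoring weights are an assumption chosen only to make the ranking readable.

```python
"""Legacy asset triage: unsupported? exposed? how critical? (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    """One inventory record. All field values below are constructed sample data."""
    hostname: str
    os_name: str
    end_of_support: date | None   # None = vendor still ships security patches
    networked: bool               # False = standalone machine, not reachable
    criticality: int              # 1 (nice to have) .. 5 (business stops without it)
    listening_ports: set[int]     # what a port scan of the host reports
    required_ports: set[int]      # what the business function actually needs


def is_unsupported(asset: Asset, today: date) -> bool:
    """Step 1: past end of support means no more patches will ever arrive."""
    return asset.end_of_support is not None and asset.end_of_support < today


def excess_ports(asset: Asset) -> set[int]:
    """Step 3: listening services nobody needs are pure attack surface."""
    return asset.listening_ports - asset.required_ports


def exposure_score(asset: Asset) -> int:
    """Reachable ports are an attacker's entry points; unnecessary ones count double.
    A standalone machine scores 0 regardless of what it runs (assumed weighting)."""
    if not asset.networked:
        return 0
    needed = asset.listening_ports & asset.required_ports
    return len(needed) + 2 * len(excess_ports(asset))


def risk_score(asset: Asset, today: date) -> int:
    """Step 2: weight exposure by business impact; unpatchable systems double."""
    base = asset.criticality * (1 + exposure_score(asset))
    return base * 2 if is_unsupported(asset, today) else base


def findings(asset: Asset, today: date) -> list[str]:
    """Human-readable actions per host (steps 3 and 4)."""
    notes = []
    if is_unsupported(asset, today):
        notes.append(f"unsupported since {asset.end_of_support.isoformat()}")
    if asset.networked and excess_ports(asset):
        ports = ", ".join(str(p) for p in sorted(excess_ports(asset)))
        notes.append(f"close or firewall ports {ports}")
    if asset.networked and asset.criticality >= 4:
        notes.append("segment behind firewall/IPS; allow only required sources")
    if not notes:
        notes.append("supported, minimal exposure; keep patching and monitoring")
    return notes


def triage(assets: list[Asset], today: date) -> list[tuple[str, int, list[str]]]:
    """Highest risk first, so the remediation backlog is already prioritised."""
    ranked = sorted(assets, key=lambda a: risk_score(a, today), reverse=True)
    return [(a.hostname, risk_score(a, today), findings(a, today)) for a in ranked]


# Constructed inventory. Hostnames, ports and criticalities are invented;
# check end-of-support dates against the vendor's lifecycle pages.
SAMPLE_ASSETS = [
    Asset("hmi-plant-01", "Windows XP", date(2014, 4, 8), True, 5,
          {135, 139, 445, 3389, 502}, {502}),
    Asset("payroll-legacy", "Windows Server 2008", date(2020, 1, 14), True, 4,
          {445, 1433, 3389}, {1433}),
    Asset("lab-scanner", "Windows 7", date(2020, 1, 14), False, 2, {445}, set()),
    Asset("web-portal", "Windows Server 2019", None, True, 3, {443}, {443}),
]
REFERENCE_DATE = date(2021, 6, 1)  # "today" for the sample run

if __name__ == "__main__":
    for host, score, notes in triage(SAMPLE_ASSETS, REFERENCE_DATE):
        print(f"{host:16} risk={score:4}  " + "; ".join(notes))
```

Note what the ranking shows: the standalone Windows 7 scanner ends up below the fully patched web server, because an unsupported machine that nothing can reach is a smaller problem than anything exposed, while the networked XP box with four unnecessary services open tops the list. That is the point of step 2: assess before you spend.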
At the end of Toy Story, the old favourite toy Woody and the new rival Buzz Lightyear became friends and went together towards new adventures. If you take good care of your legacy systems, they can also have a peaceful and secure coexistence with the more cutting-edge solutions.
Mikko Peltonen, Lead Solution Architect, Tieto Security Services