Are legacy systems your Achilles heel?

There are two particular dates from earlier in the year that stick in the minds of many of our readers — 9 April and 9 July. Why? Because they were what many consider the end-of-life dates for two significant and widely deployed Microsoft operating systems; Windows Embedded POSReady 2009 (the final Windows-XP-SP3-based OS) and all flavours of Server 2008, respectively.

Technically, those dates mark the end of Extended Support, and as both products moved into Extended Security Update (ESU) periods, they are not really end-of-life dates — at least, not for those who can afford to pay. ESU is an added-cost support option under which Microsoft endeavours to provide updates or mitigations for serious security vulnerabilities uncovered in the supported products for three years past their end of Extended Support.

But what does all this have to do with your company’s IT security stance? Aside from perhaps having alerted you to support options you’re unlikely to afford, it should direct your attention to two important questions — do you have any systems still running those OSes, and what are the equivalent issues for the OSes in all the other devices that are connected to your network?

Legacy devices might still be greatly useful and valuable. Point-of-Sale systems and “kiosk” style devices may have life cycles equal to or longer than the ten-year period typically covered by the free Mainstream Support and Extended Support periods of legacy Microsoft OSes (Windows 10 introduced significant changes in the way Microsoft supports its flagship OS). Further, specific models may be sold for years after they are initially designed, meaning new devices may ship with OSes that are already well into that ten-year support window.

If you have such devices and replacing them is uneconomic (imagine a CnC milling machine or similar) you might at least be able to put them on isolated networks, air-gapped from the internet and your other critical administration and production networks. For some devices this may be more problematic, as network access from arbitrary client machines might be a significant part of the value proposition of the device (imagine a high-volume, extremely fast printer). However, you may be able to abate the risks of it unavoidably running an outdated OS with strict firewalling that only allows access to its HTTP management interface.

The larger and more obvious devices, and those running Microsoft OSes, will probably be well-known and their OS support status readily determined, but that leads us to the second of those questions above — what are the equivalent issues for the OSes in all the other devices that are connected to your network? What OS runs your IP cameras? What version? When was their firmware last updated? Did all of them receive those updates? What application software sits atop that OS? A webserver? Some custom or OTS management software? Telnet access? Other remote access? Are there hardcoded or other backdoor accounts that can access the management software, video streams or even the OS via one or more of those interfaces?

What about the network video recorder those cameras connect to? Do you know the answers to all the same questions for it? Or do these cameras have to be connected to the internet to be managed via some cloud-based control panel? What else could go wrong with that?

What about the smart building devices in your offices such as the thermostats, smoke/fire detectors, door access card or key readers, smart locks, air quality monitors and so on? Do you know the answers to the above questions for all those devices? Would you even know where to start to find those answers?

Aside from the obvious computers in your network, such as your servers, desktops, laptops, tablets and smartphones, which are probably fairly modern and automatically updating their OSes and even their critical applications, what is the status of all those less obvious, even hidden, computers? The more obvious stuff such as network printers, hardware firewalls and routers, and so on are probably also managed and maintained, but what about all those others? The odds are high that many of them are running old versions of Linux with far too many services enabled and at least a few of those will have other overly permissive configurations and/or built-in backdoors.

If you are worried that the security of your network may be weakened due to the presence of legacy systems — and you should be — then maybe you should be sweating the small stuff. Don’t let the dates of 9 April and 9 July continue to haunt you — take proactive steps to move forward and protect your business today.

*Nick FitzGerald is a Senior Research Fellow at ESET, a pioneer in the field of Internet cybersecurity. Today, ESET protects more than 110 million users worldwide with leading antivirus and firewall solutions.

Image credit: ©stock.adobe.com/au/saikorn