Old technology solutions are still in the house. It could be an old and unsupported storage system or a tape library holding the still-functional backups from over 10 years ago. This is a common scenario with software too. For example, consider an accounting software suite that was extremely expensive when it was purchased. If the vendor eventually went under, then there is no longer any support for the software, which means that the accounting solution only works on an older operating system that is not supplied with updates either.
How valuable is it to keep older solutions like this running? Well, organizations do not enjoy running old legacy systems just for the pleasure of it, but they are often forced to keep them running because it is their only option, or at least the only cost-effective option available to them. Another issue is that some of the senior staff members who were present when the original system was purchased still refuse to let it go.
From a purely functional perspective, there is usually no problem with old technology. The technology is outdated, but it can still fulfill its role perfectly adequately. Companies continue to use old physical equipment because, after all, that old storage system is still accessible and the tapes can be read when needed.
This is the same for old software. The software might be outdated, but accounting manages all the invoices and payables using the old software with no issues at all. What is more, anecdotally anyway, older hardware lasts longer than more modern counterparts.
New hardware is more complex and thus has more breakable parts than older generations. But there is a different risk that's inherent to older hardware: it is commonly no longer supported by new operating systems, which means that running end-of-life operating systems is the only way to keep those old workhorses running. Think of accounting and manufacturing software: the entire company may have been built around these buying decisions, and they run on Windows NT.
During election season "it's the economy, stupid." In the IT world, on the other hand, "it's security, stupid." Old systems are intrinsically insecure. New vulnerabilities that affect old systems still pop up all the time, but there are no fresh updates for these end-of-life systems that protect against those new threats.
This introduces complicated consequences beyond just cybersecurity. Companies that run unsupported systems can be in breach of compliance requirements because it's impossible to meet compliance metrics for timely patching of vulnerabilities when patches are never released in the first place.
Organizations have tried many approaches to bridge the gap between the need to keep legacy systems running and the fact that there is a lack of updates for those systems. It creates a headache for IT practitioners, who have tried everything from air gapping systems to hiding systems behind multiple network-level security layers and implementing restrictive access controls around them.
What is one of the problems with running older, end-of-life systems? It is the lack of available security updates. The system is running fine and it's valuable exactly because it is running as is. The only thing missing is timely security updates. If IT professionals can find a way to apply security updates to an end-of-life system, then running that system is just the same as running an operating system launched last week, because the system fulfills its intended purpose and it does so securely.
One option is subscribing to extended support from OS vendors who provide an extension on the period during which patches are available for their operating system version. This type of solution is not always implemented when it would be the most useful, however, because it can be expensive.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Source: https://thehackernews.com/2022/12/the-value-of-old-systems.html