Mitigating the security risks of legacy IT systems

Jan. 10, 2024
Legacy IT systems require significant overhaul to meet today's compliance and security standards — a process that is both challenging and fraught with risk.

Imagine buying a hundred-year-old house. To keep your family safe, you need to update the antiquated plumbing and electrical systems to meet current building standards. But there's no existing blueprint to guide the work, and you need to keep the lights on and the water flowing during the renovation process.

This scenario mirrors the hurdles that organizations face with legacy IT systems — outdated computer hardware, applications or methods that continue to be used. For example, to support specific business processes, an organization might continue to use an old operating system like Windows 7, an old database system like Oracle 8i or SQL Server 2000, or deprecated authentication, encryption or network protocols.

Like the utilities in the old house, these legacy IT systems are actively being used, so organizations can't easily discard them. But they require significant overhaul to meet today's compliance and security standards — a process that is both challenging and fraught with risk.

Legacy IT Systems

The reality is that organizations need to uncover all hardware and software that is particularly susceptible to cyber threats. This includes any IT system no longer supported by its vendor, such as the outdated software and protocols mentioned earlier. Other examples of legacy IT systems include mainframe computers, tape-based backup systems, and systems that rely on obsolete software for which expertise is dwindling.

Beyond legacy IT systems, organizations should also uncover any systems that are not properly documented and managed by the IT department. For example, they should look for systems inherited through mergers, acquisitions or other channels, which may be documented, if at all, "somewhere" outside the organization's established channels and tools.

Another key area of concern is shadow IT — computer systems that are implemented by business users without the knowledge and oversight of the IT department.

This discovery process is not a one-time event. It’s essential to keep in mind that IT systems today tend to have a rather short lifecycle — software often needs to be upgraded annually, and hardware is deemed old after approximately three years.

Security and Compliance Risks

There are plenty of documented cyberattacks in which a legacy or undocumented IT system was the source of a major data breach. These systems are easier for attackers to exploit because most vendors stop supporting older versions of their technology after a certain end-of-life date, after which security patches are no longer issued at all.

Moreover, legacy systems not only often lack advanced security features, but they may actually be incompatible with modern security tools and techniques, which can make it difficult for organizations to detect and respond to cyber threats.

Continuing to use legacy IT systems also puts the organization at risk of compliance violations. Data privacy legislation generally requires organizations to take appropriate measures to mitigate security risks, so using outdated hardware and software is likely to result in audit findings and increased penalties in the case of a security incident.

Mitigation Strategies

To minimize the risks associated with legacy IT systems, organizations should prioritize regular system updates and prompt application of security patches, which helps keep IT systems from becoming “legacy” in the first place.

Additionally, they should conduct regular vulnerability assessments and penetration testing to identify weaknesses, including outdated hardware and software that an adversary could exploit.

More broadly, organizations should implement a comprehensive system hardening program. And since every IT system drifts away from its secure baseline configuration over time, they also need a robust change control process that can distinguish between planned changes (such as patching) and unwanted and potentially dangerous changes made by errant scripts or malicious actors.
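The baseline-drift check described above, as an added illustration that is not code from the article or from Netwrix: a stored baseline of file hashes is compared with what is observed on a legacy host, and each difference is labelled as a planned change (it matches the hash recorded on a change ticket) or as unplanned drift to investigate. All paths, contents and the ticket number are constructed sample data.

```python
import hashlib


def digest(content: str) -> str:
    """SHA-256 of a file's content; the baseline stores hashes, not the content itself."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed sample: the approved secure baseline of a legacy host, as hashes.
BASELINE = {
    "/etc/ssh/sshd_config": digest("PermitRootLogin no\nProtocol 2\n"),
    "/etc/pam.d/common-auth": digest("auth required pam_unix.so\n"),
    "/opt/legacy-app/app.conf": digest("db=oracle8i\nlisten=10.0.5.20\n"),
    "/etc/hosts.allow": digest("sshd: 10.0.5.0/24\n"),
}

# Constructed sample: change control records the hash a planned change must produce.
APPROVED_CHANGES = {
    "/opt/legacy-app/app.conf": {
        "ticket": "CHG-0042",  # hypothetical ticket id
        "expected": digest("db=oracle8i\nlisten=10.0.5.20\nlog=/var/log/app\n"),
    },
}

# Constructed sample: file contents observed on the host during a later integrity check.
OBSERVED = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nProtocol 2\n",  # nobody approved this
    "/etc/pam.d/common-auth": "auth required pam_unix.so\n",  # unchanged
    "/opt/legacy-app/app.conf": "db=oracle8i\nlisten=10.0.5.20\nlog=/var/log/app\n",  # CHG-0042
    "/tmp/.cron.sh": "echo hi\n",  # not in the baseline at all
    # /etc/hosts.allow is absent: the access restriction was removed
}


def classify_drift(baseline, approved, observed):
    """Label every path in the baseline or on the host: unchanged, planned, or unplanned."""
    report = {}
    for path in sorted(set(baseline) | set(observed)):
        if path not in observed:
            report[path] = "unplanned: removed"
            continue
        actual = digest(observed[path])
        change = approved.get(path)
        if change and actual == change["expected"]:
            report[path] = f"planned: {change['ticket']}"  # matches the ticket, so expected
        elif path not in baseline:
            report[path] = "unplanned: added"
        elif actual == baseline[path]:
            report[path] = "unchanged"
        else:
            report[path] = "unplanned: modified"
    return report


def unplanned(report):
    """Paths that should raise an alert and be investigated or rolled back."""
    return [p for p, status in report.items() if status.startswith("unplanned")]
```

Once a planned change has been verified this way, the baseline entry is updated to the new hash so the next run does not report it again.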

Organizations should also take steps to mitigate the risk from legacy IT systems that they cannot remove. For example, by using network segmentation to isolate legacy IT systems from the rest of the network, they can limit the potential damage and speed recovery in case of a successful cyberattack on a legacy system.

Conclusion

It would be nice if everything in your IT environment were shiny and new, but that is rarely the case. Nearly every organization has legacy IT systems that it cannot simply replace, any more than you can simply rip out all the plumbing from the old house you’re living in. Instead, organizations have no choice but to secure their legacy IT systems. Fortunately, there are solutions available to address this challenge.

About the Author

Dirk Schrader

Dirk Schrader is Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. As the VP of Security Research, Dirk is working on focused research for specific industries like healthcare, energy or finance. As the Field CISO EMEA he ‘speaks the language’ of Netwrix’s customers and prospects to facilitate a fit-for-purpose solution delivery. Dirk has published numerous articles addressing cyber risk management, IT security tactics and operations, and has reported hundreds of unprotected, vulnerable critical medical devices to authorities and health providers around the globe.