We know, it’s not your fault. You joined a financial services firm and inherited processes, software and systems that were installed by your predecessor, if not before. Given the choice we know you would like a fresh start; but budgets, internal politics and potential disruption often make it difficult to upgrade and put alternative solutions in place.
If this sounds familiar, we have some ammunition for you. Just whisper ‘Equifax hack’ and you may soon have your company’s key decision makers’ attention. Last month the credit monitoring company went public on a massive data breach that compromised 143 million US consumer accounts and 400,000 UK residents. Where did the breach originate? Through a web-application vulnerability, which had a patch available.
The Apache Struts project, which maintains the web-application framework, disclosed that vulnerability in March, and a patch, advice and instructions were offered to all users. René Gielen, vice president of Apache Struts, said, “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
Whether this was an oversight or the result of lax cyber security procedures, the breach highlights a particular problem: legacy systems not only increase the risk of a cyber attack because bugs and vulnerabilities go unpatched, but hackers are also increasingly looking to exploit those flaws.
How hackers exploit legacy systems
If a software company has disclosed a vulnerability and issued a patch, you can bet that there are hackers already targeting companies that use that software. They know that patching vulnerabilities can take time; many businesses and organisations have policies that mean patches need to be tested before they can be installed. Moreover, there will be some who don’t get round to it for one reason or another, giving hackers plenty of opportunity to breach their systems.
Legacy systems can also have inherent security issues, such as default or hardcoded passwords. These predate our current cyber threat landscape – in some cases even the Internet itself – and hark back to a time when personal data didn’t have the currency it has today. They are typically privileged credentials, since the accounts they protect have high-level access, and often companies don’t even know they exist. That also means they don’t know when those accounts are used, until something goes wrong.
Hackers can find these passwords easily, as they were often included in product documentation, and lists of them can be readily bought online. Even software that predates the cloud can be vulnerable if it is now connected to the Internet through your IT infrastructure and network.
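The practical gap described above is visibility: nobody knows which built-in accounts a legacy product still has, or when they are used. The following is an added example, not code from the article or from Invinsec, of a small detection routine that scans authentication log lines for logins by known vendor default accounts, rates each event by whether the account is privileged and whether the source address lies outside the trusted admin network, and reports which default accounts have actually been seen on each host. The log format, account names, host names, addresses and the trusted network are all constructed assumptions.

```python
"""Flag authentication events by vendor default / built-in accounts.

Added example; the inventory, log format and sample lines below are
constructed assumptions, not data from the original article.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical inventory of built-in accounts shipped with legacy products
# (the kind listed in vendor manuals). True marks a privileged account.
DEFAULT_ACCOUNTS = {
    "admin": True,
    "sysadmin": True,
    "svc_backup": True,
    "guest": False,
}

# Network from which administrative logins are expected (assumption).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]

# Assumed log line shape:
#   <ISO8601 timestamp> <host> auth: <ACCEPTED|FAILED> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPTED|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Finding:
    ts: datetime
    host: str
    user: str
    src: str
    result: str
    privileged: bool
    off_network: bool

    @property
    def severity(self) -> str:
        """Successful privileged login from outside the admin network is the
        worst case; failures and unprivileged on-network logins are low."""
        if self.result == "ACCEPTED" and self.privileged and self.off_network:
            return "high"
        if self.result == "ACCEPTED" and (self.privileged or self.off_network):
            return "medium"
        return "low"


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def scan(lines):
    """Return a Finding for every event involving a known default account."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip as log noise
        user = rec["user"].lower()  # legacy systems often match case-insensitively
        if user not in DEFAULT_ACCOUNTS:
            continue
        src = ip_address(rec["src"])
        off_network = not any(src in net for net in TRUSTED_ADMIN_NETS)
        findings.append(Finding(rec["ts"], rec["host"], user, rec["src"],
                                rec["result"], DEFAULT_ACCOUNTS[user], off_network))
    return findings


def accounts_seen(findings):
    """Map host -> set of default accounts observed in use on it."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.user)
    return seen


def summarize(findings):
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real source.
SAMPLE_LOG = [
    "2017-10-02T08:15:01Z legacy-erp-01 auth: ACCEPTED user=jsmith src=10.20.1.15",
    "2017-10-02T08:17:44Z legacy-erp-01 auth: ACCEPTED user=admin src=10.20.1.15",
    "2017-10-02T03:02:10Z legacy-erp-01 auth: ACCEPTED user=sysadmin src=203.0.113.7",
    "2017-10-02T03:02:12Z legacy-erp-01 auth: FAILED user=guest src=203.0.113.7",
    "not a log line at all",
    "2017-10-02T09:00:00Z hr-portal auth: ACCEPTED user=Guest src=10.20.1.99",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.ts:%Y-%m-%d %H:%M} {f.host} user={f.user} "
              f"src={f.src} {f.result}")
    print("default accounts seen per host:", accounts_seen(results))
    print("totals:", summarize(results))
```

The inventory dictionary is the part that has to be maintained: it is the list of built-in accounts the text says companies often do not know they have, so populating it from vendor documentation for each legacy product is itself part of the exercise.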
The ever-evolving threat landscape also means that cyber security solutions themselves can provide criminals with an opportunity. If the tools being deployed are not robust enough, there may be gaps in your security protection, and new threats are constantly being developed to exploit those gaps, gaps that legacy cyber security software was never designed to close.
As the Equifax hack demonstrates, if you use legacy systems they must be covered by proactive cyber security and data protection procedures. This should involve a clear understanding of the risk of an attack and the potential damage should one occur, the types of threat the software is vulnerable to, and what solutions are being used to protect it. Threat monitoring tools should be part of this solution, alerting you to any attempts to hack your systems and identifying the biggest risks to your business.
If you’re concerned that legacy systems could be putting your organisation at risk, get in touch with our security experts to discuss further ways to protect your business critical systems. Call +44 (0)203 195 4479 or email firstname.lastname@example.org
By Ian McGregor, CRO, Invinsec