It’s a Good Time to Review the Security Risks of Obsolete Technology

Legacy systems and platforms that are no longer supported can pose a serious risk to businesses. It’s a good time to consider the security risks that can come with obsolete technology. For example, Windows Vista will not be supported moving forward, meaning no future security updates or functionality fixes. Leaving legacy, unsupported systems deployed in your organization presents risks that will only expand over time.

End-of-Life, Beginning of Increased Risk

End-of-life technologies lie at the root of extensive and well-documented security risks. For example, cybercriminals could exploit a single unpatched Vista system to provide a base for compromising an entire network. The more unsupported systems in the organization, and the longer they’ve been unsupported, the greater the risks they present.

The recent disclosure of a remote code execution (RCE) vulnerability in Microsoft’s Internet Information Server (IIS) version 6 and proof-of-concept (PoC) exploitation code provide a timely example. As reported by PCWorld, extended support for IIS 6 ended in July 2015. Since that was nearly two years ago, you might think those systems would have been upgraded by now. However, “independent web server surveys suggest that IIS 6.0 still powers millions of public websites” on at least 300,000 public servers.

Evidence of exploitation of this IIS 6 vulnerability dates back to at least mid-2016, over a year after the final retirement of Microsoft Windows Server 2003 and its dependents, such as IIS 6. Now that fraudsters have a PoC to take advantage of the flaw, more attackers are likely to use the technique.

It’s not just an issue for servers that face the internet, either. Once attackers develop a foothold in the network, these sorts of vulnerabilities provide easy methods to expand their holdings. Attackers can use them to compromise the IIS 6 server, extract intelligence from it, and use that and its resources to compromise additional systems and perhaps escalate privileges. If the IIS 6 server machine hosts other server processes, those processes and their data are also at risk.

It’s not only about internet-facing assets either — every system counts. Last summer, cybercriminals gained access to the SWIFT networks. Most of them did not directly attack the systems implementing the SWIFT protocol. Rather, they focused on ancillary systems that could generate and validate SWIFT transactions, then covered up the tracks after the fraudulent transaction was processed. Attackers don’t have to break into a bank vault to steal money that’s kept under a mattress.

Dealing with End-of-Life Technology in Your Infrastructure

How should organizations deal with end-of-life technologies? Protection starts with the basics of risk management and technology planning. Companies must actively weigh the risk of maintaining and securing obsolete systems against the cost of upgrading. Vendors generally provide plenty of notice of end-of-life milestones, but it’s best to consider these issues from the moment a system is designed and keep an eye on them throughout its life.

The potential risks can be significant, but so can the costs. Ask yourself the following questions:

  • How many Vista machines are still in your network?
  • What do they do in terms of your business?
  • What systems do they communicate with?

Once you have the inventory, the next step is a basic risk and cost analysis:

  • What’s the risk if they’re ever compromised?
  • What’s the cost to update them and their applications?

The organization must consciously weigh the expense of keeping an outdated platform running and secure versus the costs of moving to newer platforms. We’ve all heard stories about organizations spending money to keep an obsolete solution limping along when they could have easily funded a replacement system and avoided the risk of an orphaned platform.
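As an added illustration (not from the original article), here is a small Python triage over a constructed inventory that answers the questions above: which hosts run an unsupported platform, how long they have been unsupported, and a rough ranking by internet exposure and the systems they talk to. The scoring weights, the host names and the Vista end-of-support date are assumptions; the July 2015 date for Windows Server 2003 and IIS 6 is the one the article cites.

```python
from dataclasses import dataclass
from datetime import date

# End-of-support dates. July 2015 for Windows Server 2003 (and with it IIS 6)
# is from the article; the Vista date is an assumption based on Microsoft's
# published end of extended support (2017-04-11).
END_OF_SUPPORT = {
    "Windows Vista": date(2017, 4, 11),
    "Windows Server 2003": date(2015, 7, 14),
}

@dataclass
class Host:
    name: str
    platform: str
    business_function: str   # "What do they do in terms of your business?"
    internet_facing: bool
    talks_to: list           # "What systems do they communicate with?"

def days_unsupported(host, today):
    """Days past end of support, or 0 if the platform is still supported."""
    eol = END_OF_SUPPORT.get(host.platform)
    return 0 if eol is None or today < eol else (today - eol).days

def risk_score(host, today):
    """Assumed weighting: years out of support, exposure, and reachable hosts."""
    days = days_unsupported(host, today)
    if days == 0:
        return 0
    score = 1 + days // 365                 # one point per year unsupported
    score += 3 if host.internet_facing else 0
    score += len(host.talks_to)             # blast radius if this host falls
    return score

def triage(inventory, today_iso):
    """Unsupported hosts as (score, days, name, platform, function), highest first."""
    today = date.fromisoformat(today_iso)
    rows = [(risk_score(h, today), days_unsupported(h, today),
             h.name, h.platform, h.business_function) for h in inventory]
    return sorted((r for r in rows if r[0] > 0), reverse=True)

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Host("web-legacy", "Windows Server 2003", "public product catalogue", True, ["db-orders"]),
    Host("db-orders", "Windows Server 2012", "order database", False, []),
    Host("kiosk-07", "Windows Vista", "warehouse label printing", False, ["erp-app"]),
    Host("erp-app", "Windows Server 2016", "ERP front end", False, ["db-orders"]),
]

if __name__ == "__main__":
    for score, days, name, platform, func in triage(INVENTORY, "2017-04-30"):
        print(f"{score:>3} {days:>5}d  {name:<11} {platform:<20} {func}")
```

Feeding it a real inventory (for example an export of operating-system fields from your asset database) turns the article's questions into a repeatable report rather than a one-off audit.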

This happens surprisingly often with unsung systems that turn out to be critical to business operations. Sometimes the systems were developed by third parties under contract, and sometimes the people who created them have left the company. In either case, those who remain are afraid to touch anything for fear of breaking the business. Staff often skip updating these machines, even while support is still available, for fear of breaking them. But think about the risk that adds to your operations and disaster recovery procedures.

Ousting Obsolete Technology

A few years down the road, you don’t want to be dealing with a vulnerability on your creaky Vista systems. Ideally, change-of-platform planning starts during the design process for these systems. Failing that, the vendor’s end-of-life announcement provides a wake-up call that it’s high time to start planning transitions for all of your systems, clients, servers, and those invisible back-end and interconnected systems toiling away in a closet or an ancient rack, surrounded by a halo of dusty patch cables.

It’s not just your IT staff that needs to keep up with these things. If you develop internal applications or systems, or contract for their development, you’re on the hook. One day, those systems will require code changes to make a platform transition just to keep them running on a platform that still gets security updates.

The issues with end-of-life technologies are far more complex than they appear at first glance. The size and diversity of the IT industry means that products and technologies sunset regularly. As a result, conscious planning for these transitions is critical. This includes maintaining an inventory that thoroughly maps the connected systems and identifies the value of their contents and activities so that you can reasonably assess and manage the costs and risks, just as you do for the systems that are front and center before your customers and staff.


Doug Franklin

Research Technologist, IBM Security X-Force

Doug Franklin is a Research Technologist at IBM Security Systems X-Force. Doug looks at the broad spectrum of threats,...