April 11, 2017 By Doug Franklin 4 min read

Legacy systems and platforms that are no longer supported can pose a serious risk to businesses. It’s a good time to consider the security risks that can come with obsolete technology. For example, Windows Vista will not be supported moving forward, meaning no future security updates or functionality fixes. Leaving legacy, unsupported systems deployed in your organization presents risks that will only expand over time.

End-of-Life, Beginning of Increased Risk

End-of-life technologies lie at the root of extensive and well-documented security risks. For example, cybercriminals could exploit a single unpatched Vista system to provide a base for compromising an entire network. The more unsupported systems in the organization, and the longer they’ve been unsupported, the greater the risks they present.

The recent disclosure of a remote code execution (RCE) vulnerability in Microsoft’s Internet Information Server (IIS) version 6 and proof-of-concept (PoC) exploitation code provide a timely example. As reported by PCWorld, extended support for IIS 6 ended in July 2015. Since that was nearly two years ago, you might think those systems would have been upgraded by now. However, “independent web server surveys suggest that IIS 6.0 still powers millions of public websites” on at least 300,000 public servers.

Evidence of exploitation of this IIS 6 vulnerability dates back to at least mid-2016, over a year after the final retirement of Microsoft Windows Server 2003 and its dependents, such as IIS 6. Now that fraudsters have a PoC to take advantage of the flaw, more attackers are likely to use the technique.

It’s not just an issue for servers that face the internet, either. Once attackers develop a foothold in the network, these sorts of vulnerabilities provide easy methods to expand their holdings. Attackers can use them to compromise the IIS 6 server, extract intelligence from it, and use that and its resources to compromise additional systems and perhaps escalate privileges. If the IIS 6 server machine hosts other server processes, those processes and their data are also at risk.

Every system counts, not only the internet-facing ones. Last summer, cybercriminals gained access to the SWIFT networks. Most of them did not directly attack the systems implementing the SWIFT protocol. Rather, they focused on ancillary systems that could generate and validate SWIFT transactions, then covered their tracks after the fraudulent transaction was processed. Attackers don’t have to break into a bank vault to steal money that’s kept under a mattress.

Dealing with End-of-Life Technology in Your Infrastructure

How should organizations deal with end-of-life technologies? Protection starts with the basics of risk management and technology planning. Companies must actively weigh the risks of maintaining and securing obsolete systems against the cost of upgrading. Vendors generally provide plenty of notice of end-of-life milestones, but it’s best to consider these issues as early as the design of the system and to keep an eye on them afterward.

The potential risks can be significant, but so can the costs. Ask yourself the following questions:

  • How many Vista machines are still in your network?
  • What do they do in terms of your business?
  • What systems do they communicate with?

Once you have the inventory, the next step is a basic risk and cost analysis:

  • What’s the risk if they’re ever compromised?
  • What’s the cost to update them and their applications?

The organization must consciously weigh the expense of keeping an outdated platform running and secure versus the costs of moving to newer platforms. We’ve all heard stories about organizations spending money to keep an obsolete solution limping along when they could have easily funded a replacement system and avoided the risk of an orphaned platform.

This happens surprisingly often for unsung systems that turn out to be critical to business operations. Sometimes the systems were developed by third parties under contract, and sometimes the people who created these systems have left the company. In either case, those who are left are afraid to touch anything for fear of breaking the business. Employees often fail to update these machines while support is still available due to the danger of breaking them. But think about the risk that adds to your operations and disaster recovery procedures.

Ousting Obsolete Technology

A few years down the road, you don’t want to be dealing with a vulnerability on your creaky Vista systems. Ideally, change-of-platform planning starts during the design process for these systems. Failing that, the vendor’s end-of-life announcement provides a wake-up call that it’s high time to start planning transitions for all of your systems, clients, servers, and those invisible back-end and interconnected systems toiling away in a closet or an ancient rack, surrounded by a halo of dusty patch cables.

It’s not just your IT staff that needs to keep up with these things. If you develop internal applications or systems, or contract for their development, you’re on the hook. One day, those systems will require code changes to make a platform transition just to keep them running on a platform that still gets security updates.

The issues with end-of-life technologies are far more complex than they appear at first glance. The size and diversity of the IT industry means that products and technologies sunset regularly. As a result, conscious planning for these transitions is critical. This includes maintaining an inventory that thoroughly maps the connected systems and identifies the value of their contents and activities so that you can reasonably assess and manage the costs and risks, just as you do for the systems that are front and center before your customers and staff.
