April 11, 2017 By Doug Franklin 4 min read

Legacy systems and platforms that are no longer supported can pose a serious risk to businesses. It’s a good time to consider the security risks that can come with obsolete technology. For example, Windows Vista will not be supported moving forward, meaning no future security updates or functionality fixes. Leaving legacy, unsupported systems deployed in your organization presents risks that will only expand over time.

End-of-Life, Beginning of Increased Risk

End-of-life technologies lie at the root of extensive and well-documented security risks. For example, cybercriminals could exploit a single unpatched Vista system to provide a base for compromising an entire network. The more unsupported systems in the organization, and the longer they’ve been unsupported, the greater the risks they present.

The recent disclosure of a remote code execution (RCE) vulnerability in Microsoft’s Internet Information Server (IIS) version 6 and proof-of-concept (PoC) exploitation code provide a timely example. As reported by PCWorld, extended support for IIS 6 ended in July 2015. Since that was nearly two years ago, you might think those systems would have been upgraded by now. However, “independent web server surveys suggest that IIS 6.0 still powers millions of public websites” on at least 300,000 public servers.

Evidence of exploitation of this IIS 6 vulnerability dates back to at least mid-2016, over a year after the final retirement of Microsoft Windows Server 2003 and its dependents, such as IIS 6. Now that fraudsters have a PoC to take advantage of the flaw, more attackers are likely to use the technique.

It’s not just an issue for servers that face the internet, either. Once attackers develop a foothold in the network, these sorts of vulnerabilities provide easy methods to expand their holdings. Attackers can use them to compromise the IIS 6 server, extract intelligence from it, and use that and its resources to compromise additional systems and perhaps escalate privileges. If the IIS 6 server machine hosts other server processes, those processes and their data are also at risk.

Every system counts, not only the internet-facing ones. Last summer, cybercriminals gained access to the SWIFT networks. Most of them did not directly attack the systems implementing the SWIFT protocol. Rather, they focused on ancillary systems that could generate and validate SWIFT transactions, then covered their tracks after the fraudulent transaction was processed. Attackers don’t have to break into a bank vault to steal money that’s kept under a mattress.

Dealing with End-of-Life Technology in Your Infrastructure

How should organizations deal with end-of-life technologies? Protection starts with the basics of risk management and technology planning. Companies must actively weigh the risks of maintaining and securing obsolete systems against the cost of upgrading. Vendors generally provide plenty of notice of end-of-life milestones, but it’s best to consider these issues as early as the system’s design and keep an eye on them thereafter.

The potential risks can be significant, but so can the costs. Ask yourself the following questions:

  • How many Vista machines are still in your network?
  • What do they do in terms of your business?
  • What systems do they communicate with?

Once you have the inventory, the next step is a basic risk and cost analysis:

  • What’s the risk if they’re ever compromised?
  • What’s the cost to update them and their applications?

The organization must consciously weigh the expense of keeping an outdated platform running and secure versus the costs of moving to newer platforms. We’ve all heard stories about organizations spending money to keep an obsolete solution limping along when they could have easily funded a replacement system and avoided the risk of an orphaned platform.

This happens surprisingly often for unsung systems that turn out to be critical to business operations. Sometimes the systems were developed by third parties under contract, and sometimes the people who created these systems have left the company. In either case, those who are left are afraid to touch anything for fear of breaking the business. Employees often fail to update these machines while support is still available due to the danger of breaking them. But think about the risk that adds to your operations and disaster recovery procedures.

Ousting Obsolete Technology

A few years down the road, you don’t want to be dealing with a vulnerability on your creaky Vista systems. Ideally, change-of-platform planning starts during the design process for these systems. Failing that, the vendor’s end-of-life announcement provides a wake-up call that it’s high time to start planning transitions for all of your systems: clients, servers, and those invisible back-end and interconnected systems toiling away in a closet or an ancient rack, surrounded by a halo of dusty patch cables.

It’s not just your IT staff that needs to keep up with these things. If you develop internal applications or systems, or contract for their development, you’re on the hook. One day, those systems will require code changes to make a platform transition just to keep them running on a platform that still gets security updates.

The issues with end-of-life technologies are far more complex than they appear at first glance. The size and diversity of the IT industry means that products and technologies sunset regularly. As a result, conscious planning for these transitions is critical. This includes maintaining an inventory that thoroughly maps the connected systems and identifies the value of their contents and activities so that you can reasonably assess and manage the costs and risks, just as you do for the systems that are front and center before your customers and staff.
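The inventory and risk questions above (how many unsupported machines, what they do, what they talk to, what a compromise would cost) and the connected-systems map this paragraph calls for can be answered from a single asset list. The following script is an added example, not code from the original article or from any vendor: it reads a constructed inventory, flags hosts whose platform is past end of support, walks the recorded communication paths to see what a compromised host can reach, and ranks the findings by the business value exposed. The end-of-support table, the hostnames, the value ratings and the communication links are all assumed sample values; real lifecycle dates belong in the table from the vendor’s own documentation.

```python
"""End-of-life inventory triage (added example with constructed data)."""
import csv
import io
from collections import deque
from datetime import date

# Illustrative end-of-support table. The Windows Server 2003 / IIS 6 entry is the
# July 2015 retirement the article mentions; treat every entry as an assumption
# and populate this from the vendor's lifecycle documentation in practice.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Vista": date(2017, 4, 11),
    "Windows Server 2016": date(2027, 1, 12),
}

# Constructed sample inventory: hostname, platform, business role, a 1-5 rating
# of the value of what the host carries, and the hosts it communicates with.
SAMPLE_INVENTORY = """hostname,platform,role,business_value,talks_to
web-legacy-01,Windows Server 2003,IIS 6 web front end,3,app-02;db-01
app-02,Windows Server 2016,order processing,5,db-01
db-01,Windows Server 2016,customer database,5,
kiosk-07,Windows Vista,lobby kiosk,1,app-02
hr-files,Windows Server 2003,HR file share,4,
"""

# Fixed "today" so the sample output is reproducible (assumed date).
AS_OF = date(2017, 6, 1)


def load_inventory(csv_text):
    """Parse the inventory CSV into {hostname: record}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["business_value"] = int(row["business_value"])
        row["talks_to"] = [h for h in row["talks_to"].split(";") if h]
        inventory[row["hostname"]] = row
    return inventory


def support_status(platform, today):
    """'unsupported', 'supported', or 'unknown' when the platform is not in the table."""
    eos = END_OF_SUPPORT.get(platform)
    if eos is None:
        return "unknown"
    return "unsupported" if today > eos else "supported"


def reachable_from(host, inventory):
    """All hosts reachable over recorded communication paths (BFS, cycle-safe)."""
    seen, queue = set(), deque(inventory[host]["talks_to"])
    while queue:
        nxt = queue.popleft()
        if nxt in seen or nxt not in inventory:  # unknown peers are an inventory gap
            continue
        seen.add(nxt)
        queue.extend(inventory[nxt]["talks_to"])
    return seen


def triage(inventory, today):
    """Rank unsupported (and unverified) hosts by the business value a compromise could reach."""
    findings = []
    for host, rec in inventory.items():
        status = support_status(rec["platform"], today)
        if status == "supported":
            continue
        downstream = reachable_from(host, inventory)
        exposure = rec["business_value"] + sum(inventory[h]["business_value"] for h in downstream)
        eos = END_OF_SUPPORT.get(rec["platform"])
        findings.append({
            "hostname": host,
            "platform": rec["platform"],
            "status": status,
            "days_unsupported": (today - eos).days if eos else None,
            "downstream": sorted(downstream),
            "exposure": exposure,
        })
    return sorted(findings, key=lambda f: f["exposure"], reverse=True)


if __name__ == "__main__":
    for f in triage(load_inventory(SAMPLE_INVENTORY), AS_OF):
        print(f"{f['hostname']:<15} {f['platform']:<22} {f['status']:<12} "
              f"{str(f['days_unsupported']):>5}d  exposure={f['exposure']:>2}  "
              f"reaches={','.join(f['downstream']) or '-'}")
```

The ranking deliberately puts the low-value lobby kiosk near the top: on its own it is worth little, but its link to the order-processing host makes it a path to the customer database, which is exactly the "what do they communicate with" point the article raises. Platforms missing from the lifecycle table are reported as unknown rather than silently treated as supported, since an unverified lifecycle is itself a gap in the inventory.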
