Most of the attacks on workstations and servers are carried out via breaches for which a patch has already been issued. WannaCry, ransomware from 2017, is one of the best-known examples of this. The implementation of patches is therefore still one of the best defensive measures in cyber-security. But what if security updates are no longer available? Every couple of years we are dealing with the expiry of support cycles of hardware and software manufacturers worldwide. Microsoft Windows is, perhaps, the best-known example of it. In 2014, this was picked up widely with Windows XP, and at the beginning of this year, the expiry of support for Windows 7 was also highlighted extensively.
The most obvious option is to replace the aged software with a newer version that is supported with patches and updates. But this is easier said than done and this is mostly related to available time and available budget.
Three examples why replacement is not that easy:
It is not an individual PC, but the PC is part of a technical installation.
Medical equipment, e.g. a CT or MRI scanner, is usually delivered with its own PC and operating system. They are inextricably connected and the replacement of the one also implies the replacement of the other. The financial and technical life cycle of the equipment is usually longer than that of the also delivered PC. The test procedures for replacement of this kind of equipment is also a long and labour-intensive process. Comparable challenges can also be observed in process automation where technical installations occasionally remain active for 30 years and where an installation can occasionally be unique to a single business or business process.
Dependence on software
It still occurs fairly often that software is being used that can no longer be updated because the supplier no longer exists or because the employee who developed it has left the employment. If these applications are sufficiently business specific, then the replacement of this software is very difficult without – occasionally rigorous – adjustments of working methods.
Complex IT landscape
Within official authorities, standardisation is applied as much as possible in terms of a single operating system on which all applications run. For many municipalities this regards hundreds of applications. The replacement of the operating system means testing all these hundreds of applications on the new operating system. Often, the testing shows that a number of applications need to be replaced. A project of many months and many hundreds of man-hours.
Instead of looking at the (im)possibilities of replacing the aged systems, in this blog we address the possibilities of handling these kinds of situations. Not to remove the problem – in time replacement will still be the best solution – but to bridge the interval in a secure manner. The approach for this is the reduction of risks by reducing either the chance or the impact.
Network segmentation, where the vulnerable parts only have the network access that is strictly required, assists in reducing risks. The chance that a properly isolated system is infected is smaller. Because of the segmentation, the impact on other parts of the network is also smaller. Because vulnerabilities can also move laterally in a network, separation from the internet alone is not enough; network segmentation is also a best practice internally. For aged systems it is important to make this segmentation even more intricate. With Network Access Control you prevent other equipment from having (unintentional) access to a network (segment). This way, you always maintain insight into what equipment is active in what segment.
Despite the imposed measures, e.g. a virus scanner and the aforementioned network segmentation, it may be that vulnerable systems are attacked or compromised. In these situations, it is important that this is recognised as soon as possible; only then can you intervene to reduce the impact. Good threat intelligence that can be applied without dependence on the aged system is indispensable in this respect. The protection at network level and not on the host itself is thus a logical choice.
Finally, it is important to properly deal with detected vulnerabilities. The chance that aged software is attacked is considerable; by intervening on a compromised piece of equipment in a fast and automated manner you prevent escalation. This way, you reduce the impact further and therefore also the effect on your business operations. In this respect, it is of paramount importance that the way of intervention is in line with the business operations. What action can be taken for what components in order to have as few adverse effects on the business operations as possible? This can vary from isolation on a network, the alarming of those responsible, or manipulation of a process via an API. It is important that the measure is in line with the business operations.
With the addition of protection at network level, the risk brought about by aged systems can be reduced. This way, you can work on the replacement of these systems at your own pace.