By Kyle Barnes | Penetration Tester at Nettitude
Penetration Testing is an important tool in any organisation’s security arsenal. There are various types of Pen Testing, ranging from network scans and web application tests to social engineering and red team engagements. One of the most important aspects of Penetration Testing is examining Legacy Systems and legacy software. Older technologies have been available for researchers and cybercriminals to scrutinise for longer, which is one reason why they often contain more known vulnerabilities. And if cybersecurity experts know about these vulnerabilities, there is a very good chance that cybercriminals do too. Legacy Systems, whether within an internal network or publicly facing, are often the first targeted and can lead to a devastating attack.
Here’s what you need to know about protecting your Legacy System…
What is a Legacy System?
For our purposes, a Legacy System is any system that is currently in use within your enterprise which has reached end of life for support. Any Legacy System that currently is accessible to users or accessible via your network can be included in this bracket.
Windows XP was released in 2001, and was one of the most widely used operating systems across any business. Official support ended for Windows XP in 2014, meaning it had reached “End of Life” (EOL) and would not receive any further security updates from Microsoft. Windows XP currently has over 200 known critical vulnerabilities (CVSS score 9.0 and above), many of which were discovered after official support had ended. Searching for “Windows XP” on Shodan shows over 12,000 results.
So why are there so many of these extremely vulnerable Legacy Systems still in use?
Why do we still use Legacy Systems?
Legacy Systems often exist because they are too hard to replace. Perhaps a bespoke, business-critical piece of software was designed for a Legacy System and is still required daily. Sometimes, due to their age, key technical specifications are missing, which makes them hard to replace.
Integrating your Legacy System into a secure network
Legacy System integration into a secure network can reduce the security posture of an entire organisation. However, this does not just apply to Windows operating systems. Detailed below are some examples of how Legacy Systems are used today, and why they can present substantial risk to an organisation:
- Legacy Systems using simple terminals such as MS-DOS appear more secure than modern applications because of a lack of functionality. The terminal has little processing power, and user interaction is limited by the system.
- Once the desktop computer became popular, system developers started building systems focused on the desktop. These systems used the computing power of the machine itself, installing applications and software which may also contain vulnerabilities.
- Utilising a web browser for processing has become increasingly popular, but the principle remains the same. A browser makes a request to a web server, and the web server responds with the specific page. The browser’s request can contain information that it wants the web server to retain indefinitely, such as password change requests, orders and so on.
- Systems using web browsers are extremely common within many large businesses. Some are public facing and accessible from the internet. Others are hosted on an internal network, with stringent security controls to prevent sensitive information being disclosed.
What is the benefit of Pen Testing your Legacy System?
Identifying, testing and patching Legacy Systems on networks with hundreds or thousands of machines can seem an impossible task. Penetration Testing shows its real value in these scenarios. A skilled consultant can assess networks to find vulnerable Legacy Systems, examine the risk that they pose to the business and formulate a plan of action. This can be difficult, as removing or mitigating the risk from any Legacy System carries significant overhead. Options include segregating the machine into its own portion of the network to prevent access by unknowing users, changing configurations to harden the Legacy System, or identifying security patches which can be used to improve the robustness of the Legacy System’s security.
After a Penetration Test is complete, the organisation can work on remediation efforts and evaluate how best to address the presence of legacy or vulnerable systems or components. Not only does this allow a business the opportunity to make immediate improvements, but also allows a priority list to be developed, highlighting the most dangerous network components (often Legacy Systems) so changes can be made incrementally with the least business overhead.
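As an added illustration of how such a priority list can be built (example code, not Nettitude’s or the original post’s), the script below takes a constructed host inventory, flags systems whose operating system is past its vendor end-of-life date, and ranks them by exposure and known critical vulnerability count. The inventory lines, the weighting and the small EOL table are assumptions; the EOL dates themselves are the vendor’s published ones.

```python
from datetime import date

# Vendor end-of-life dates (assumption: a real inventory tool would load
# this from vendor lifecycle data). Windows XP support ended 8 April 2014.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed inventory: hostname | operating system | exposure | known
# critical CVEs (CVSS 9.0 and above) for that OS.
INVENTORY = """\
hr-term-01|Windows XP|internal|200
web-legacy-02|Windows Server 2003|public|150
desk-14|Windows 10|internal|12
"""


def parse_inventory(text):
    """Turn the pipe-separated inventory into a list of host records."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, os_name, exposure, crit = (f.strip() for f in line.split("|"))
        hosts.append({"host": name, "os": os_name,
                      "exposure": exposure, "critical_cves": int(crit)})
    return hosts


def is_eol(os_name, today):
    """True when the OS has a known EOL date that has already passed."""
    eol = EOL_DATES.get(os_name)
    return eol is not None and eol <= today


def risk_score(host, today):
    """Constructed weighting: critical CVE count, doubled for EOL systems
    and tripled again for anything reachable from the internet."""
    score = host["critical_cves"]
    if is_eol(host["os"], today):
        score *= 2
    if host["exposure"] == "public":
        score *= 3
    return score


def prioritise(text, today=None):
    """Return (host, os, eol_flag, score) tuples, most dangerous first."""
    today = today or date.today()
    hosts = parse_inventory(text)
    ranked = sorted(hosts, key=lambda h: risk_score(h, today), reverse=True)
    return [(h["host"], h["os"], is_eol(h["os"], today), risk_score(h, today))
            for h in ranked]
```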
Ready to act?
Legacy systems can pose a whole host of security risks; if you don’t act, you are essentially leaving your front door open for anyone to come inside. As an active member of CREST, Nettitude are able to provide leading Penetration Testing services, delivered by our in-house trusted experts who have considerable experience working with legacy systems.