With IT budgets being squeezed in the tough economic climate, many companies will be forced to think about improving the security of their legacy systems, Benjamin Jun told delegates.
But IT professionals must avoid trying to patch up legacy systems that are clearly at the end of their working lives. “If you are being hacked regularly, your system looks like spaghetti, and you have the money, for goodness' sake start over,” said Jun, technology VP at Cryptography Research Inc.
Legacy systems, particularly those supporting customer transactions such as credit card payments, are facing tough challenges from new end user devices, said Jun. Mobile platforms are a concern because their technology is increasingly generic, and mobile operating systems can be easier to compromise than other devices, he said.
However, there are incremental changes IT security professionals can make to legacy systems that will reduce vulnerabilities, and contain breaches if they do occur, said Jun, who has experience in pay TV and mobile phone security.
The first step in a security revamp is to consider how the most serious security concerns can be tackled within the existing technology infrastructure, and it has to be remembered that changes made now may affect what changes can be made later, said Jun.
It is essential to refresh security documentation for the revamped system, paying particular attention to ambiguity and complexity; otherwise important security decisions could be pushed too far downstream. Clear definitions of protocols, data structures, and state machines should be included, he said.
Certain database fields can be encrypted to limit the damage of data theft should it occur, he said. A transaction handler and an audit server are sensible additions, but effective audits of data need judgment or they can become too time-consuming. Overall, it is important to prioritise tasks. “Focus on what's hard to change later, maximise the return on the effort,” said Jun.
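The field-level encryption Jun recommends, as an added illustration (this is not code from the talk or from Cryptography Research): only the card number in a constructed payments row is encrypted with AES-GCM, the last four digits stay readable for receipts, and the ciphertext is bound to its customer ID so a stolen copy of the table exposes nothing chargeable and a ciphertext moved between rows no longer decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// CardRecord is a constructed stand-in for one row of a legacy payments table. Only the card
// number (PAN) is encrypted; customer ID and last four digits stay in clear so lookups still work.
type CardRecord struct {
	CustomerID, Last4, PANCipher string // PANCipher = base64(nonce || AES-GCM ciphertext+tag)
}

// Vault holds the field key (16, 24 or 32 bytes); keep it in a key store, not in the same database.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Vault{gcm}, err
}

// SealPAN encrypts pan and binds the ciphertext to customerID as associated data, so a
// ciphertext copied into another customer's row fails to decrypt instead of yielding a card.
func (v *Vault) SealPAN(customerID, pan string) (CardRecord, error) {
	if len(pan) < 4 {
		return CardRecord{}, errors.New("PAN too short")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(customerID))
	return CardRecord{customerID, pan[len(pan)-4:], base64.StdEncoding.EncodeToString(ct)}, nil
}

// OpenPAN decrypts a record; it fails if the ciphertext, its tag or the row binding changed.
func (v *Vault) OpenPAN(rec CardRecord) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(rec.PANCipher)
	if n := v.aead.NonceSize(); err == nil && len(ct) >= n {
		pt, err := v.aead.Open(nil, ct[:n], ct[n:], []byte(rec.CustomerID))
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}
```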