With IT budgets being squeezed in the tough economic climate many companies will be forced to think about improving the security of their legacy systems, Benjamin Jun, told delegates.
But IT professionals must avoid trying to patch up legacy systems that are clearly at the end of their working lives. “If you are being hacked regularly, your system looks like spaghetti, and you have the money, for goodness sake start over,” said Jun, technology VP at Cryptography Research Inc.
Legacy systems, particularly those supporting customer transactions such as credit card payments, are facing tough challenges from new end user devices, said Jun. Mobile platforms are a concern because their technology is increasingly generic, and mobile operating systems can be easier to compromise than other devices, he said.
However, there are incremental changes IT security professionals can make to legacy systems that will reduce vulnerabilities, and contain breaches if they do occur, said Jun, who has experience in pay TV and mobile phone security.
The first step in a security revamp is to see consider how the most serious security concerns can be tackled within the existing technology infrastructure, and it has to be remembered that changes made now may affect what changes can be made later, said Jun.
It is essential to refresh security documentation for the revamped system, paying particular attention to ambiguity and complexity otherwise important security decisions could be pushed too far downstream. Clear definitions of protocols, data structures, and state machines should be included, he said.
Certain database fields can be encrypted to limit the damage of data theft should it occur, he said. A transaction handler and an audit server are sensible additions, but effective audits of data need judgment or they can become too time-consuming. Overall, it is important to prioritise tasks. “Focus on what it what's hard to change later, maximise the return on the effort,” said Jun.