If this sounds familiar, we have some ammunition for you. Just whisper 'Equifax hack' and you may soon have your company's key decision makers' attention. Last month the credit monitoring company went public on a massive data breach that compromised 143 million US consumer accounts and 400,000 UK residents. Where did the breach originate? Through a web-application vulnerability for which a patch was already available.
The Apache Struts project, which maintains the web-application framework in question, disclosed that vulnerability in March and offered a patch, advice and instructions to all users. René Gielen, vice president of Apache Struts, said, "Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years."
While this may have been an oversight or the result of lax cyber-security procedures, the breach highlights a particular problem. Not only do legacy systems increase the risk of a cyber-attack because of bugs and vulnerabilities that go unpatched, but hackers are increasingly looking to exploit exactly these flaws.
How hackers exploit legacy systems
If a software company has disclosed a vulnerability and issued a patch, you can bet that there are hackers already targeting companies that use that software. They know that patching vulnerabilities can take time; many businesses and organisations have policies that mean patches need to be tested before they can be installed. Moreover, there will be some who don't get round to it for one reason or another, giving hackers plenty of opportunity to breach their systems.
Legacy systems can also have inherent security issues, such as default or hardcoded passwords. These predate our current cyber-threat landscape – in some cases even the Internet itself – and hark back to a time when personal data didn't have the currency it has today. These are typically privileged passwords, as they grant high-level access, and often companies don't even know they exist. This means that they also don't know when they are used, until something goes wrong.
Hackers can find these passwords easily, as they were often included in product documentation, and lists of them can be readily bought online. Even software that predates the cloud can be vulnerable if it is now connected to the Internet through your IT infrastructure and network. The ever-evolving threat landscape also means that cyber-security solutions themselves can provide criminals with an opportunity. If the tools being deployed are not robust enough, there may be gaps in your security protection. New threats are constantly being developed to exploit these gaps, gaps that legacy cyber-security software was never designed to protect against.
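The first step against the default and hardcoded passwords described above is simply knowing where they are. The following is an added example, not code from the article or from Invinsec: a small scanner that reads INI/properties-style configuration text and flags password values that match a list of vendor defaults or are obviously weak. The configuration text, the default-credential list and the key names are all constructed for illustration; in practice the default list is populated from your own product documentation and asset inventory.

```python
"""Flag credentials in configuration files that match known vendor defaults
or obviously weak values. Added example; all data below is constructed."""
import re
from typing import List, NamedTuple, Optional

# Constructed (username, password) defaults for this example only.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("service", "changeme"),
}
# Placeholder or trivially guessable values, regardless of the account name.
WEAK_VALUES = {"password", "changeme", "123456", "default", ""}

# Keys that typically carry a password or a username in INI-style config.
PASSWORD_KEY = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:pass(?:word|wd)?|pwd|secret))\s*[=:]\s*(.*?)\s*$", re.IGNORECASE)
USER_KEY = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:user(?:name)?|login))\s*[=:]\s*(.*?)\s*$", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    key: str
    reason: str


def scan_config(text: str) -> List[Finding]:
    """Return one Finding per suspicious password line in the config text."""
    findings: List[Finding] = []
    last_user: Optional[str] = None  # most recent username in the current [section]
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop trailing comments
        if line.strip().startswith("["):
            last_user = None  # new section: forget the previous username
            continue
        m = USER_KEY.match(line)
        if m:
            last_user = m.group(2).strip("\"'")
            continue
        m = PASSWORD_KEY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if value.startswith("${") and value.endswith("}"):
            continue  # injected from the environment or a secret store, not hardcoded
        if last_user is not None and (last_user.lower(), value.lower()) in KNOWN_DEFAULTS:
            findings.append(Finding(n, key, f"vendor default credential for user '{last_user}'"))
        elif value.lower() in WEAK_VALUES:
            findings.append(Finding(n, key, "weak or placeholder password"))
        elif len(value) < 8:
            findings.append(Finding(n, key, "password shorter than 8 characters"))
    return findings


# Constructed sample configuration; not taken from any real system.
SAMPLE_CONFIG = """
# constructed sample, not a real system
[database]
user = appsvc
password = ${DB_PASSWORD}

[legacy_scada]
username = admin
password = admin

[backup_agent]
login = service
passwd = changeme

[telemetry]
api_secret = s3cr3t
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.key}: {f.reason}")
```

Running the block against the constructed sample reports the SCADA section's admin/admin pair, the backup agent's service/changeme pair and the short telemetry secret, while the database password pulled from the environment is left alone. Point the same function at exported configuration from each legacy host and the output becomes the inventory of privileged credentials you did not know you had.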
As the Equifax hack demonstrates, if you use legacy systems, they must be part of your proactive cyber-security and data protection procedures. This should involve a clear understanding of the risk of an attack and the potential damage should one occur, the types of threat the software is vulnerable to, and what solutions are being used to protect it. Threat monitoring tools should be part of this solution, alerting you to any attempts to hack your systems and identifying the biggest risks to your business.
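The "clear understanding of the risk" called for above starts with a measurable question: which deployed components have a published fix they have not yet received, and for how long? The following is an added example, not the article's or Invinsec's code, showing a patch-lag check that joins an asset inventory against vendor advisories and ranks the unpatched, Internet-facing systems first. The hosts, component names, version numbers, advisory ids (ADV-EXAMPLE-...) and dates are all constructed placeholders.

```python
"""Compare deployed component versions against published advisories and
report what is still unpatched, for how long, and whether it faces the
Internet. Added example; all inventory and advisory data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically
    rather than lexically ('2.3.9' must sort below '2.3.32').
    Assumes purely dotted-numeric versions."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    component: str
    advisory_id: str      # placeholder ids in this example; use the vendor's own
    published: date
    affected_max: str     # highest affected version
    fixed_version: str    # first version carrying the fix
    severity: str


@dataclass
class Asset:
    host: str
    component: str
    version: str
    internet_facing: bool


@dataclass
class Exposure:
    host: str
    component: str
    version: str
    advisory_id: str
    severity: str
    days_unpatched: int
    internet_facing: bool


def find_exposures(assets: List[Asset], advisories: List[Advisory], today: date) -> List[Exposure]:
    """An asset is exposed if it runs an affected version of a component for
    which a fix has been published that it has not yet received."""
    out: List[Exposure] = []
    for a in assets:
        v = parse_version(a.version)
        for adv in advisories:
            if adv.component != a.component:
                continue
            if v <= parse_version(adv.affected_max) and v < parse_version(adv.fixed_version):
                out.append(Exposure(a.host, a.component, a.version, adv.advisory_id,
                                    adv.severity, (today - adv.published).days,
                                    a.internet_facing))
    # Internet-facing hosts with the oldest advisories first: that is where
    # attackers scanning for a known, patched flaw will look first.
    out.sort(key=lambda e: (not e.internet_facing, -e.days_unpatched))
    return out


# Constructed inventory and advisories for illustration only.
ASSETS = [
    Asset("web01", "webframework", "2.3.30", internet_facing=True),
    Asset("web02", "webframework", "2.3.32", internet_facing=True),
    Asset("intranet01", "webframework", "2.3.28", internet_facing=False),
    Asset("db01", "dbserver", "11.2", internet_facing=False),
]
ADVISORIES = [
    Advisory("webframework", "ADV-EXAMPLE-001", date(2017, 3, 1), "2.3.31", "2.3.32", "critical"),
    Advisory("dbserver", "ADV-EXAMPLE-002", date(2017, 6, 15), "11.1", "11.2", "high"),
]
TODAY = date(2017, 9, 15)  # constructed reference date

if __name__ == "__main__":
    for e in find_exposures(ASSETS, ADVISORIES, TODAY):
        where = "INTERNET-FACING" if e.internet_facing else "internal"
        print(f"{e.host}: {e.component} {e.version} unpatched {e.days_unpatched} days "
              f"against {e.advisory_id} ({e.severity}, {where})")
```

On the constructed data the report lists web01 (Internet-facing, 198 days behind a critical advisory) ahead of intranet01, and is silent about web02 and db01, which already run the fixed versions. Fed from a real inventory and advisory feed, the same output is the list a threat-monitoring process should be watching most closely, because those are the hosts the attackers described earlier are already looking for.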
Contributed by Ian McGregor, CRO at Invinsec
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.