Checklist for supporting legacy systems and applications
The chances are, if your organisation has been in existence for a few years, you will have some legacy systems or applications running somewhere on your network. Although best practice says that you should look to upgrade, migrate or replace older systems, the reality is that many organisations will continue to run them even though they know that they pose a security risk.
If you are running unsupported systems or applications within your organisation then ideally you should be planning to replace them. If that isn’t possible or feasible, then at the very least you should be looking to minimise the security risk that legacy systems pose to the other systems on your network. Although we are providing a suggested list of actions we recommend you take, it isn’t meant to be exhaustive, nor is it in any way intended to encourage the continued use of unsupported systems. Unsupported systems will always pose more of a risk than supported ones, so our checklist is all about mitigation.
1. Isolate the risk
Where possible, unsupported legacy systems should be run in isolation, with the minimum amount of connectivity to the Internet or to other supported applications.
You should consider running the unsupported system on a separate part of your network and ensure that access to it is tightly controlled by a firewall. This will help to limit the collateral damage which the unsupported system can cause should it be compromised.
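As an added example (not from the original article, and not any vendor's own configuration), the script below generates an nftables ruleset that confines a legacy host in the way the two paragraphs above describe: everything is dropped by default in both directions, only the application's port is reachable and only from the client subnet, only the management subnet can reach SSH/RDP, only the backup server can connect in, and the host itself can initiate nothing outbound except DNS and NTP to an internal resolver. The port number, the subnets, the backup server and the resolver address 10.0.0.53 are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates an nftables
# ruleset that confines a legacy host. All addresses and ports are
# constructed placeholders; adjust them to your own network.
#
# Design: default-deny in both directions, so a compromised legacy box can
# neither be reached from, nor reach out to, anything it has no business with.

INTERNAL_RESOLVER="10.0.0.53"   # assumed internal DNS/NTP host

# legacy_ruleset SERVICE_PORT CLIENT_CIDR MGMT_CIDR BACKUP_HOST
# Prints a complete nftables ruleset to stdout.
legacy_ruleset() {
    service_port="$1"   # the one TCP port the legacy application serves
    client_cidr="$2"    # subnet whose users may use that service
    mgmt_cidr="$3"      # subnet allowed to administer the host (SSH/RDP)
    backup_host="$4"    # backup server allowed to connect in over SSH (pull model)
    cat <<EOF
flush ruleset
table inet legacy {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        # application users: only the service port, only from the client subnet
        ip saddr $client_cidr tcp dport $service_port accept
        # administration and pull-mode backups from named sources only
        ip saddr $mgmt_cidr tcp dport { 22, 3389 } accept
        ip saddr $backup_host tcp dport 22 accept
        # everything else is logged so the drops show up in monitoring
        log prefix "legacy-input-drop " counter drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # the host may initiate nothing but DNS and NTP, and only to the resolver
        ip daddr $INTERNAL_RESOLVER udp dport { 53, 123 } accept
        log prefix "legacy-output-drop " counter drop
    }
}
EOF
}

# write_ruleset FILE: write the ruleset for this site's (constructed) values
# and print the file name. Apply it with `nft -f FILE` as root; the script
# deliberately does not apply anything itself.
write_ruleset() {
    legacy_ruleset 8080 10.0.20.0/24 10.0.50.0/24 10.0.60.10 > "$1"
    echo "$1"
}

# Usage: sh legacy-nft.sh write /etc/nftables.d/legacy.nft
if [ "${1:-}" = "write" ]; then
    write_ruleset "${2:-legacy.nft}"
fi
```

The logged drop counters are the useful by-product: once the ruleset is in place, any "legacy-output-drop" entry in the firewall log means the legacy host tried to open a connection it never should, which is exactly the signal item 6 of this checklist is after.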
2. Watch out for security updates
Even though an operating system may no longer be officially supported, vendors do still occasionally offer one-off security updates if a very dangerous exploit is uncovered.
In 2017, following the WannaCry ransomware attack, Microsoft released an out-of-band security update for end-of-life products, so it is worth keeping an eye out for similar patches from other vendors.
3. Consider using a content delivery network (CDN)
If your unsupported system is Internet facing then it is at much greater risk. It is not unusual to find older systems still running the insecure HTTP protocol rather than HTTPS. It is not always straightforward to implement HTTPS on an older application, but you can put a Content Delivery Network (CDN) in front of it, which will provide some additional protection, particularly for your application data in transit. Bear in mind that the CDN terminates HTTPS on the user's side: unless the origin server is also given a certificate, the leg between the CDN and your application is still plain HTTP, so keep it on a private network and only accept origin connections from the CDN's own addresses.
We would suggest Cloudflare as an affordable option for adding security to your online applications generally. Another advantage is that implementing a CDN does not require any changes to the application it is protecting.
4. Take regular backups
This one is so obvious that you are no doubt thinking of skipping on to the next item – however, we cannot stress enough the importance of taking regular backups, particularly when you are running unsupported systems or applications.
In addition to daily full and incremental backups, we would also recommend taking a weekly snapshot of the complete server. This will reduce the time needed to recover from a server failure or security incident.
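As an added example (not from the original article), here is a small backup script that implements the schedule just described for a legacy application's data directory: a full archive once a week, change-only archives on the other days, a hook for the weekly whole-server snapshot, retention, and a read-back of every archive it writes. SRC, DEST, KEEP_DAYS and SNAPSHOT_HOOK are assumed, site-specific values; the "incremental" archives contain every file changed since the last full backup (strictly a differential backup), which keeps a restore down to one full archive plus one incremental.

```shell
#!/bin/sh
# Added example, not from the original article: daily full/incremental
# backups of a legacy application's data directory, with a hook for the
# weekly whole-server snapshot and simple retention. SRC, DEST, KEEP_DAYS
# and SNAPSHOT_HOOK are assumed, site-specific values.
#
# DEST must be on a separate host or mounted share that the legacy box
# cannot overwrite: backups stored on the compromised machine are the
# first thing ransomware destroys.

SRC="${SRC:-/srv/legacy-app}"
DEST="${DEST:-/mnt/backup/legacy-app}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# kind_for_day WEEKDAY (0 = Sunday, as printed by `date +%w`)
# Full backup once a week, incrementals on the other days.
kind_for_day() {
    case "$1" in
        0) echo full ;;
        *) echo incremental ;;
    esac
}

# take_backup full|incremental
# Prints the path of the archive written (nothing if there was nothing to do).
# Incrementals hold every file changed since the last full backup, so a
# restore needs only the last full archive plus the latest incremental.
take_backup() {
    kind="$1"
    stamp="$DEST/.last-full"
    mkdir -p "$DEST"
    [ -f "$stamp" ] || kind=full        # no baseline yet: force a full backup
    ts=$(date +%Y%m%d-%H%M%S)
    archive="$DEST/$kind-$ts.tar.gz"
    if [ "$kind" = full ]; then
        tar -czf "$archive" -C "$SRC" .
        touch "$stamp"                   # marker: everything up to now is in a full
    else
        list="$DEST/.changed-$ts"
        ( cd "$SRC" && find . -type f -newer "$stamp" ) > "$list"
        if [ ! -s "$list" ]; then
            rm -f "$list"
            echo "no files changed since the last full backup" >&2
            return 0
        fi
        tar -czf "$archive" -C "$SRC" -T "$list"
        rm -f "$list"
    fi
    # Read the archive back: a backup that cannot be listed cannot be restored.
    tar -tzf "$archive" > /dev/null
    echo "$archive"
}

# prune_old: delete archives older than KEEP_DAYS.
prune_old() {
    find "$DEST" -name '*.tar.gz' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# run_daily: what cron calls once a day. On full-backup days it also runs
# SNAPSHOT_HOOK, e.g. your hypervisor's snapshot command (assumed, site-specific),
# so the weekly whole-server snapshot lands on the same day as the full backup.
run_daily() {
    kind=$(kind_for_day "$(date +%w)")
    take_backup "$kind"
    if [ "$kind" = full ] && [ -n "${SNAPSHOT_HOOK:-}" ]; then
        $SNAPSHOT_HOOK
    fi
    prune_old
}

# Usage from cron:  30 2 * * *  SRC=/srv/legacy-app DEST=/mnt/backup/legacy-app sh backup.sh daily
if [ "${1:-}" = "daily" ]; then
    run_daily
fi
```

The read-back at the end of take_backup is the step most often skipped: it costs a few seconds and catches truncated or corrupt archives on the day they are written rather than on the day you need them. A periodic restore into a scratch directory is the only real proof, and is worth scheduling alongside the weekly full.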
5. Consider using an Application Firewall
An Application Firewall provides another layer of protection for Internet-facing unsupported systems and applications. It can offer greater protection against specific threats by allowing administrators to define custom rules which mitigate specific known vulnerabilities. For example, if an application has a known vulnerability which can be targeted by sending a specifically crafted URL, the application firewall can have a rule designed to identify such requests and block them before they reach your application.
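To show what such a rule actually has to do, here is an added example (not from the original article, and not any firewall product's own rule syntax): a stand-alone request check that mirrors a "virtual patch" rule, decoding the request path once, refusing path traversal and double-encoded requests outright, and only letting a numeric id through to a hypothetical legacy endpoint /legacy/report.cgi. The endpoint and its id parameter are constructed for illustration; in production the same logic would be expressed as a rule in the application firewall, not as a shell script.

```shell
#!/bin/sh
# Added example, not from the original article. A stand-alone request check
# that does what a virtual-patch rule in an application firewall does: decode
# the request path, then refuse anything that matches a known-bad shape
# before it reaches the legacy application. The endpoint /legacy/report.cgi
# and its id parameter are constructed for illustration.

# urldecode STRING: decode %XX sequences once (POSIX awk, no bash-only printf).
urldecode() {
    printf '%s\n' "$1" | awk '
    function hexval(h,    i, c, v) {
        v = 0
        for (i = 1; i <= length(h); i++) {
            c = tolower(substr(h, i, 1))
            v = v * 16 + index("0123456789abcdef", c) - 1
        }
        return v
    }
    {
        s = $0; out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1) sprintf("%c", hexval(substr(s, RSTART + 1, 2)))
            s = substr(s, RSTART + RLENGTH)
        }
        print out s
    }'
}

# waf_check PATH: returns 0 to allow, 1 to block; prints the decision and the
# rule that fired so it can be logged alongside the request.
waf_check() {
    raw="$1"
    path=$(urldecode "$raw")

    # Rule 1: match on the decoded path, so %2e%2e%2f and ../ are the same
    # thing. Anything still encoded after one pass is double-encoded and is
    # refused rather than decoded again (fail closed).
    case "$path" in
        *../*)                      printf 'block rule=traversal path=%s\n' "$raw"; return 1 ;;
        *%[0-9A-Fa-f][0-9A-Fa-f]*)  printf 'block rule=double-encoding path=%s\n' "$raw"; return 1 ;;
    esac

    # Rule 2: virtual patch for one endpoint. The legacy report script is only
    # ever called with a numeric id, so anything else never reaches it.
    case "$path" in
        /legacy/report.cgi\?*)
            query=${path#*\?}
            id=$(printf '%s\n' "$query" | tr '&' '\n' | sed -n 's/^id=//p' | head -n 1)
            case "$id" in
                ''|*[!0-9]*) printf 'block rule=report-id path=%s\n' "$raw"; return 1 ;;
            esac ;;
        /legacy/report.cgi)         printf 'block rule=report-id path=%s\n' "$raw"; return 1 ;;
    esac

    printf 'allow path=%s\n' "$raw"
    return 0
}
```

Two design points carry over to whatever firewall you use. First, rules must match against the decoded request, otherwise a trivially re-encoded URL walks straight past them. Second, a virtual patch for a legacy endpoint should describe what valid input looks like (here, a numeric id) rather than enumerate bad input, because the list of bad inputs is never complete.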
6. Monitor use and activity
Unsupported systems and applications need to be more closely monitored than fully supported ones. Simply monitoring the activity levels of the host server can give an immediate indication that all may not be well and that the unsupported system could be under attack.
There are several cloud-based monitoring services available, such as Pingdom.
For more in-depth monitoring of the underlying operating system and disk space usage, consider running a separate monitoring application within your environment. We would suggest taking a look at IPSentry as a potential candidate.
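As an added example of the kind of activity-level check described above (not from the original article, and not code from Pingdom or IPSentry), the script below runs from cron on a separate monitoring machine, buckets a web access log per minute and flags minutes whose request rate or 404/5xx share is abnormal, checks filesystem usage from `df -P`, and probes the application's front page with curl. The thresholds are constructed defaults, the log lines in sample_log are constructed, and the log path and LEGACY_URL are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: activity-level checks for a
# legacy host, meant to run from cron on a separate monitoring machine and
# page someone when a threshold is breached. Thresholds are constructed
# defaults; the sample log lines are constructed too.

MAX_REQ_PER_MIN="${MAX_REQ_PER_MIN:-100}"   # requests/minute above the host's normal level
MAX_ERR_PCT="${MAX_ERR_PCT:-20}"            # % of 404/5xx responses in a minute
MAX_DISK_PCT="${MAX_DISK_PCT:-90}"          # % filesystem usage

# access_log_alerts < access.log
# Buckets a combined-format web log per minute and prints one ALERT line for
# each minute whose request rate or 404/5xx share is above threshold. A burst
# of 404s is what a scanner probing for old paths looks like; a burst of 5xx
# is what a failing legacy process looks like.
access_log_alerts() {
    awk -v maxreq="$MAX_REQ_PER_MIN" -v maxerr="$MAX_ERR_PCT" '
    {
        minute = substr($4, 2, 17)      # "[10/Oct/2023:13:55:36" -> "10/Oct/2023:13:55"
        status = $9 + 0
        total[minute]++
        if (status == 404 || status >= 500) bad[minute]++
    }
    END {
        for (m in total) {
            pct = 100 * bad[m] / total[m]
            if (total[m] > maxreq) printf "ALERT rate %s %d req/min\n", m, total[m]
            if (pct > maxerr)      printf "ALERT errors %s %.0f%% 404/5xx\n", m, pct
        }
    }'
}

# disk_alerts: reads `df -P` output on stdin, one ALERT line per full filesystem.
disk_alerts() {
    awk -v max="$MAX_DISK_PCT" 'NR > 1 {
        pct = $5; sub(/%/, "", pct)
        if (pct + 0 > max) printf "ALERT disk %s %s%% used\n", $6, pct
    }'
}

# sample_log: constructed combined-format log with a quiet minute (13:55), a
# 404 burst from one address (13:56) and a minute with a high 503 share (13:57).
sample_log() {
    i=0
    while [ $i -lt 3 ]; do
        echo "10.0.20.5 - - [10/Oct/2023:13:55:0$i +0000] \"GET /index.html HTTP/1.1\" 200 512 \"-\" \"Mozilla\""
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 120 ]; do
        echo "203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] \"GET /old/page$i.html HTTP/1.1\" 404 162 \"-\" \"scanner\""
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 10 ]; do
        if [ $i -lt 5 ]; then s=503; else s=200; fi
        echo "10.0.20.7 - - [10/Oct/2023:13:57:30 +0000] \"POST /legacy/report.cgi HTTP/1.1\" $s 0 \"-\" \"Mozilla\""
        i=$((i + 1))
    done
}

# run_checks: what cron runs. Feed only recent log lines (here the last 5000)
# so old incidents are not re-alerted every run. Log path and URL are assumed.
run_checks() {
    df -P | disk_alerts
    if [ -r /var/log/legacy/access.log ]; then
        tail -n 5000 /var/log/legacy/access.log | access_log_alerts
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "${LEGACY_URL:-http://legacy.internal:8080/}" || echo 000)
    [ "$code" = 200 ] || echo "ALERT http status $code from legacy front page"
}

# Usage from cron:  */5 * * * *  sh legacy-checks.sh run | mail -s "legacy alerts" ops
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

The thresholds only mean something once you know the host's normal level, so run the checks for a week in report-only mode first and set MAX_REQ_PER_MIN a comfortable margin above the busiest minute you observe. Pair this with the firewall's logged drops from item 1: a 404 burst in the web log and a run of "legacy-output-drop" entries in the same minute is a much stronger signal than either alone.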
7. Consider building a new front end interface
It may be feasible to replace the existing unsupported application interface with a new one built using supported technologies. This could potentially offer the most secure way of continuing to run your unsupported system behind the scenes, with all access going via the newly built, supported interface.
Running unsupported systems and applications should always be considered high risk and only be done as a last resort. Ideally you will replace systems and applications before they become unsupported, but we live in the real world. There is no guaranteed way of continuing to run unsupported systems and applications securely; however, implementing some of our suggestions will certainly help to mitigate some vulnerabilities.
If you have a Cyber Insurance policy in place, you will probably find that it does not cover you for unsupported systems and applications being compromised, and you may be at risk of invalidating the policy by continuing to run them.
At Oxford Web Applications we are able to help our clients migrate away from unsupported systems and applications so please do get in touch if you would like our help.