From Vintage to Vulnerable: The Risks of Outdated Tech
As technology evolves at a breakneck pace, it's easy to forget about those older systems quietly humming away in your business. However, these "legacy" systems – software or hardware that is no longer supported by the manufacturer – can pose a significant risk to your cybersecurity. Let's delve into why this is a ticking time bomb and how you can address it.
The Hidden Dangers of Unsupported Systems
Zero-Day Vulnerabilities: When a system reaches its end-of-life (EOL), the manufacturer stops issuing security updates and patches. This leaves any discovered vulnerabilities – also known as "zero-day" vulnerabilities because you have zero days to fix them before they're exploited – open to attackers.
Increased Attack Surface: Legacy systems often have outdated configurations, weak security protocols, and unpatched software, creating a larger attack surface for cybercriminals to exploit.
Data Breaches and Ransomware: The consequences of a successful attack on a legacy system can be devastating. This could include data breaches, where sensitive information is stolen or exposed, or ransomware attacks that lock down your systems until a ransom is paid.
Why Patching Matters: The ACSC Essential Eight
The Australian Cyber Security Centre (ACSC) recognizes the critical importance of patching in its Essential Eight security controls. Regular patching is the most effective way to mitigate vulnerabilities in all systems. Here's why it's essential:
Closing Security Gaps: Patches address vulnerabilities as they're discovered, plugging the holes before attackers can exploit them.
Minimizing Risk: Patching is a proactive approach to security, reducing the likelihood of successful attacks and the associated costs of recovery.
Regulatory Compliance: Many industries have regulations that require regular patching to maintain security standards.
Is Your System Still Supported? Here's How to Check
Check with the Manufacturer: The easiest way is to check the manufacturer's website for EOL announcements and support information.
Consult Your IT Team or Provider: They should be able to provide information on your system's status and recommend a course of action.
Utilize Software Inventory Tools: These tools can help businesses identify all software running in their environment, including versions and patch levels.
Examples of Unsupported Legacy Systems
Whilst there are countless systems that are no longer supported, here is a non-exhaustive list of widely-adopted systems that some organisations may still be using today.
Operating Systems:
Windows 7: Mainstream support ended in 2015, and extended support ended in January 2020.
Windows Server 2008 and 2008 R2: Extended support ended in January 2020.
Windows XP: Support ended in April 2014.
macOS 10.12 Sierra: Support ended in November 2019.
Software Applications:
Adobe Flash Player: Officially discontinued in December 2020.
Microsoft Office 2010: Extended support ended in October 2020.
Internet Explorer 11: Outdated and no longer receiving security updates.
Hardware:
Older network infrastructure devices (routers, switches): Many older models are no longer supported by manufacturers and may have vulnerabilities. If you bought your router separately, check the manufacturer’s (e.g. ASUS, D-Link) website. If your modem/router came with your plan from your internet service provider (ISP), chances are they have notified you and recommended a replacement with a current-supported model. Examples of popular legacy hardware are the Telstra Gateway Max (support ended April 2023) and the Optus Sagemcom F@ST 5355 which no longer receives updates.
What to Do with Legacy Systems
Upgrade: If possible, upgrade to newer, supported versions of software and hardware. This may involve some investment, but the security benefits are undeniable.
Isolate: If upgrading isn't feasible, isolate legacy systems from the rest of your network. This can help limit the potential damage if they're compromised.
Replace: In some cases, replacing outdated systems with newer technology may be the most cost-effective and secure solution.