You might already be saying that there’s no such thing in today’s modern information technology world as legacy systems. After all, how could the world that gave us Android, the iPhone, and other technological marvels coexist with systems that are decades old?
It’s a fact. They live in the networks of the Fortune 500, the healthcare industry, government, and the financial sector. While researching this topic, I came across an article about legacy systems in government written by Joe McKendrick. In his article, he cites a survey conducted by Meritalk and Unisys that found that “agencies spend almost half of the annual federal IT budget, $35.7 billion, maintaining and supporting legacy applications”. He further points out that “nearly half (47%) of all existing IT applications are based on legacy technology in need of modernization”.
I recently exchanged emails with Alert Logic’s Director of Security Research Johnathan Norman about the problem. It was my position that many of these systems have a variety of security problems, including the r-services that I talked about in a post on April 30th. In my experience the systems were purpose built and certified on a specific platform. It may take the vendor a long time (if ever) to support the application on a newer Operating System. Even if the technology becomes available, according to the Meritalk/Unisys survey, adoption can take up to 3 years.
Still skeptical? In my 6 years as a penetration tester, we regularly came across older Operating Systems. Back in 2000, one of our largest customers was running SunOS 4.1, an operating system that was introduced to the market in 1991. Fast forward to January 2008, where as a corporate information security professional I ran into Windows 3.11! That’s a lot of potential for vulnerabilities. In fact, patches may not even be available in many cases.
What’s the point? We need to stop pretending that APT is the only thing we need to be afraid of… and give these ticking time bombs the attention they deserve. If you have a few minutes, you should read Lenny Zeltser’s post on APT. At the very least, if you’re responsible for one of these systems – you should monitor them and the networks around them closely. Be prepared to flip the switch on your incident response process.
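As an added example (not code from the original post), here is a small Python check of the kind that “monitor them and the networks around them closely” implies: it reads constructed Zeek-style connection log lines and flags any r-service connection to an inventoried legacy host, plus any other connection to such a host from outside an assumed set of admin hosts. The legacy inventory, the admin host and the log lines are all constructed for the example.

```python
# Added example (not from the original post): flag connections that reach
# inventoried legacy hosts, with r-services always flagged. Log lines are
# constructed in a Zeek-style tab-separated layout: ts src sport dst dport proto.

# Constructed inventory of legacy hosts and their platforms.
LEGACY_HOSTS = {"10.0.5.20": "SunOS 4.1", "10.0.5.21": "Windows 3.11"}
# Berkeley r-services: cleartext, with host-trust (.rhosts) authentication.
R_SERVICE_PORTS = {512: "rexec", 513: "rlogin", 514: "rsh"}
# Constructed: the only hosts expected to talk to the legacy segment.
ADMIN_HOSTS = {"10.0.1.5"}

# Constructed sample log; "garbage line" exercises the malformed-line path.
SAMPLE_LOG = """\
1714473600.1\t10.0.1.5\t40000\t10.0.5.20\t22\ttcp
1714473601.2\t10.0.9.77\t40001\t10.0.5.20\t513\ttcp
1714473602.3\t10.0.9.77\t40002\t10.0.5.21\t139\ttcp
1714473603.4\t10.0.1.5\t40003\t10.0.5.20\t514\ttcp
1714473604.5\t10.0.9.77\t40004\t10.0.7.7\t80\ttcp
garbage line
"""

def parse_conn_line(line):
    """Return (ts, src, dst, dport, proto) or None for a malformed line."""
    parts = line.strip().split("\t")
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, src, _sport, dst, dport, proto = parts
    return ts, src, dst, int(dport), proto

def flag_legacy_traffic(log_text):
    """Return alerts as (ts, src, dst, dport, reason) for traffic to legacy hosts.
    r-service connections are always flagged; other TCP only from non-admin clients."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if dst not in LEGACY_HOSTS or proto != "tcp":
            continue
        platform = LEGACY_HOSTS[dst]
        if dport in R_SERVICE_PORTS:
            alerts.append((ts, src, dst, dport, f"{R_SERVICE_PORTS[dport]} to {platform} host"))
        elif src not in ADMIN_HOSTS:
            alerts.append((ts, src, dst, dport, f"non-admin client to {platform} host"))
    return alerts
```

Running `flag_legacy_traffic(SAMPLE_LOG)` on the constructed log yields three alerts: the rlogin and rsh connections to the SunOS host, and the non-admin client reaching the Windows 3.11 host on port 139; the SSH session from the admin host and the connection to a non-legacy host are not flagged.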