“Life cycle management is the easiest thing to design, but oftentimes the hardest to implement and adhere to over time. Unfortunately, today the impact on the company is no longer limited to performance.”
– Patrick Torney – eDot
The following article was written by John P. Mello Jr., TechNewsWorld.
“Patch your systems in a timely manner” is a mantra of security experts, but what happens when the patch well runs dry because a product’s maker no longer supports it? That is a situation many large enterprises find themselves in, and it’s one that poses security risks.
Between 30 percent and 50 percent of the hardware and software assets in the average large enterprise have reached their end-of-life date, according to a BDNA report released last month.
End-of-life products pose a serious security risk to the enterprise.
“The vast majority of vulnerabilities — more than 99 percent — exploit out-of-date software with known vulnerabilities,” said BDNA President Walker White.
Oversight is a common reason end-of-life products continue to run on an organization’s systems.
“There may be a new version of a product, but because you don’t have a clear view of what’s in your environment, you can miss the old version in your upgrade process,” White told TechNewsWorld.
That’s how orphan apps are created, too.
“These products may remain on a network and are not removed because no one is using them, and no one has turned off their lights,” White said. “A hacker will exploit that kind of leftover artifact.”
Overworked IT departments can contribute to the end-of-life security problem.
“IT spends 80 percent of its resources just to keep the lights on and 20 percent on new development — if they’re lucky,” White said.
Moreover, IT can be overwhelmed by EOL data.
“They have plenty of data, but the data is so vast and there’s such a high degree of variance in it, that they can’t distill it down to information that is actionable,” White explained.
There are industries where there’s little incentive to replace end-of-life products because change is slow, added Faizel Lahkani, CEO of SS8.
For example, what’s changed in power distribution in the last 25 years?
“The answer is very little,” Lahkani told TechNewsWorld.
“As a result, there’s no fundamental driver to change something that’s designed well and works well and is for a fixed purpose,” he said. “Then the problem is you have technologies that weren’t built for security — that have vulnerable attack surfaces that allow hackers to take down things like power grids and water distribution systems very easily.”
Standing pat with legacy systems is not a good idea, Lahkani warned.
“Even in the case where you have to keep a legacy system, keeping it and saying, ‘I’m good’ is not acceptable because, from a security perspective, those systems are vulnerable,” he said. “You may have to live with them because you don’t have the dollars to replace them, but you still have to secure those systems.”
Malware’s Changing Role
Malware has become a penetration tool for hackers, but once nested in a system, Black Hats prefer to use other means to conduct malicious activity.
Ninety-nine percent of post-intrusion activities do not employ malware, according to a recent LightCyber report.
Instead, intruders prefer to leverage standard networking, IT administration and other tools, the report notes.
“We suspected there wasn’t a large use of malware, but we were surprised by how extreme our findings were,” said David Thompson, a researcher at LightCyber.
“They were much higher than we expected,” he told TechNewsWorld.
Attackers have moved away from malware for a simple reason: detection.
“Attackers know security organizations are using multiple layers of defense on the perimeter and the endpoints so they’re not using malware that can be detected by those solutions,” Thompson explained.
When Black Hats do use malware, they tend to use it only once, LightCyber found.
More than 70 percent of the malware used for launching an intrusion was found at only one site, the study notes. That makes it very difficult for protection solutions based on signatures to identify such attacks.
However, “the signatures do catch up, which is why attackers stop using malware as soon as they can once they get into a system,” Thompson said. “If they continued to rely on it, they would be found in a matter of days or weeks.”