Hardening Legacy Software: Three Steps to Improving Cybersecurity
October 19, 2023
4 min read
If you’ve ever been responsible for keeping a business’s computer systems secure, the links between Cybersecurity Awareness Month and Halloween should be immediately evident. Hardening legacy software is one of the most overlooked ways to avoid beeping error codes, cries of anguish, and other horrifying sounds that echo throughout a business when an avoidable cybersecurity incident occurs.
Let’s face it. A mature software implementation can be a total wildcard in an otherwise secure infrastructure. In most cases, a legacy product exceeds the usual lifecycle because a large portion of the business understands, succeeds with, and perhaps even likes using it, which naturally also means the tool must evolve to continue performing. As companies connect their trusted legacy infrastructure with newer apps and services, unseen gaps contribute to problems that might go unnoticed for years before they’re discovered – hopefully by the company using the software, not cyberattackers.
If you’ve got hardening legacy software on your mind this Cybersecurity Awareness Month, you’ll be pleased to hear the blind spots can be conquered and the potential for cybercrime can be minimized. Here are three tips to help start your effort in the right direction.
Legacy software that is otherwise great at what it does can create multiple risks where it connects with more modern systems. Fortunately, that risk can be mitigated.
As you plan, remember that striking a balance between convenience, functionality, and security is essential.
For legacy cybersecurity measures, that means restricting unneeded or unnecessarily risky access as a top-of-the-list objective, whatever shape it takes. Limiting all but encrypted traffic and allowing remote users to only connect via VPN, making sure traffic stored/transmitted by legacy apps is held to modern encryption and scanning standards, and reviewing legacy software credential-storing standards would be three examples.
This one’s closely tied to Tip 1, but the notion goes deeper than just digital/generational friction points. It can be surprisingly difficult to get a full grasp on what a given piece of legacy infrastructure does, which teams it supports, how those teams use it, and the oddball legacy cybersecurity issues that can arise from the combination of all three. If you’re planning on hardening legacy software in your company’s stack, though, achieving that level of knowledge and insight is essential.
Let’s say a retail manager is required to log into an essentially deprecated but still active system to provide data regarding an uncommon fraud claim. Most of the company’s systems are under a single sign-on (SSO) service, but this particular legacy SKU lacks the connectivity to be a part of it. When the manager logs in using the same password – using the same word or phrase across multiple systems being a common bad security practice – the legacy system that stores the data uses a hashing procedure that has been compromised in some way.
Months later, an attacker discovers the treasure trove of compromised hashes. They begin testing username and password combinations uncovered in the deprecated system on the SSO-connected side, until voilà – the manager’s (relatively) freshly entered combination works.
Situations like these can spring up in a million different ways. It’s one of many reasons phrases like “no system is perfectly secure” are common in the industry. The good news is you can limit their incidence by taking time to understand how your legacy cybersecurity needs to interlink with the broader security practices your company has in place. An independent third-party software maintenance (TPSM) provider, some of whom offer highly specialized legacy software and mainframe skills and tailored, multilayered security services, can be a valuable partner if you need to build a deeper level of understanding on an accelerated timeline.
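The scenario above turns on two properties of the legacy credential store: a fast, unsalted hash that is cheap to reverse, and the same password reused on the SSO side. The script below is an added example, not code from the original post or from any TPSM provider, showing the kind of check a defender can run against such a store: it classifies each stored value by scheme, flags users whose hash is weak, surfaces users who share an identical stored hash (only possible when the scheme is unsalted), and migrates accounts to a salted scrypt hash at their next successful login. The user names, passwords and the `scrypt$salt$digest` storage format are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of a legacy credential table (username -> stored hash).
# The legacy scheme is unsalted MD5; two users happen to share a password,
# which an unsalted scheme exposes at a glance.
LEGACY_STORE = {
    "retail.manager": hashlib.md5(b"Autumn2023!").hexdigest(),
    "warehouse.lead": hashlib.md5(b"Autumn2023!").hexdigest(),
    "auditor": hashlib.md5(b"correct horse battery").hexdigest(),
}

# Unsalted fast digests are recognisable from their hex length alone.
WEAK_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(stored):
    """Name the scheme a stored value uses: 'scrypt', a weak digest name, or 'unknown'."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    if HEX_RE.match(stored) and len(stored) in WEAK_BY_LENGTH:
        return WEAK_BY_LENGTH[len(stored)]
    return "unknown"


def audit_store(store):
    """Return (users on a weak or unknown scheme, groups of users sharing one stored hash)."""
    weak = sorted(u for u, h in store.items() if classify_hash(h) != "scrypt")
    by_hash = {}
    for user, stored in store.items():
        by_hash.setdefault(stored, []).append(user)
    reused = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return weak, reused


def scrypt_hash(password, salt=None):
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>' (constructed format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_scrypt(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def login_and_migrate(store, user, password):
    """Check a login; on success against a weak digest, re-store the password under scrypt."""
    stored = store[user]
    scheme = classify_hash(stored)
    if scheme == "scrypt":
        return verify_scrypt(password, stored)
    if scheme == "unknown":
        return False
    legacy = hashlib.new(scheme, password.encode()).hexdigest()
    if not hmac.compare_digest(legacy, stored):
        return False
    store[user] = scrypt_hash(password)  # the legacy digest is not kept alongside the new one
    return True


if __name__ == "__main__":
    store = dict(LEGACY_STORE)
    print("before migration:", audit_store(store))
    login_and_migrate(store, "retail.manager", "Autumn2023!")
    print("after one login: ", audit_store(store))
```

The migrate-on-login approach matters because the store holds only digests, so the plaintext needed to re-hash is available exactly once per user, at login; accounts that never log in again stay on the weak list and can be handled by a forced reset.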
In most enterprise IT estates, “legacy software” is another term for “software no longer supported by the OEM.” And if you’re used to the standard break/patch/fix manner of resolving security issues, the notion of your software being unsupported when something serious goes wrong might be concerning.
In a lot of cases, security issues that arise in older software can be resolved well before a patch or OEM attention is necessary.
A vulnerability compromising a huge number of enterprise IT systems, known as Log4Shell or LogJam, is a prominent example of the disasters that companies can avoid when they take an active approach to hardening legacy software. Because the vulnerability came from an open-source library used in several different types of business software, OEMs pointed to the library’s creator, Apache, when the crisis first started. And even those OEMs that did take immediate responsibility needed time to patch individual affected versions, a process that took weeks or months.
By comparison, companies with a hardened approach and an appropriate level of third-party support were able to counteract the same problem in a matter of hours or days. Small configuration changes that had no impact on functionality or performance were all it took to secure the legacy software for hundreds of cases thanks to smart reduction of the attack surface area.
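The configuration-level fix the passage alludes to had to start with knowing which archives in the estate still carried the vulnerable lookup. As an added example (not code from the original post or from any vendor), the script below scans a directory tree for Java archives that still ship `org/apache/logging/log4j/core/lookup/JndiLookup.class`, descending into WAR and EAR files where a log4j-core jar is usually bundled, and writes a copy of a flagged jar with that class removed, which was one of Apache’s published mitigations for affected Log4j 2 releases. The archives it builds are constructed stand-ins with placeholder bytes rather than real bytecode; the file names and directory layout are assumptions for the demo.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class whose presence made JNDI lookups reachable from log messages.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def archive_has_jndi_lookup(archive):
    """True if the archive (path or file-like object) contains JndiLookup.class,
    including inside nested archives such as WEB-INF/lib/*.jar in a WAR."""
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP_CLASS:
                return True
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    if archive_has_jndi_lookup(io.BytesIO(zf.read(name))):
                        return True
                except zipfile.BadZipFile:
                    continue  # a nested entry that is not really a zip
    return False


def scan_tree(root):
    """Return every archive under root that still ships JndiLookup, as sorted paths."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            try:
                if archive_has_jndi_lookup(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                continue
    return sorted(hits)


def strip_jndi_lookup(src, dst):
    """Copy the jar at src to dst, omitting JndiLookup.class. Returns entries removed."""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed += 1
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def make_sample_jar(path, include_jndi):
    """Constructed stand-in for a log4j-core jar; the class entries are placeholder bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def run_demo(workdir=None):
    """Build constructed archives, scan them, harden the flagged jar, and report."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="log4j-audit-"))
    lib = workdir / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    vulnerable = lib / "log4j-core-legacy.jar"      # assumed name
    make_sample_jar(vulnerable, include_jndi=True)
    make_sample_jar(lib / "other-lib.jar", include_jndi=False)
    # A WAR bundling the vulnerable jar where application servers usually keep it.
    with zipfile.ZipFile(workdir / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-legacy.jar", vulnerable.read_bytes())
    before = sorted(str(p.relative_to(workdir)) for p in scan_tree(workdir))
    hardened = lib / "log4j-core-hardened.jar"
    removed = strip_jndi_lookup(vulnerable, hardened)
    return {
        "flagged": before,
        "removed": removed,
        "hardened_clean": not archive_has_jndi_lookup(hardened),
    }


if __name__ == "__main__":
    print(run_demo())
```

Scanning by class name rather than by jar version string is deliberate: renamed, shaded or repackaged copies of log4j-core carry no reliable version in their file name, but they still contain the class.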
In so many words, don’t think that the OEM’s suggested way to deal with problems (normally a patch) is the only one. It is worth keeping in mind that there are viable alternatives to updating versions or renewing OEM support – which you may feel pressured to do.
We’ve all seen, read about, or even experienced the bone-chilling outcomes that occur when companies fail to fully account for all the legacy software in the estate. Now for a fact you don’t hear as often. A large chunk of the problems that companies encounter come as the result of misconfiguration (such as storage buckets or APIs left open), human error (like having the same password in too many places), or other hard-to-spot missteps. TPSM providers can and do provide a high-quality insurance plan against the security issues that arise once the software has gone to EOS status.
By hardening legacy software, you’re essentially trying to look at your infrastructure like an attacker, to beat them to the punch before they find points of friction that might have been overlooked. A TPSM provider’s combination of objective-focused outlook and proactive defense could be all it takes to make sure you win that race.