Legacy System Security

Challenge:

  • The business is unable to keep pace with the ever-changing versions of applications and operating systems. This can result from financial, resource or technical constraints.

Risks:

  • Manufacturers will no longer issue fixes and patches for vulnerabilities, which could then be exploited by viruses, spyware and other malicious code.

Response:

  • Develop new ways to protect legacy systems and applications from vulnerabilities without impacting current operations.

Approach

  • MUST use the organization's project management process

Planning

  • Re-validate:
      • That the application/OS is required
      • That the application/OS cannot be upgraded
  • Document the agreed decommission date and the plan to replace the application. (This information will be forgotten otherwise.)
  • Identify current environment capabilities:
      • Understand what you have so you can determine what you need
  • Include an Incident Management Plan for each application as part of the deliverables – risk can be reduced, not eliminated

Design

  • Work from basics to more complex
  • Apply to high-risk systems first and low-risk systems last
  • Include DR/BCP

Testing

  • Apply in Test and UAT environments first when possible
  • Test DR/BCP first: it is not always possible to test the changes themselves, and rebuilding from scratch is not usually an option

Execution

  • Be adaptable and be prepared for a few bumps along the way
  • This will be a cyclical process.
  • Not all applications can be changed at once
  • There will be multiple hardening activities. They should be segregated so that any issues that arise can be identified and traced to their cause.


Warranty Disclaimer

Warranty Disclaimer: The FBI, InfraGard, and its affiliates provide information, including but not limited to software, documentation, training, and other guidance to be known as “materials”. The materials are provided as-is and we expressly disclaim any and all warranties, express or implied, including, and without limitation, the implied warranties of merchantability, fitness for a particular purpose, non-infringement, quiet enjoyment, and integration, and warranties arising out of course of dealing or usage of trade. You agree that, as between you and the FBI, InfraGard, and its affiliates, you are responsible for the outcome of the use of materials made available, including but not limited to adherence to licensing requirements, and taking legal and regulatory considerations into account. There is no guarantee of accuracy, completeness, timeliness, or correct sequencing of the information provided.