Among security experts, there is one commonly held mantra: “Patch your systems in a timely manner.”
Unfortunately, this advice isn’t always possible to follow, especially once a vendor stops supporting a product that has been on the market for some time. Many enterprises run into this problem, and it carries substantial security risk.
According to a report published by BDNA, anywhere between 30 and 50 percent of the hardware and software assets used by large enterprises have already reached their end-of-life date. Products that are past their prime pose major security risks, because they tend to carry publicly known vulnerabilities that attackers have already found and that the manufacturer will never fix.
“The vast majority of vulnerabilities, more than 99 percent, exploit out-of-date software with known vulnerabilities,” explained Walker White, president of BDNA.
White went on to explain how simple oversights allow end-of-life products to keep running on an organization’s systems even when nobody is still using them:
“There may be a new version of the product, but because you don’t have a clear view of what’s in your environment, you can miss the old version in your upgrade process,” he continued. “These products may remain on a network and are not removed because no one is using them, and no one has turned off their lights.”
“A hacker will exploit that kind of leftover artifact,” he concluded.
Another way that end-of-life products leave an enterprise exposed: IT departments that are overworked or short on time can miss them entirely, because removing old software is never prioritized as highly as installing upgrades and other major IT tasks.
“IT spends 80 percent of its resources just to keep the lights on and 20 percent on new development, if they’re lucky,” White explained. “They have plenty of data, but the data is so vast and there’s such a high degree of variance in it, that they can’t distill it down to information that is actionable.”
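The two failure modes White describes, an old version that survives an upgrade because nobody had a clear view of the environment, and inventory data too vast and varied to act on, are the kind of thing a simple reconciliation script can surface. The following is an added example, not code from BDNA or from the article; the product names, version numbers, end-of-life dates and hosts are all constructed for illustration and are not real vendor data.

```python
from datetime import date

# Constructed end-of-life table: (product, major version) -> EOL date.
# Illustrative values only; a real run would load vendor lifecycle data.
EOL_DATES = {
    ("ExampleDB", "9"): date(2021, 11, 11),
    ("ExampleDB", "12"): date(2024, 11, 14),
    ("ExampleDB", "15"): date(2027, 11, 11),
    ("LegacyApp", "4"): date(2019, 6, 30),
}

# Constructed inventory rows as they might come out of an asset scan:
# (host, product, major version).
INVENTORY = [
    ("app-01", "ExampleDB", "15"),
    ("app-01", "ExampleDB", "9"),    # old version left behind after the upgrade
    ("app-02", "ExampleDB", "15"),
    ("db-03", "ExampleDB", "12"),
    ("ops-07", "LegacyApp", "4"),
    ("ops-07", "UnknownTool", "2"),  # no lifecycle data: cannot be classified
]


def classify(inventory, eol_dates, today):
    """Split inventory into rows already past EOL and rows with no EOL data.

    Rows with no lifecycle entry are reported separately rather than silently
    treated as supported: an unknown product is a gap in visibility, not proof
    that it is fine.
    """
    expired, unknown = [], []
    for host, product, version in inventory:
        eol = eol_dates.get((product, version))
        if eol is None:
            unknown.append((host, product, version))
        elif eol <= today:
            expired.append((host, product, version, eol))
    return expired, unknown


def leftover_versions(inventory):
    """Find hosts running more than one version of the same product.

    This is the 'missed in the upgrade process' case: the new version was
    installed but the old one was never removed, and keeps listening on the
    network with its known vulnerabilities.
    """
    versions = {}
    for host, product, version in inventory:
        versions.setdefault((host, product), set()).add(version)
    return {
        key: sorted(vs, key=int)          # versions here are constructed integers
        for key, vs in versions.items()
        if len(vs) > 1
    }


def summarize(expired):
    """Collapse per-host findings into per-(product, version) counts, most
    widespread first, so the list is short enough to act on."""
    counts = {}
    for _host, product, version, _eol in expired:
        counts[(product, version)] = counts.get((product, version), 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    today = date(2025, 1, 1)  # constructed reference date
    expired, unknown = classify(INVENTORY, EOL_DATES, today)
    for (product, version), n in summarize(expired):
        print(f"EOL: {product} {version} on {n} host(s)")
    for (host, product), vs in leftover_versions(INVENTORY).items():
        print(f"Leftover: {host} has {product} versions {', '.join(vs)}")
    for host, product, version in unknown:
        print(f"No lifecycle data: {host} {product} {version}")
```

The point of separating the three lists is the one White makes: raw scan output is too large to read, but "three expired products, one host with two versions of the same database, one product nobody has lifecycle data for" is a list an overworked team can actually work through.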
In industries such as power distribution, where change is slow, there tends to be little to no incentive to replace end-of-life products. When Faizel Lahkani, CEO of SS8, was asked what had changed in power distribution over the past 25 years, he responded, “The answer is very little.”
“As a result, there’s no fundamental driver to change something that’s designed well and works well and is for a fixed purpose,” he continued. “Then the problem is you have technologies that weren’t built for security, that have vulnerable attack surfaces that allow hackers to take down things like power grids and water distribution systems very easily.”
Continuing to run legacy systems may be necessary for some organizations, but there is still no excuse for accepting the vulnerability that comes with them, he added.
“Even in the case where you have to keep a legacy system, keeping it and saying, ‘I’m good’ is not acceptable because, from a security perspective, those systems are vulnerable. You may have to live with them because you don’t have the dollars to replace them, but you still have to secure those systems.”