Legacy Applications - The Swiss Cheese of Security

Almost every organization has them...

There's that one app which someone in your organization can't live without. It's probably from back in the 1990s, and the developer no longer supports it, if they're even in business anymore. Sometimes the app was never replaced simply due to lack of funding; other times a replacement simply doesn't exist.

To make matters worse, this app probably requires additional unsupported software, such as Java 1.4.2 or even Microsoft Java Virtual Machine. Bonus points if the app also requires an unsupported operating system, such as Windows 2000.

As a security practitioner, what can you do to help secure these applications which introduce gaping holes into your organization's network?

Do some research, and identify multiple plans of attack to address the Swiss Cheese. Present these plans to management, and get their buy-in. Remember, any attempts to secure these legacy applications will inconvenience their users, so management approval is a must.

1) Investigate alternatives - It's very possible that someone else has run into the same problem as you, and has created a solution. This won't be without a little bit of work, however. For example, if your custom app requires an Oracle database backend, consider migrating to Postgres, which is Free Open Source Software.

2) Air Gapping - If possible, disconnect your legacy application from the network completely, and require that any data moving to or from the application be transferred on removable media.

3) Isolation - If your legacy application must have network access, place the system in an isolated VLAN. Principle of least privilege applies - only give the system access to the IP addresses and ports which it must absolutely have to function.
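One way to make the least-privilege rule in item 3 concrete is to write the allowlist down once and use it both to generate the firewall policy and to audit the flows the isolated host actually produces. The following is an added example, not code from the original post: the host address, the allowlist entries and the flow-log lines are constructed for illustration, and the log format is an assumed one rather than any vendor's.

```python
"""Least-privilege allowlist for an isolated legacy host (added example).

The host address, the allowlist and the flow-log lines are constructed for
illustration; nothing here comes from the original post or a real network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed: the legacy application server sitting in its own VLAN.
LEGACY_HOST = IPv4Address("10.50.0.10")

# Constructed allowlist of (proto, peer, port) tuples the app genuinely needs.
# Outbound: connections the legacy host initiates.
OUTBOUND = {
    ("tcp", IPv4Address("10.50.0.20"), 1521),  # database listener
    ("udp", IPv4Address("10.50.0.1"), 53),     # DNS resolver in the VLAN
}
# Inbound: connections other systems may open to the legacy host.
INBOUND = {
    ("tcp", IPv4Address("10.10.0.5"), 3389),   # admin jump host, remote desktop
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<proto> <src>:<sport> -> <dst>:<dport>'."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), IPv4Address(src_ip), int(sport),
                IPv4Address(dst_ip), int(dport))


def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow touching the legacy host passes only if it is allowlisted."""
    if flow.src == LEGACY_HOST:
        return (flow.proto, flow.dst, flow.dport) in OUTBOUND
    if flow.dst == LEGACY_HOST:
        return (flow.proto, flow.src, flow.dport) in INBOUND
    # Flows that do not involve the legacy host are outside this policy's scope.
    return True


def find_violations(lines):
    """Return the flow lines the least-privilege policy would not permit."""
    return [line for line in lines if not is_allowed(parse_flow(line))]


def render_nftables() -> str:
    """Render the allowlist as an nftables ruleset: explicit accepts, drop the rest."""
    rules = ["table inet legacy {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for proto, peer, port in sorted(OUTBOUND, key=str):
        rules.append(f"    ip saddr {LEGACY_HOST} ip daddr {peer} {proto} dport {port} accept")
    for proto, peer, port in sorted(INBOUND, key=str):
        rules.append(f"    ip saddr {peer} ip daddr {LEGACY_HOST} {proto} dport {port} accept")
    rules += ["  }", "}"]
    return "\n".join(rules)


# Constructed flow log: two permitted flows and two the policy should flag.
SAMPLE_LOG = [
    "tcp 10.50.0.10:49152 -> 10.50.0.20:1521",   # app to its database: allowed
    "udp 10.50.0.10:49153 -> 10.50.0.1:53",      # DNS lookup: allowed
    "tcp 10.50.0.10:49154 -> 203.0.113.7:443",   # unexpected outbound to the internet
    "tcp 10.10.0.99:51000 -> 10.50.0.10:445",    # SMB from an unapproved workstation
]

if __name__ == "__main__":
    for line in find_violations(SAMPLE_LOG):
        print("VIOLATION:", line)
    print(render_nftables())
```

Keeping a single allowlist as the source of truth for both the enforced rules and the audit means a new dependency the app turns out to need shows up first as a flagged flow, and gets added deliberately rather than by loosening the VLAN to "any".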

4) Implement Intrusion Prevention - Network Intrusion Prevention and Host Intrusion Prevention systems can be used to extend the life of unsupported applications. Often these systems will be able to catch attempts to exploit the application, such as buffer overflows or cross-site scripting attacks.

5) Risk Based Decision - Finally, if the legacy application isn't being removed from your organization, a risk-based decision memo should be signed by upper management. Ensure that management clearly understands the risks involved with continuing to use the unsupported software, including attack vectors, mitigations in place, and the likely results of a compromise. This way management agrees to assume the risk associated with continuing to use the application, and can't claim ignorance should the application ever be compromised in the future.

Do you have any additional suggestions for addressing legacy applications? If so, please share!
