If there is a bad security practice that I fully understand, it is the desire to keep running legacy systems and programs. Some industries require specialized infrastructure to support their operations, and if that technology works, why replace it? The problem arises when the pace of technology outruns the old systems and software. Five to ten years later, the infrastructure is no longer supported. Once a vendor ends support, the technology stops receiving security patches: it is frozen in time, and every vulnerability discovered from that point on remains exploitable indefinitely.

Businesses of all sizes have suffered cyberattacks through exploitation of their legacy systems. Examples range from Internet-exposed SCADA/ICS equipment being compromised to networks still running Windows Server 2008 or Windows 7 spreading ransomware through outdated services. Still, many organizations choose to keep these systems because of budget constraints or a lack of familiarity with newer platforms.

The continued use of any legacy infrastructure is an inherent vulnerability carrying a high degree of risk. The most effective mitigation is to migrate to a supported platform. However, this framework recognizes that many organizations lack the resources to do so. In that case, you must apply compensating controls to the legacy systems. These may include network segmentation, air-gapping, virtualization, and more thorough intrusion detection/prevention coverage of the segment where the legacy systems live.

These controls will be covered in future documentation. For now, ensure that every legacy system currently operating in your business is thoroughly documented. You should already have a hardware asset inventory. For the current task, mark the assets in that inventory that are legacy systems, then create a second inventory that drills deeper into their status. Take note of the following:

  • Employees who currently have any level of access to the legacy system
  • Other systems and services involved in data flows with the legacy system
  • Any compensating controls currently in place
  • The reasons for retaining the legacy system in your environment
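The following is an added example of building that second inventory from the hardware asset list; it is not code from the framework. It flags assets whose platform has passed its vendor end-of-support date, attaches the four items above to each one, and reports which records are still missing a field. Assets whose platform is absent from the end-of-support table are listed separately rather than silently treated as supported, since an unknown lifecycle status is itself a finding. The asset records, detail records, field names and end-of-support table are all constructed for illustration; confirm real dates against the vendor's lifecycle page.

```python
"""Build the legacy-system inventory from the hardware asset inventory.

Added example, not part of the original framework. The asset records, detail
records and end-of-support table are constructed for illustration; the field
names are assumptions, not a schema the framework prescribes.
"""
from dataclasses import dataclass, field
from datetime import date

# Vendor end-of-support dates. Illustrative values: confirm each against the
# vendor's lifecycle page before relying on them.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2019": date(2029, 1, 9),
}


@dataclass
class Asset:
    """One row of the hardware asset inventory the framework assumes exists."""
    asset_id: str
    hostname: str
    platform: str


@dataclass
class LegacyRecord:
    """One row of the legacy inventory: the asset plus the four items to note."""
    asset: Asset
    end_of_support: date
    users_with_access: list = field(default_factory=list)
    data_flows: list = field(default_factory=list)   # (peer, direction, protocol)
    compensating_controls: list = field(default_factory=list)
    retention_reason: str = ""

    def missing_fields(self):
        """Names of the required fields that are still undocumented."""
        required = ("users_with_access", "data_flows",
                    "compensating_controls", "retention_reason")
        return [name for name in required if not getattr(self, name)]


def support_status(asset, today=None):
    """'unsupported', 'supported', or 'unknown' if the platform is not in the table."""
    today = today or date.today()
    eol = END_OF_SUPPORT.get(asset.platform)
    if eol is None:
        return "unknown"
    return "unsupported" if eol <= today else "supported"


def build_legacy_inventory(assets, details, today=None):
    """Return (legacy records, asset ids whose support status is unknown).

    Unknown platforms are reported rather than treated as supported: a device
    with no known lifecycle date is often the one most likely to be legacy.
    """
    records, unknown = [], []
    for asset in assets:
        status = support_status(asset, today)
        if status == "unknown":
            unknown.append(asset.asset_id)
        elif status == "unsupported":
            records.append(LegacyRecord(asset, END_OF_SUPPORT[asset.platform],
                                        **details.get(asset.asset_id, {})))
    return records, unknown


# Constructed sample input: one fully documented legacy host, one partially
# documented, one supported host, and one device with no lifecycle data.
SAMPLE_ASSETS = [
    Asset("A-001", "hmi-line1", "Windows 7"),
    Asset("A-002", "fs-legacy", "Windows Server 2008 R2"),
    Asset("A-003", "app-03", "Windows Server 2019"),
    Asset("A-004", "plc-line1", "Acme PLC firmware 2.1"),
]
SAMPLE_DETAILS = {
    "A-001": {
        "users_with_access": ["ops.shift1", "ops.shift2", "vendor.support"],
        "data_flows": [("A-004", "inbound", "Modbus/TCP"),
                       ("historian", "outbound", "OPC")],
        "compensating_controls": ["OT VLAN with no Internet route", "IDS span port"],
        "retention_reason": "HMI software is certified only on Windows 7",
    },
    "A-002": {
        "users_with_access": ["finance.share-users"],
        "data_flows": [("erp-db", "outbound", "SMBv1")],
    },
}

if __name__ == "__main__":
    records, unknown = build_legacy_inventory(SAMPLE_ASSETS, SAMPLE_DETAILS)
    for r in records:
        gaps = r.missing_fields()
        print(f"{r.asset.asset_id} {r.asset.hostname} ({r.asset.platform}, "
              f"EOL {r.end_of_support})"
              + (f" missing: {', '.join(gaps)}" if gaps else " fully documented"))
    print("unknown support status:", unknown)
```

Running it lists A-001 as fully documented, A-002 as missing its compensating controls and retention reason, and A-004 as needing a lifecycle check before it can be classified either way; the records with gaps are the ones to chase before the compensating-controls work begins.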