It has been revealed that the Metropolitan Police is still running 27,000 PCs on Windows XP, an obsolete legacy operating system that Microsoft stopping officially supporting with new security updates in 2014. Yet it’s not just PCs that IT service and support staff must worry about. From IP security cameras and door readers, through to mobiles, tablets and wearable technologies, there is a proliferation of devices capable of introducing new threats to the corporate network, writes Roberto Casetta, pictured, of HEAT Software, a cloud service and IT firm.
Like it or not it’s impossible to lock down access to company systems like it used to be. Increased mobility, ‘Bring Your Own Device’ and the rapid adoption of cloud-based technologies has ironically diminished IT professionals’ direct control over the tools and technologies used within the enterprise at the point when the dangers have reached new levels. Therefore pure prevention strategies such as blacklisting and antivirus alone are ill-equipped to deliver anything like the levels of protection they once did.
For organisations capable of obtaining a real-time understanding of all devices and applications connecting to or running on the corporate network it is relatively straightforward to eliminate the vast majority of such threats. For example, simple precautions such as ensuring the latest security updates are regularly and consistently applied across the enterprise can eliminate 99% of an organisation’s exposure to these risks. However, this is where we run in to big problems with the continued use of legacy systems and processes that are well past their use-by date.
It’s not the fault of the legacy systems themselves, many of which will have served the organisation well in previous years. However, as technology and malware evolves it is only to be expected that some will begin to experience problems in response to things that they were never designed to encounter in the first place. A tell-tale sign that it’s time to re-evaluate is when the on-going cost of service contracts begins to rapidly escalate or extensive and costly customisation is required to keep things running as they should. Another is when employees are forced to resort to manual workarounds simply to perform basic security functions and to fulfil the requirements of their role.
The Metropolitan Police is not alone in persevering with an end-of-life unsecured operating system. In fact, the latest data from NetMarketShare suggests that 10.34% of users are still leaving themselves vulnerable to security threats by continuing to use Windows XP. Move away from Microsoft, which has a relatively straightforward update mechanism, to consider all of the other hardware and software providers and it quickly becomes apparent that manual ‘fixes’ are never going to work for long.
Just one unsecured application can provide attackers with the initial entry-point they require to get inside the network. This is a scary thought when just last year more than 7,000 new software vulnerabilities were published, alongside 16 million different malware signatures that had been identified to exploit them. However, exposure to such risks can be all but averted simply by having the capability to apply the latest software patches and eliminate the running of unsupported or unpatched software applications inside the corporate network. It is in this context that continuing to invest in any legacy security tool that prevents this from happening must be viewed as a false economy.
Inevitably, many organisations fail to invest in upgraded security until they have themselves suffered the pain of a data breach. However, security professionals need to ask themselves a simple question: Would we rather leave behind a legacy of improved security, or be remembered as the individuals whose perseverance with legacy systems left the organisation behind?
