Security Risk: How Old Software Might Be Hurting Your Organization

Security risk is a major topic of conversation for ITAM Awareness Month. As news of malware and cyber attacks becomes ubiquitous, companies and Chief Security Officers are challenged to stay ahead of security threats and learn from others who have been impacted by attacks.

When we focus on improving security, there is often an emphasis on new technologies that tend to be the typical targets. As we saw with WannaCry, new technologies aren’t always the only ones being exploited.

Security Risk Lessons from WannaCry

WannaCry/WannaCrypt was estimated to have infected over 300,000 PCs worldwide, and its impact was still being felt weeks after the ransomware became widely publicized. It’s been speculated that the vulnerability in unsupported and unpatched operating systems was discovered by the National Security Agency (NSA), and info about the technical vulnerabilities was made available when the NSA was hacked in the early part of 2017.

Operating systems that had reached “end of life” or end of vendor support years ago were the targets. This effectively exposed the security risk to organizations that had not updated, upgraded, or migrated from legacy software to newer, vendor-supported technologies.

To remediate the proliferation and negative publicity, Microsoft released two emergency patches for organizations to protect devices that were running XP, Windows 7, and Windows 8.1 operating systems.

ITAM’s Role in Reducing Security Risk

The problem, however, is that remediating the risks can sometimes be very challenging and expensive. Recognizing the risk that they are willingly incurring by not upgrading, some organizations will retain third-party vendors who specialize in offering support for older technologies. The cost associated with maintaining ongoing support for legacy technologies needs to be recognized and factored into IT budgets. And yet, some organizations, looking for ways to save money, will not prioritize this security and support investment. In the case of WannaCry/WannaCrypt, Microsoft issued the patches for free for affected organizations to utilize.

In some cases, organizations will keep older hardware and software because they are required to by government regulations for their industry. Accessing and recovering data, using legacy technologies, within specified timeframes may be needed to meet data requests. However, these systems are not typically Internet accessible and may be on a segmented network to protect them and thereby reduce the security risk. As asset managers, we need to be aware of these risks and report on them to the over-burdened, and in some organizations, well-funded, security teams.

The security risk doesn’t apply just to legacy operating systems; it can extend to applications and browsers as well. There may be business-critical applications that will only run on old browsers, such as Internet Explorer 7, 8, or 9, which will also create risk. Network segmentation should be a first line of defense, but this may not always be possible due to the way the application is installed or being used.

As asset managers, we need to expand the detail and scope of reports to illustrate where legacy software creates security risks and what the potential costs are to remediate this risk. With their visibility into discovered data and contracts, IT asset management (ITAM) programs are positioned to understand which assets are no longer supported by vendors or covered under maintenance. This is lifecycle planning and is a foundational strength of effective ITAM, so take advantage of it. Working in conjunction with enterprise architects, strategic planners, and security teams, decisions can be made that will protect the business from one more potential risk. After all, protecting against security risks is everyone’s job.

Ivanti: Your Partner for Better ITAM and Security

Ivanti can help to improve both ITAM and cybersecurity at your organization. Check out our solutions, our ITAM and security blog posts, and our ITAM and software asset management (SAM) attainment model. Then, get in touch with Ivanti, and let’s discuss how we can help you and your business.