Summary
Legacy systems are systems that a vendor no longer supports, or systems that an organisation no longer maintains. This includes end-of-life or unsupported software, as well as devices.
When it comes to legacy systems, organisations have to choose between two options; to replace them or staying with the unsupported systems. There are challenges in finding the right option as both require time, money, and resources to address. Both options introduce similar risks:
- Risk 1: If the systems are replaced, there is a risk of affecting that critical process.
- Risk 2: If the system is not replaced, there is a risk that any known problems or security vulnerabilities in that system that could be exploited.
An organisation may choose the second option. This risk decision only considers the short-term impact. It often looks at the system in isolation, and does not consider the wider impact of having legacy systems running.
Over time, as more vulnerabilities are found, the impact and size of the risk increases. Keeping the legacy system does not mean doing nothing, the risk introduced by these systems still need to be managed using other controls. See Mitigating legacy systems.
As discussed in the patching control, the number of disclosed vulnerabilities is growing over time so keeping all your systems patched and in-support is critical. Legacy systems do not operate in isolation – attackers could compromise your legacy systems in order to access other modern systems in your environment.
Your organisation may be in a position where you need to accept risk 2 for a period of time because the time and resources needed to move from a legacy system is not possible. The tips below provide some advice on how to prepare your organisation to upgrade or replace those legacy systems.
Purpose
The intent of this control is for organisations to have no legacy systems. All systems in your organisation are supported by the vendor and maintained by the organisation. CERT NZ recognises that this is not always possible to achieve quickly. Temporary mitigations are suggested on Mitigating legacy systems.
Measuring success
Success with the legacy systems control is easy to measure - you use legacy systems or you don’t. While it is easy to measure it can be a difficult control to implement if your organisation has not actively maintained their systems, or if systems are no longer supported. The following goals will help your organisation take steps towards achieving this control:
- All of your systems are still within the vendor’s support lifecycle.
- Your organisation maintains all of your systems by regularly patching and backing them up.
- You have a complete view of the components in your environment and understand the lifetime for each component.
- You have plans in place to proactively replace or upgrade the systems before their end of life or end of support date.
- As an interim measure, follow our advice on Mitigating legacy systems.
Key legacy system takeaways
- There are multiple options on how to mitigate legacy systems in your environment. We do not recommend doing nothing and maintaining legacy systems. The risk associated with running unsupported components in your environment is too high and it gets harder to manage over time. At a minimum, your organisation should be hardening and restricting access to vulnerable and unsupported components until removing or replacing the legacy system is possible.
- Keep up-to-date on the lifecycle and lifetimes of the components in your environment. Vendors often give advance notice when their products are going to reach end-of-life. Use this notice period as a time to plan for the replacement or upgrade of those components to avoid legacy issues in the future.
- Legacy systems often require legacy network protocols or hardware, which means that a legacy system can place modern systems at risk. The longer a legacy system is in place, the more likely it becomes that the people who understand how it works are no longer available, and replacing or changing the system becomes more difficult and expensive.
Advice for implementation
Identifying and managing legacy systems