Mitigating legacy systems

These tips cover managing the risk of running unsupported and vulnerable systems in the short term, until they can be replaced or removed.

If you have identified legacy systems in your environment, your goal should be to remove or replace them so that every system in use is fully supported and maintained. Until then, there are steps you must take to mitigate the risk associated with these vulnerable components.

There are several proactive steps you can take to prevent and detect issues with legacy software. The options below are common ones that may suit your environment.

Mitigation option 1: Remove or replace the system

Legacy systems are, almost by definition, vulnerable: they no longer receive security fixes, so they present a standing risk to your organisation. The safest option is to stop using them and remove them from your network. This can be an expensive and/or time-consuming option, but it eliminates the vulnerabilities in that system that could be used to compromise your organisation. Even while a replacement or removal project is underway, the legacy system will probably need to stay online. During this time, restrict access to it to manage the risk in the interim (see Mitigation option 2 below).

Mitigation option 2: Restrict access to the system

Move the system off the network onto a standalone device. In some cases a system only needs to be used by someone with physical access, and can be kept “all in one” on a desktop or similar hardware. In that case it can be disconnected from the network entirely. This drastically reduces the likelihood of a remote compromise, as long as your physical controls are appropriate.

If the system must remain on the network, apply the principle of least privilege: restrict the devices that can connect to and from the system, and reduce the permissions the system needs in order to operate, to the absolute minimum. This limits the damage the system can do to the rest of the environment if it is breached.

Put the system behind a proxy. Sometimes called “virtual patching”, this technique uses a set of pre-defined rules and policies to inspect traffic before passing it to the underlying system. For example, the rules might require that clients connect using only modern cryptography that the back-end system itself does not support, or might restrict access to certain resources.

Note: specific policies usually have to be created for each legacy system, at a cost to the organisation, and they can only mitigate vulnerabilities that have already been identified. A proxy rule set is therefore not a substitute for replacing the system, and relying on it can give a false sense of security.
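As an added example (not code from the original guidance), the following Python sketches the policy layer such a proxy applies in front of a legacy HTTP application. It combines the network restriction from the least-privilege step above with request inspection, and shows the proxy insisting on modern TLS towards clients regardless of what the back end supports. The address ranges, exposed paths, blocked patterns and sample traffic are all hypothetical. The last sample request carries a payload for a weakness the rule set has not been told about, which is exactly the limitation the note above describes.

```python
"""Policy-driven request filter in front of a legacy HTTP application.

Added example, not code from the original guidance. Everything here is
hypothetical: the address ranges, exposed paths and blocked patterns stand
in for a policy you would write for one specific legacy system.
"""
import ipaddress
import posixpath
import re
import ssl
from dataclasses import dataclass
from urllib.parse import unquote

# Least privilege on the network: only these sources may reach the system
# (hypothetical management subnet and one named host).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.30.5.17/32"),
]
# Only the functionality the business still needs is exposed (hypothetical).
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PATH_PREFIXES = ("/app", "/reports")
MAX_BODY_BYTES = 64 * 1024
# Signatures for weaknesses already identified in this legacy application.
# Anything not on this list passes straight through to the back end.
BLOCKED_PATTERNS = [
    re.compile(r"(?i)<script"),                 # reflected script injection
    re.compile(r"(?i)\bunion\b.+\bselect\b"),   # SQL injection probe
]


@dataclass
class Request:
    source_ip: str
    method: str
    path: str
    body: bytes = b""


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Apply the policy in order; the first failing rule denies the request."""
    try:
        src = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return Decision(False, "unparseable source address")
    if not any(src in net for net in ALLOWED_SOURCES):
        return Decision(False, f"source {src} not on the allow list")
    if req.method not in ALLOWED_METHODS:
        return Decision(False, f"method {req.method} not permitted")
    # Decode and normalise before checking, so "/app/%2e%2e/etc/passwd"
    # is judged as "/etc/passwd" rather than as something under /app.
    path = posixpath.normpath("/" + unquote(req.path).lstrip("/"))
    if not any(path == p or path.startswith(p + "/") for p in ALLOWED_PATH_PREFIXES):
        return Decision(False, f"path {path} is not exposed")
    if len(req.body) > MAX_BODY_BYTES:
        return Decision(False, "body exceeds the size limit")
    text = path + "\n" + req.body.decode("utf-8", errors="replace")
    for pattern in BLOCKED_PATTERNS:
        if pattern.search(text):
            return Decision(False, f"matched blocked pattern {pattern.pattern!r}")
    return Decision(True, "forwarded to the legacy backend")


def client_facing_tls_context() -> ssl.SSLContext:
    """TLS settings for the side clients see. The legacy backend may only
    speak an old protocol version, but the proxy can still require TLS 1.2
    or newer from everything else on the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample traffic. The last entry carries an XML external entity
# payload that the rule set knows nothing about, so it is let through.
SAMPLES = [
    ("normal use", Request("10.20.0.15", "GET", "/app/dashboard")),
    ("wrong source", Request("192.168.1.5", "GET", "/app/dashboard")),
    ("unneeded method", Request("10.20.0.15", "DELETE", "/app/record/7")),
    ("encoded traversal", Request("10.20.0.15", "GET", "/app/%2e%2e/etc/passwd")),
    ("known SQLi probe", Request("10.20.0.15", "POST", "/app/search",
                                 b"q=1' UNION SELECT password FROM users--")),
    ("unknown XXE payload", Request("10.20.0.15", "POST", "/app/upload",
                                    b"<!DOCTYPE d [<!ENTITY x SYSTEM 'file:///etc/passwd'>]>")),
]


def run_samples() -> dict:
    """Return {label: allowed} for the constructed samples."""
    return {label: evaluate(req).allowed for label, req in SAMPLES}


if __name__ == "__main__":
    for label, req in SAMPLES:
        decision = evaluate(req)
        print(f"{label:22} {'ALLOW' if decision.allowed else 'DENY':5} {decision.reason}")
```

Run the file directly to see each sample's verdict. In a real deployment the same rules would be written in the proxy's or web application firewall's own rule language, but the structure is the same: a default-deny allow list for sources, methods and paths, plus signatures for known weaknesses. The “unknown XXE payload” request passing is the point to notice: the rule set only blocks what it has been taught to recognise.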

See also:

Identifying and managing legacy systems