It's not a stretch to say that most organizations have at least some old hardware and software still in use. An old computer that's still chugging along, running an old operating system and perhaps an application that is hard to replace, doesn't necessarily raise a red flag with IT staff. Why spend money on new equipment or software if what's already in-house is adequate and functioning?
Walker White, president of BDNA, a company that tracks and analyzes end-of-life (EOL) data for hardware, software and medical devices, says that the main problem with out-of-date software and legacy hardware is that once they pass their EOL cycle, the vendor no longer maintains or supports the products, resulting in security vulnerabilities and risk to organizations. As BDNA's State of the Enterprise Report (Q2 2016) indicates, many organizations are unaware of the potential liabilities, which can cost millions of dollars in the case of a successful attack after a vulnerability is exploited.
Older PCs, laptops and notebooks
White maintains that although software represents a much greater risk than hardware, many hardware vulnerabilities are actually software based. The main problem with older computers is that a lot of that equipment doesn't have built-in security features, such as Unified Extensible Firmware Interface (UEFI) with Secure Boot, a self-healing basic input/output system (BIOS), preboot authentication, self-encrypting drives and the like. Although these features can't prevent breaches 100 percent of the time (and what can?), they greatly improve the security of business and personal computers overall.
Items to eliminate from your organization's computer inventory:
- Computers with conventional BIOS: Older PCs, as well as laptops and notebooks, with conventional BIOS cannot run Secure Boot, a feature of UEFI that was first added in Microsoft Windows 8 and now appears in newer editions, as well as Windows Server. Secure Boot helps to prevent malware from loading onto a computer during the boot process. For added protection, HP's SureStart technology, which was introduced in 2013, detects corrupt or compromised BIOS code before it even loads, and then automatically copies over it with a "good" digitally signed version if necessary.
- Computers without preboot authentication (PBA) or a Trusted Platform Module (TPM): As yet another level of protection, PBA prevents the operating system from loading until the user enters authentication information, such as a password. PBA kicks in after the BIOS loads but before the OS boots. This feature has been around for several years and has been replaced in some computers by Microsoft BitLocker using TPM.
- Old routers: Aimed mainly at small offices/home offices (SOHOs), old routers -- especially those manufactured in 2011 and earlier -- can have serious vulnerabilities.
- Drives that don't self-encrypt: Available since 2009, self-encrypting drives, or SEDs, are especially important for mobile computers. An SED requires a password in addition to the OS login password, and the technology automatically encrypts and decrypts data on the drive.
[ Also on CIO.com: 73% of companies using vulnerable end-of-life networking devices ]
Another consideration is the use of old hard drives in general. Deb Shinder, a technology and security consultant, trainer and writer, points out that even when old hard drives are not a direct security threat, they make you vulnerable to data loss because they are prone to failure.
Addressing software vulnerabilities
Where hardware fixes and upgrades typically require plunking down cash, fixing software vulnerabilities often involves inexpensive or even free updates. The following list covers types of software that must be kept current, patched or replaced as soon as possible:
- Unpatched or out-of-date operating systems: In April 2014, Microsoft ended support for Windows XP, which means neither automatic updates nor technical assistance is available. According to Microsoft, even if you run some type of antivirus software on Windows XP, it has "limited effectiveness on PCs that do not have the latest security updates." Shinder warns against running old server OSes, such as Windows Server 2003 and earlier, which provide "far fewer security features" than more modern OSes, and that old FTP servers sitting around on the network, typically infrequently used, present an attack surface that admins might overlook.
- Unpatched or out-of-date productivity software: Running unpatched versions of Microsoft Office, especially older versions like Office 2002, Office 2003 and Office 2007, is risky. A common vulnerability is the potential for remote code execution when a user opens or previews a maliciously prepared file or visits a website containing content that exploits the vulnerability. If successful, an attacker can gain access to the user's system, which is a substantial security risk if the user has administrative privileges.
- Legacy custom applications: According to Shinder, many organizations continue to run legacy software that was custom written for them, even when the vendor has gone out of business and can no longer provide updates or patches. "For those organizations, the idea of starting over with a new application or a custom development project may seem overwhelming. However, legacy software wasn't coded with today's more sophisticated attacks in mind," says Shinder, leaving it highly vulnerable if exposed to the internet or in an environment with inadequate security controls.
- Unpatched web browsers: Browser vulnerabilities are widespread; no browser is entirely free of security vulnerabilities. Common vulnerabilities include URL spoofing, cross-site scripting, injection attacks, exploitable viruses, buffer overflow, ActiveX exploits and many more. The bottom line: run the most current version of your preferred web browser and update it as soon as updates become available.
- Out-of-date plug-ins: An easy target for attackers are out-of-date browser plug-ins for software used on the web, and the plug-ins with the most vulnerabilities are related to Adobe PDF and Adobe Flash (also known as Shockwave Flash), as well as Java and Microsoft Silverlight. WordPress plug-ins have also fallen victim to a number of security vulnerabilities, so much so that WordPress offers a plug-in to check the vulnerability of other WordPress plug-ins.
Changing protocols
When the TCP/IP suite of protocols was first developed and the internet was in its infancy, security wasn't the highest priority. Things have changed, dramatically. Many communications protocols have been revised or replaced with security built in. One of the more recent changes is the switch from Secure Sockets Layer (SSL), which runs on top of TCP/IP, to its successor, Transport Layer Security (TLS).
Both protocols provide data encryption and authentication between applications and servers, such as a web browser and web server, and are designed to allow for secure communications over the internet. However, the "secure" in SSL is now an oxymoron due to well-documented vulnerabilities.
In fact, even TLS 1.0 and some implementations of TLS 1.1 are considered insecure, with experts recommending the use of TLS 1.2 and later. That means web servers should be running the latest version of TLS, especially those that host e-commerce platforms. PCI DSS 3.1, the latest standard for payment card security, removed SSL and those early versions of TLS from its list of approved encryption standards.
BDNA's White also warns against flaws in TCP. He cites a serious vulnerability in TCP running on Linux that uses side channels. An attacker can get ahead of packet sequencing by knowing the IP addresses of the sender and receiver, and then intercept packets and insert malicious content. This vulnerability has been around for several years but was only recently uncovered, resulting in patches for the next version of the Linux OS.
Mobile and internet of things devices
The explosion of mobile and IoT device use has made work and personal life easier in many ways, but has ushered in a bevy of security concerns at the same time. Here are a few of the more pressing concerns regarding mobile and IoT:
- Old mobile devices and OSes: Some devices with old OSes can't be updated, and security updates are supported for a limited time. For example, the iPhone 3 and earlier models (those sold before October 2011) can't run the latest version of iOS, which has lots of security features baked in. Android devices are more difficult to pin down because of multiple phone vendors with multiple products that run the OS. Keep in mind that Google provides security updates for Android for three years from release, and upgrades to a new version of Android for two years from release.
- Old IoT devices: According to Shinder, old IoT devices from "back before we called it IoT" that are network enabled, such as old IP cameras used for surveillance, don't get regular updates and often are using insecure protocols. With the state of IoT security lacking in general, having older devices in the mix only makes it worse.
Next steps
US-CERT recommends application whitelisting, keeping applications and OSes patched and up to date, and restricting administrative privileges to applications and OSes as a strategy for reducing risk.
Organizations should also automate as much as possible, which includes allowing for OS and application updates unless administrators have a specific reason not to. To keep SoHo routers current, update the firmware by using the push-button update mechanism, if available, or download an update from the manufacturer's support site and install it. Regarding mobile devices, keep them updated with the latest software and teach users to download apps only from trusted sources, such as the Apple Store or Google Play.
Staying on top of vulnerability information is critical to protecting IT environments. One good source is the US-CERT Alerts webpage, as well as The MITRE Corporation's Common Vulnerabilities and Exposures (CVE) list. For organizations that run Microsoft products, check the Microsoft TechNet security advisories and bulletins regularly or sign up to receive security notifications via RSS or email.
Another option is to subscribe to a third-party catalog of vendor and product details, such as BDNA's Technopedia. These type of services gather data, and then translate and normalize it to use standard language and terms, eliminating variant names for a single vendor, single product and/or version of a product.
This story, " 12 hardware and software vulnerabilities you should address now" was originally published by CIO.