According to Cisco’s 2016 Security Report, aging infrastructure is a growing problem that leaves organizations exposed to malicious attacks, breaches and data exposure. Of the 115,000 Cisco devices analyzed in the study, 92% were running software with known vulnerabilities.

Bluelock’s Director of Engineering, Derek Brost, worked previously as the Chief Security Officer of a network medical device security company, where he saw first-hand the state of aged network infrastructure with excessive vulnerabilities. Given this experience, we asked him about the implications of legacy infrastructure, and what companies could be doing to remediate liabilities. Read the full interview below:

1. How prevalent is aging infrastructure that leaves companies open to compromise?

“Aging network infrastructure represents a unique opportunity for compromise and subsequent losses, especially when the equipment is no longer in support or development. Infrastructure must routinely be updated with new software releases to ensure known vulnerabilities are eliminated and security defects remediated. When a device and its software are no longer in support, vulnerabilities become exceedingly difficult and costly to mitigate, and nearly impossible to remediate. Unfortunately, many organizations receive a wake-up call during large vulnerability outbreaks (e.g. Heartbleed). Reviewing, and in some cases discovering, all network-connected systems running the vulnerable software tends to open a lot of eyes to devices which have been neglected.”

2. What are some examples of this kind of vulnerable infrastructure?

“Typically, the infrastructure that goes unpatched or isn’t replaced in a timely manner is the long-forgotten devices that are buried deep in the network doing their duty without much change or fanfare. In some cases, the IT team and upper management have actively rationalized the decision to keep the device simply to avoid the associated replacement costs. The most egregious example I’ve witnessed in my security consulting was a client’s Nortel VPN device in active use years after the manufacturer’s bankruptcy and liquidation. This device sat on the network edge, public-facing, and was tasked specifically to handle security functions, yet had absolutely no ability to be updated to solve a myriad of known vulnerabilities.”

3. What should be done about this problem?

“First and foremost – know thyself and conduct discovery. Understand not only the endpoints, but the infrastructure components interconnecting those endpoints. Know the make, model, serial number, manufacturer, vendor, OEM or third-party support contract status, system function, configuration, etc. of each asset.

“Place all assets in a concrete lifecycle term. It’s not sufficient to say you’ll revisit them in the next budget cycle; you must be exacting in their placement – i.e. specify if they’re in year five of six. Usually these are capital assets that probably have accompanying depreciation schedules which may help. Determine if an asset is serving a valuable role in the infrastructure. If so, acknowledge the resources required to support and upkeep the system for its remaining lifecycle duration. Renew an OEM or third-party support contract at minimum, and if you don’t have in-house expertise to maintain it, then contract for it immediately. However, if it’s not serving a valuable role, then intentionally accelerate its lifecycle to the end.

“Plan internally and with assistance to get each asset on a supported release. If one cannot be brought up to a supported release, then consider that it has served its useful lifecycle and is ready to end. Place the asset in a release schedule, largely dictated both by what’s achievable on a periodic basis (e.g. every six months) and by what is unfortunately dictated by the published vulnerabilities and critical update release schedules. Recognize this downtime or change may be more frequent than the service users may be expecting, and that relationship or operating level agreement will take some discussion and expectation setting.

“Review everything designated near lifecycle end as part of the budgeting process. Ensure that review process has fully factored the costs of risk and breach into the total cost of ownership. It’s not worth saving a few thousand in capital expenses if there’s a high risk of exploit in an infrastructure area containing millions in intellectual property or in exposed fines for regulated data. Retire and replace as appropriate now that everything is understood, planned, and contained with due care.” 
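One way to turn the discovery-and-lifecycle steps in this answer into a repeatable check, as an added example that is not part of the interview or any Bluelock tooling: a short Python script that triages a device inventory with the rules described above (not serving a valuable role, or no supported release available, retire; supported release available but not running, upgrade; on supported code but without a contract that includes software updates, renew support; otherwise keep on the periodic review schedule). The inventory is constructed: the “ExampleVendor” entries, release strings, serial numbers, dates and contract details are all hypothetical and chosen to exercise each branch, and the Nortel entry stands in for the public-facing, unsupported VPN device described in answer 2.

```python
"""Triage of aging network infrastructure (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=182)  # roughly "every six months", as the interview suggests


@dataclass
class Asset:
    hostname: str
    make: str
    model: str
    serial: str
    role: str
    running_release: str
    oldest_supported_release: Optional[str]  # None: vendor publishes no supported release at all
    support_contract: Optional[str]          # "oem", "third_party" or None
    contract_includes_software: bool         # parts-and-labor-only contracts omit software updates
    public_facing: bool
    valuable: bool                           # does the asset still serve a valuable role?
    last_reviewed: date


def release_key(release: str) -> Tuple[int, ...]:
    """Turn '7.1.3' (or '7.1.3a') into (7, 1, 3) so releases compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", release))


def triage(asset: Asset) -> str:
    """Apply the lifecycle rules from the interview and return the required action."""
    if not asset.valuable:
        return "retire"          # intentionally accelerate its lifecycle to the end
    if asset.oldest_supported_release is None:
        return "retire"          # cannot be brought to a supported release
    if release_key(asset.running_release) < release_key(asset.oldest_supported_release):
        return "upgrade"         # supported code exists; schedule the change window
    if asset.support_contract is None or not asset.contract_includes_software:
        return "renew_support"   # on supported code today, but no path to the next fix
    return "on_schedule"


ACTION_PRIORITY = {"retire": 0, "upgrade": 1, "renew_support": 2, "on_schedule": 3}


def next_review(asset: Asset, today: date) -> date:
    """Next review date on the periodic schedule; overdue assets are due today."""
    due = asset.last_reviewed + REVIEW_INTERVAL
    return today if due < today else due


def prioritize(assets: List[Asset], today: date) -> List[Tuple[str, str, date]]:
    """(hostname, action, next review), public-facing devices first, then by action severity."""
    by_host = {a.hostname: a for a in assets}
    rows = [(a.hostname, triage(a), next_review(a, today)) for a in assets]
    return sorted(rows, key=lambda r: (not by_host[r[0]].public_facing, ACTION_PRIORITY[r[1]]))


# Constructed sample inventory; vendor names other than Nortel, releases, serials and dates are hypothetical.
TODAY = date(2016, 6, 1)
INVENTORY = [
    Asset("vpn-edge-1", "Nortel", "VPN gateway", "SN-0001", "remote-access VPN",
          "4.8", None, None, False, True, True, date(2014, 1, 15)),
    Asset("core-sw-1", "ExampleVendor", "CoreSwitch", "SN-0002", "core switching",
          "6.0.2", "7.1.0", "oem", True, False, True, date(2016, 3, 1)),
    Asset("dist-rtr-2", "ExampleVendor", "DistRouter", "SN-0003", "distribution routing",
          "7.1.3", "7.1.0", "third_party", False, False, True, date(2016, 4, 20)),
    Asset("print-srv-9", "ExampleVendor", "PrintBox", "SN-0004", "print spooler (unused)",
          "2.0", "2.0", None, False, False, False, date(2013, 9, 9)),
    Asset("fw-edge-1", "ExampleVendor", "Firewall", "SN-0005", "perimeter firewall",
          "9.2.1", "9.0.0", "oem", True, True, True, date(2016, 5, 10)),
]

if __name__ == "__main__":
    for hostname, action, due in prioritize(INVENTORY, TODAY):
        print(f"{hostname:<12} {action:<14} next review {due.isoformat()}")
```

Running it lists the Nortel VPN device first, marked for retirement with an overdue review, ahead of internal devices that merely need an upgrade or a contract renewal. The version comparison is deliberately numeric because vendor release strings sort badly as text (“10.0” before “9.9”); any real inventory would also need per-vendor handling of release naming.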

4. What obstacles are in the way for companies to update or replace such infrastructure?

“Usually, the main roadblocks tend to be the following:

  • Knowledge to understand the aging component, its roles, its configuration, and its methods for retirement. Unfortunately, this expertise may no longer be in-house, or may never have been.
  • Risk of change; habit may force teams into the adage of ‘if it’s not broke, don’t fix it’ and then to decide that a small security patch isn’t worth the risk of change or downtime. This should be conducted in a risk management framework that balances introducing change against the risk of inaction.
  • Software access by way of active OEM support contracts; sometimes third-party contracts may omit access to software updates and only cover parts and labor.
  • Budgets may rarely include cumulative infrastructure replacement expenses; it’s the easy option to ‘kick the can down the road’ and let another budget cycle deal with the problem.
  • Financial accounting may have a depreciation schedule that is not aligned with the system lifecycle, or may be unwilling or unable to write off an asset that is now past its useful term.”

To ensure proper security for your IT infrastructure, no matter its age, it may be helpful to engage a third-party expert for their advice. Bluelock clients are able to rely on Bluelock, a long-time DRaaS and managed cloud hosting provider, to keep their private, public and hybrid infrastructure secured and up-to-date.

Looking to secure your IT-DR operations from aging infrastructure? Check out Bluelock’s recent eBook, “4 Drivers to Transform IT Availability.”
