Recent attacks such as WannaCry and NotPetya have demonstrated that attackers are often more familiar with the vulnerabilities of unsupported systems than the organisations running them.
When new patches are released, attackers reverse-engineer the updates to locate the weaknesses that were fixed, then quickly find the same weaknesses in end-of-life (EOL) systems, which will never receive the fix. Traditional security solutions are largely powerless to detect and prevent these advanced attacks.
Such systems often run critical business functions, hold or have access to sensitive and lucrative data, and carry high performance and availability requirements, all of which make them difficult to upgrade or replace when the vendor discontinues security support. As a result, they are perfect targets for exploitation.
In addition to the direct security threat, many regulatory and compliance mandates require rigorous levels of security that EOL systems simply are not equipped to meet.
When systems go EOL they can be infiltrated easily, particularly where the organisation lacks patch management or an effective endpoint protection solution. Vulnerabilities discovered in EOL systems will never be fixed by the vendor. This is a critical area of focus for compliance professionals, as the organisation takes on substantial risk by continuing to operate them.
There are compensating controls that businesses can implement to help reduce the liability associated with running EOL systems and keep them secure. Some of the key methods are application control/application whitelisting, network isolation or segmentation, and virtualisation.
1. Network Isolation/Segmentation: With network isolation, servers are placed on a segregated network so they cannot reach central services. Critical servers can interact with other systems on the isolated network, but cannot interact with machines outside it or connect to the Internet. This protects EOL devices from external threats, but it also prevents them from reaching other critical assets. Since most servers host critical applications that must be accessible to employees and connected to other corporate servers, this is unlikely to be a viable option for most server workloads.
2. Virtualisation: Virtualisation can be used to limit a critical server's exposure to the environment. If an asset becomes a target, it can be isolated and re-initialised. Hosting assets within a virtualised environment increases control over critical assets and makes it easier to re-image a system in the event of a compromise. However, for critical servers running applications that require round-the-clock access, virtualisation may increase administration effort and resource requirements. It can also conflict with compliance policies where in-scope data must be controlled and may not be processed within a virtual environment.
3. Application Control and Whitelisting: This is a security model focused on allowing known ‘good’ applications to run rather than blocking known ‘bad’ ones, and is widely regarded as the industry’s best form of advanced threat prevention. It is ranked as the No. 1 mitigation technique against security threats in the ASD Essential 8. When implemented in default-deny mode, application whitelisting is a highly effective compensating control for meeting regulatory compliance standards and hardening out-of-date systems. By ensuring that only trusted software is allowed to run, application whitelisting stops exploits and can reduce the administration associated with system and application patching and updates.
Application control/whitelisting can be deployed as a security control in lieu of regular patching and updates that are no longer available from Microsoft. This will extend the security window and protect unsupported devices from breach and data compromise past the EOL date.
When reviewing the capabilities of a compensating control such as whitelisting, consider whether it can provide the following:
- Complete visibility into everything that is happening on servers and endpoints, so that compliance and risk can be measured
- Automated, real-time detection of zero-day and other advanced threats
- A change history and full audit trail of all server and endpoint activity along with real-time compliance risk measurement and reporting of systems, including those which are no longer supported. This reporting provides the actionable intelligence to monitor compliance, identify any unexpected activity or event, and proactively improve security posture
- Prevention to stop advanced threats and other forms of malware from executing, including targeted, customised attacks unique to an organisation
- Integration across the existing security infrastructure to understand enterprise-wide compliance risk and exposure
- Built-in file-integrity monitoring, device control, and memory protection to block unauthorised change
- Hardening of new and legacy systems, with broad support for embedded, virtual and physical operating systems
- Out-of-the-box templates based on industry best practice that keep management overhead low
- Built-in workflow and automation mechanisms
- Cloud-based reputation and detonation (sandboxing) to help make fast decisions about which software to trust
- Automatic trust of software deployed by IT, to keep administration easy and achieve fast time-to-value
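To make the default-deny principle from point 3 and the capabilities listed above concrete, here is an added, self-contained Python example. It is not part of the original article and not any vendor's product code: it models a hash-based allowlist whose baseline is set when IT deploys software (the "automatically trust software deployed by IT" capability), detects a tampered binary through a file-integrity check, records an append-only audit trail, and contrasts default-deny with the default-allow blocklist model that traditional tools use. The file names, file contents and the `AllowlistPolicy` class are constructed for illustration only; real Windows implementations such as AppLocker or Windows Defender Application Control also evaluate publisher signatures and paths, not just hashes.

```python
"""Toy default-deny application allowlist with audit trail (educational example)."""
from __future__ import annotations

import hashlib
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class Decision:
    path: str
    sha256: str
    allowed: bool
    reason: str


class AllowlistPolicy:
    """Decide whether an executable may run (hypothetical policy engine).

    default_deny=True : only hashes in the trusted set may execute (whitelisting).
    default_deny=False: everything runs unless its hash is on the blocked set,
                        i.e. the traditional blocklist/antivirus model, for contrast.
    """

    def __init__(self, default_deny: bool = True):
        self.default_deny = default_deny
        self.trusted: dict[str, str] = {}   # sha256 -> who approved it
        self.blocked: set[str] = set()      # sha256 of known-bad files
        self.audit: list[dict] = []         # append-only audit trail

    def trust_deployment(self, path: Path, approver: str) -> str:
        """Baseline: software deployed by IT is trusted by its hash."""
        digest = sha256_of(path)
        self.trusted[digest] = approver
        self._log("baseline", path, digest, True, f"trusted by {approver}")
        return digest

    def evaluate(self, path: Path) -> Decision:
        """Execution request: compare the file's current hash with the policy."""
        digest = sha256_of(path)
        if digest in self.trusted:
            d = Decision(str(path), digest, True, f"hash trusted ({self.trusted[digest]})")
        elif digest in self.blocked:
            d = Decision(str(path), digest, False, "hash on block list")
        elif self.default_deny:
            # Unknown software, including a modified copy of trusted software, is denied.
            d = Decision(str(path), digest, False, "unknown hash, default-deny")
        else:
            d = Decision(str(path), digest, True, "unknown hash, default-allow")
        self._log("execute", path, digest, d.allowed, d.reason)
        return d

    def _log(self, event: str, path: Path, digest: str, allowed: bool, reason: str) -> None:
        self.audit.append({"ts": time.time(), "event": event, "path": str(path),
                           "sha256": digest, "allowed": allowed, "reason": reason})


def run_scenario(default_deny: bool = True) -> dict:
    """Constructed scenario: an IT-deployed binary, a tampered copy of it, and an unknown drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "legacy_app.exe"                      # constructed stand-in for a real PE
        app.write_bytes(b"MZ\x90\x00 constructed legacy application v1")
        policy = AllowlistPolicy(default_deny=default_deny)
        policy.trust_deployment(app, "IT deployment")

        approved = policy.evaluate(app).allowed            # unchanged binary runs

        # File-integrity case: the same path, but the content has been modified.
        app.write_bytes(b"MZ\x90\x00 constructed legacy application v1 + injected code")
        tampered = policy.evaluate(app).allowed

        dropped_file = root / "unknown_tool.exe"           # nobody approved this one
        dropped_file.write_bytes(b"MZ\x90\x00 constructed unsigned binary")
        dropped = policy.evaluate(dropped_file).allowed

        blocked_events = sum(1 for e in policy.audit
                             if e["event"] == "execute" and not e["allowed"])
        return {"approved": approved, "tampered": tampered,
                "dropped": dropped, "blocked_events": blocked_events}


if __name__ == "__main__":
    print("default-deny :", run_scenario(True))
    print("default-allow:", run_scenario(False))
```

Run it as a script and the two lines show the difference the article is making: under default-deny the tampered copy and the unknown binary are both blocked and both denials appear in the audit trail, while under the default-allow model both execute because neither hash happens to be on a block list. That is exactly why a never-patched EOL host gains more from "only known good may run" than from another signature feed.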
Organisations that implement the compensating controls outlined in this article will dramatically reduce the liability associated with running EOL systems by keeping them more secure.