Imagine venturing on a long trip in your old car without giving it a prior brake or tire inspection. In this case, you’re running only on hope that you’ll reach your destination. This scenario is comparable to your organization operating with legacy software.
Hope is a good thing, but there’s little room for it when your legacy software and, by extension, your organization’s goals are in question. You need informed expectations instead, which is why you must understand the gravity of your legacy software risks. The scale and sophistication of modern threats has made this even more of a pressing issue.
This article will help you better understand the risks of legacy software, why security risks take priority over anything else, and why it is imperative to tackle them immediately and continuously.
Risks of Legacy Software
In January 2023, the US GAO (Government Accountability Office) published a report on the state of information technology at the IRS (Internal Revenue Service).
The report revealed that legacy applications made up approximately 33% of the IRS’ IT environment. The IRS defined “legacy” as apps that are at least 25 years old or are written in an obsolete programming language. It’s worth noting that many of these applications were 35+ years old, some even as old as 64 years.
In addition, legacy software instances in use — defined by the IRS as software at least two versions behind the latest — comprised 23% of the agency’s most frequently used commercial software.
What prevented the IRS from getting rid of old software or taking steps to modernize? The fact that, as the agency itself stated, this software was critical to its daily work.
The IRS is one of countless organizations using legacy software. Some sources claim that almost two-thirds of modern companies use end-of-support applications. In reality, this number may be even higher.
Whatever the exact numbers, legacy software is deeply entrenched in our IT infrastructures. Old code is inextricably linked with new code, so when we try to remove or change it, that creates a butterfly effect with a potentially devastating impact on operational continuity.
However, that doesn’t mean that we shouldn’t take steps to upgrade. Legacy software is known for being one of the weakest links in information environments, which necessitates intervention. So how can you reconcile these two sides?
The first step is to clearly understand the inherent risks entailed by using legacy software. The second is to take action in harmony with your objective means and specific conditions.
Common Risks Associated with Legacy Software
The dangers and setbacks associated with legacy software use can be divided into two broad categories: operational risks and security risks.
1. Operational risks:
- Deteriorated performance: Old software wasn’t developed with modern workload requirements in mind, meaning it’s near impossible for it to handle today’s loads of data and users. In addition, due to software entropy, its performance naturally deteriorates over time, making it laggy, buggy, and prone to failures.
- Inadequate integration: Legacy software is often incompatible with new technologies and operates in a silo, unable to connect to other components in your information environment as well as modern external software.
- Competitive disadvantage: As a high percentage of legacy software prevents you from using modern technologies, businesses can lag behind competitors that employ new, innovative, and scalable technologies.
- High maintenance costs: Outdated software typically requires special licensing and specialized knowledge to continue to function. Considering that both are expensive and the latter is also rare, it’s no wonder that in 2019, GAO found that the operation and maintenance of just 10 of the federal government’s legacy systems cost $337M yearly.
- Skill shortage: As software ages, fewer experts know how to maintain it. The older the software, the more acute the shortage of skills necessary for its maintenance. In addition, employee turnover can lead to the complete absence of professionals who know how to maintain the legacy software. This is especially true considering that IT skills of this type are often passed on by word of mouth rather than formalized in process documents. The result is that key knowledge can disappear when certain experts leave the organization.
- Poor user and customer experience: An outdated interface, subpar efficiency, low speed, and manual (instead of automated) work are all drawbacks tied to old software.
2. Security risks:
- Security vulnerabilities: On average, legacy software accumulates more than 400 vulnerabilities every year. Hence, the older the software, the higher the number of security threats you face. This insecure state is due primarily to the legacy software’s unpatched status, its reliance on old protocols and poor access controls, and, generally, the inferior security measures of the era in which it was created.
- Data risks: If it’s not siloed, data in legacy software is usually at risk because of old encryption methods, such as DES and 3DES in healthcare, and the lack of support for modern strong encryption algorithms, such as AES-256. Outdated software also makes it difficult to back up and recover data, which can lead to data loss. In addition, old software may not support modern monitoring methods, which reduces the visibility of your data flows.
- Insufficient security coverage: Even though most companies have an EDR in place, traditional EDRs provide increasingly less support for legacy software — or don’t provide it at all anymore.
- Compliance challenges: Compliance regulations often establish strict security requirements, primarily regarding data safety; however, legacy software is nearly impossible to bring into compliance with these requirements on its own. New software that can help bridge security gaps may be a solution, but it can often be challenging to find and implement.
Even though operational risks outnumber security risks, the latter are much harder to address. Security risks encompass myriad threats, and those threats can lead to operational problems as well.
A global 2023 study shows that for organizations, increased security was the number one reason for modernizing legacy applications and data. It was cited as even more important than increased efficiency and cost reduction.
Real-World Examples of Legacy Software Security Risks
The Volt Typhoon and WannaCry security incidents are two infamous examples that illustrate the consequences of neglecting legacy software security risks.
Volt Typhoon is an APT (advanced persistent threat) group that targeted legacy software and devices to penetrate critical US infrastructure. The targets were unpatched for security issues and had weak, outdated configurations. A security analyst discovered the attack campaign in 2023, but there were indications that it started in 2021 or earlier.
WannaCry is ransomware with worm-like elements, presumably used by the notorious APT group Lazarus to target legacy software that relied on the Windows SMBv1 protocol. This protocol was developed in the 80s, and due to the much simpler network environment at the time, it didn’t include encryption or SMB signing and had weak authentication.
The WannaCry attack affected between 200,000 and 300,000 devices in 150 countries that used Windows Server 2003, Windows XP, and Windows 7. The attack caused financial damage amounting to approximately $4B.
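The three SMBv1 weaknesses described above (no encryption, no signing, weak authentication) map onto server settings an administrator can query. The following is an added PowerShell check, not code from the article or from Virsec, that reports those settings as findings and offers a guarded remediation; it assumes the SmbShare module cmdlets (Windows 8 / Server 2012 and later) and an elevated session, and the two function names are our own.

```powershell
# Audit the SMB server settings tied to the WannaCry-era weaknesses and return
# them as findings (real cmdlet/property names from the SmbShare module; the
# function names Test-LegacySmbExposure / Set-LegacySmbHardening are ours).
function Test-LegacySmbExposure {
    $findings = @()
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        if ($cfg.EnableSMB1Protocol) {
            $findings += 'SMBv1 is enabled; this is the protocol WannaCry spread over'
        }
        if (-not $cfg.RequireSecuritySignature) {
            $findings += 'SMB signing is not required; sessions can be tampered with in transit'
        }
        if (-not $cfg.EncryptData) {
            $findings += 'SMB encryption is not enforced; share traffic is readable on the wire'
        }
    }
    else {
        # Builds without the SmbShare module (Windows 7 / Server 2008 R2) expose only
        # the registry switch: SMB1 = 0 under LanmanServer\Parameters disables SMBv1.
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        if ($null -eq $smb1 -or $smb1 -ne 0) {
            $findings += 'SMBv1 is enabled (no SMB1=0 registry value); signing/encryption not checkable here'
        }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Remediation for the two settings that are safe to change first. Disabling SMBv1
# breaks the very clients the article describes (Server 2003, XP), so list who still
# negotiates SMB 1.x before running it:  Get-SmbSession | Select-Object ClientComputerName, Dialect
function Set-LegacySmbHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 and require SMB signing')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

Test-LegacySmbExposure | Format-List
```

Run Set-LegacySmbHardening -WhatIf first to see what would change; encryption is left alone because enforcing it rejects any client that cannot speak SMB 3.x.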
The Evolving Landscape of Modern Threats
The security threat landscape is perpetually changing at a rate that appears to be much faster than blue teamers can keep up with.
Although new security threats are emerging every day, they are mostly sophisticated variations of well-known threat categories.
How Modern Threats Target Legacy Software
We’ve already provided two examples of security incidents — APT and ransomware — involving vulnerabilities in legacy software.
But for a more complete picture of the pitfalls of neglected outdated software vulnerabilities, here are two more examples:
The Equifax data breach
The well-known credit bureau was attacked by a state-sponsored hacker group in 2017. The hackers exploited a vulnerability in older Apache Struts versions, CVE-2017-5638, which allowed remote code execution.
It’s worth noting that Apache Struts is an open-source MVC framework, meaning this was a cyberattack carried out through a third-party dependency.
This incident is especially interesting because the problem was not a missing patch: a fix was available. The data breach happened as a consequence of Equifax’s failure to update its old software on time, precisely because of the complexity of its legacy-filled IT infrastructure.
The breach exposed the sensitive data of 143 million people (addresses, social security numbers, credit card numbers, and more) and cost Equifax $1.4B.
The Sandworm attack on Ukraine’s power grid
This cyberattack took place in 2022 and resulted in an operational disruption, more precisely, a massive power outage.
The key role in the attack was played by an end-of-life software version running on a MicroSCADA control system that allowed default access to an API. The API should have been deactivated, but since it wasn’t, it allowed Sandworm, the notorious hacker group, to access a substation’s circuit breakers and cause a blackout.
Urgency in Addressing Risks of Legacy Software
Due to their grave consequences, legacy software risks require prompt action.
Sometimes, taking action means relegating an outdated piece of software to history. But due to its deep embeddedness in modern infrastructures, taking action, more often than not, means protecting and securing your legacy software and alleviating its common operational shortcomings.
That way, you:
- Manage immediate security risks
- Cope with compliance and regulatory pressures
- Avoid financial implications of inaction
- Ensure business continuity and resilience
A great place to start addressing most risks is to conduct a legacy software vulnerability audit.
Virsec’s Solution to Legacy Software Risks
Virsec is a security platform that specializes in legacy software. Its primary concern is outdated and unpatched server workloads and applications running on them. And that’s for a good reason: Over 80% of breaches occur precisely on servers.
Virsec extends its trademark zero-trust runtime defense to outdated Windows (2003, 2008, and 2012), Red Hat Enterprise Linux, CentOS, Ubuntu, and SUSE server operating systems, defending them as effectively as modern server workloads.
For instance, the platform provides NIST, CISA, and PCI compensating security controls pertaining to Windows Server 2012 workloads and application runtime environments.
If we had to single out a few essential Virsec features, they would be the following:
- Trusted execution environment
Virsec’s “deny-all, allow-on-trust” model guarantees that trusted code is the only code executing in your legacy application runtime environment. This approach allows you to prevent unauthorized activities by default.
- Real-time monitoring
Virsec constantly monitors your legacy workloads, looking for deviations from their baseline behavior.
- Zero-dwell time
When the platform detects deviations from expected behavior that point to a possible cyberattack, it takes only milliseconds to stop the threat.
- Autonomous application control
Virsec creates and enforces trust policies that enable your legacy applications to perform their intended function, uncorrupted by unauthorized intentional or inadvertent manipulation.
- Visibility
The platform provides insights into the scripts, executables, and files running on your workloads. This capability enables you to know all running processes and programs, allowing only those that are trusted. “Know your software, trust your protection” — that’s Virsec’s motto.
It’s worth noting that EDRs and XDRs lack this capability. The consequence is a failure to provide adequate legacy software protection.
With its capabilities, Virsec allows you to use your legacy software in secure and protected ways, mitigating ransomware and other devastating security risks plaguing outdated software.
Conclusion
In this article, you learned the common risks associated with legacy software. Although operational risks outnumber security risks, we showed through real-world examples that the latter can have far-reaching consequences, making managing them a priority.
Legacy software security risks need your immediate attention, and you need a purpose-built solution to protect your outdated workloads and applications from the next WannaCry.
Virsec is precisely that — a purpose-built legacy software security solution. Having been around for a long time, Virsec has seen the changing threat landscape, and works with a thorough understanding of the subtleties of legacy software and the pains organizations have when using it.
See Virsec in action — book a free demo today.