Imagine setting out on a long trip in an old car without first checking the brakes and tires. You are running on nothing but hope that you will reach your destination. An organization operating on legacy software is in the same position.
Hope is a good thing, but there is little room for it when your legacy software, and by extension your organization's goals, are at stake. You need informed expectations instead, which is why you must understand the gravity of your legacy software risks. The scale and sophistication of modern threats have made this even more pressing.
This article will help you understand the risks of legacy software, why security risks deserve priority over the rest, and why it is imperative to tackle them immediately and continuously.
In January 2023, the US GAO (Government Accountability Office) published a report on the state of information technology at the IRS (Internal Revenue Service).
The report found that legacy applications made up approximately 33% of the IRS's applications. The IRS defined "legacy" as applications that are at least 25 years old or are written in an obsolete programming language. Many of these applications were over 35 years old, and the oldest were 64 years old.
In addition, legacy software instances in use — defined by the IRS as software at least two versions behind the latest — comprised 23% of the agency’s most frequently used commercial software.
What prevented the IRS from retiring this software or modernizing it? As the agency itself stated, the software was critical to its daily work.
The IRS is one of countless organizations running legacy software. Some surveys report that almost two-thirds of companies run end-of-support applications, and the true figure may be higher.
Whatever the exact numbers, legacy software is deeply entrenched in our IT infrastructures. Old code is inextricably linked with new code, so removing or changing it can have knock-on effects that threaten operational continuity.
That does not mean you should not upgrade. Legacy software is one of the weakest links in most information environments, which demands intervention. So how do you reconcile the two?
The first step is to understand clearly the risks inherent in running legacy software. The second is to act within your actual means and specific circumstances.
The dangers and setbacks associated with legacy software use can be divided into two broad categories: operational risks and security risks.
Operational risks are more numerous, but security risks are much harder to address, and a security incident usually produces operational problems as well.
In a global 2023 survey, organizations named improved security as the number one reason for modernizing legacy applications and data, ahead of efficiency gains and cost reduction.
Real-World Examples of Legacy Software Security Risks
The Volt Typhoon and WannaCry security incidents are two infamous examples that illustrate the consequences of neglecting legacy software security risks.
Volt Typhoon is an APT (advanced persistent threat) group that targeted legacy software and devices, notably end-of-life network equipment, to penetrate US critical infrastructure. The targets were unpatched and had weak, outdated configurations, and the group's hallmark is living off the land: using built-in administrative tools rather than custom malware so that its activity blends in with normal traffic. The campaign was publicly disclosed in May 2023 (by Microsoft, alongside a joint CISA, NSA, and FBI advisory), but the activity was traced back to at least mid-2021.
WannaCry is ransomware with a worm component, attributed by most analysts to the Lazarus group. It spread by exploiting a flaw in Windows' implementation of the SMBv1 protocol (MS17-010, CVE-2017-0144, the "EternalBlue" exploit). SMBv1 was designed in the 1980s for a far simpler network environment: no encryption, no message signing in its original form, and weak authentication. Microsoft had shipped the patch in March 2017, two months before the May 2017 outbreak; the machines hit were those still unpatched, and end-of-support systems received a fix only when Microsoft issued an emergency out-of-band update during the attack.
WannaCry infected between 200,000 and 300,000 machines in 150 countries running Windows 7, Windows XP, and Windows Server 2003, and the financial damage was estimated at approximately $4B.
The threat landscape changes perpetually, at a rate that appears much faster than blue teams can keep up with.
Although new threats emerge every day, they are mostly sophisticated variations on well-known threat categories.
We have already given two examples of security incidents, an APT campaign and a ransomware worm, that involved vulnerabilities in legacy software.
For a fuller picture of the pitfalls of neglected vulnerabilities in outdated software, here are two more:
Equifax, the well-known credit bureau, was breached in 2017 by a state-sponsored group (the US later indicted members of China's PLA for the intrusion). The attackers exploited CVE-2017-5638, a remote code execution vulnerability in older Apache Struts 2 versions that is triggered through a crafted Content-Type header handled by the framework's Jakarta multipart parser.
Apache Struts is an open-source MVC framework, so this was an attack carried out through a third-party dependency: the vulnerable code was not Equifax's own.
The incident is especially instructive because the problem was not a missing patch. Apache released the fix in March 2017, roughly two months before the intrusion began in May. The breach happened because Equifax failed to update its software on time, precisely because of the complexity of its legacy-filled IT infrastructure, in which no one could say with confidence where the vulnerable component was running.
The breach exposed the sensitive data of about 147 million people (initially reported as 143 million), including addresses, social security numbers, and credit card numbers, and Equifax reported spending about $1.4B on the cleanup.
This attack took place in October 2022 against a Ukrainian electrical substation and resulted in an operational disruption, namely a power outage.
The key enabler was an end-of-life version of the MicroSCADA control software, which left a default-accessible API (the SCIL API) available. That API should have been disabled; because it was not, Sandworm, the GRU-linked group behind earlier attacks on Ukraine's grid, used the product's own native binary to issue SCIL commands that opened the substation's circuit breakers and caused a blackout, with no custom ICS malware required for that stage of the attack.
Because their consequences are so serious, legacy software risks require prompt action.
Sometimes taking action means retiring an outdated piece of software. But because legacy software is so deeply embedded in modern infrastructures, taking action more often means protecting and securing the legacy software you keep and easing its common operational shortcomings.
That way, you:
A great place to start addressing most risks is to conduct a legacy software vulnerability audit.
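As an added example, not Virsec's code and not part of the original article, the script below shows the kind of check such an audit automates. It takes an asset inventory and flags three things discussed above: platforms past their vendor end-of-support date, software two or more releases behind the current one (the GAO/IRS definition of a legacy software instance), and a dependency whose version falls in the published affected range for CVE-2017-5638, the Apache Struts flaw behind the Equifax breach. The inventory, hostnames, and release-order table are constructed sample data; the end-of-support dates and the Struts affected ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10) reflect the vendor advisories as published, but in practice you should pull current values from your vendors rather than hard-code them.

```python
"""Legacy-software audit: flag end-of-support platforms, software that is two
or more releases behind the current one, and dependencies in a known-
vulnerable version range.  Added illustration, not Virsec's code; the
inventory and tables below are constructed sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


# Constructed sample table: vendor end-of-support (end of extended support)
# dates keyed by (product, version).  Replace with your vendors' current data.
END_OF_SUPPORT = {
    ("Windows Server", "2003"): date(2015, 7, 14),
    ("Windows Server", "2008 R2"): date(2020, 1, 14),
    ("Windows Server", "2012 R2"): date(2023, 10, 10),
    ("Windows Server", "2019"): date(2029, 1, 9),
    ("Windows Server", "2022"): date(2031, 10, 14),
}

# Constructed: release order per product, oldest first.  Used for the
# "at least two versions behind the latest" test in the GAO/IRS definition.
RELEASE_ORDER = {
    "Windows Server": ["2003", "2008", "2008 R2", "2012", "2012 R2",
                       "2016", "2019", "2022"],
}

# Published affected ranges (inclusive) for CVE-2017-5638, Apache Struts 2:
# 2.3.5-2.3.31 and 2.5-2.5.10; 2.3.32 and 2.5.10.1 carry the fix.
VULNERABLE_RANGES = {
    "CVE-2017-5638": [("Apache Struts", "2.3.5", "2.3.31"),
                      ("Apache Struts", "2.5", "2.5.10")],
}


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1).  Tuples compare lexicographically and a
    prefix sorts before its extension, so 2.5.10.1 > 2.5.10 as required."""
    return tuple(int(part) for part in v.split("."))


def versions_behind(product: str, version: str):
    """Releases between this version and the newest known one, or None if
    the product has no release table."""
    order = RELEASE_ORDER.get(product)
    if order is None or version not in order:
        return None
    return len(order) - 1 - order.index(version)


def audit(assets, today: date):
    """Return (host, category, detail) findings for every asset."""
    findings = []
    for a in assets:
        eol = END_OF_SUPPORT.get((a.product, a.version))
        if eol is not None and eol <= today:
            findings.append((a.host, "end-of-support",
                             f"{a.product} {a.version} unsupported since {eol}"))
        behind = versions_behind(a.product, a.version)
        if behind is not None and behind >= 2:
            findings.append((a.host, "outdated",
                             f"{a.product} {a.version} is {behind} releases behind"))
        for cve, ranges in VULNERABLE_RANGES.items():
            for product, low, high in ranges:
                if a.product != product:
                    continue
                if parse_version(low) <= parse_version(a.version) <= parse_version(high):
                    findings.append((a.host, cve,
                                     f"{a.product} {a.version} in affected range {low}-{high}"))
    return findings


# Constructed sample inventory (hostnames are hypothetical).
SAMPLE_INVENTORY = [
    Asset("tax-db-01", "Windows Server", "2003"),
    Asset("web-02", "Windows Server", "2012 R2"),
    Asset("web-02", "Apache Struts", "2.3.31"),
    Asset("web-03", "Apache Struts", "2.5.10.1"),
    Asset("app-04", "Windows Server", "2022"),
]


def run_sample(today: date = date(2024, 1, 1)):
    return audit(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for host, category, detail in run_sample():
        print(f"{host:10} {category:16} {detail}")
```

On the sample inventory the script reports five findings: the Windows Server 2003 and 2012 R2 hosts are both past end of support and several releases behind, and web-02 runs a Struts version inside the CVE-2017-5638 range, while web-03 on the patched 2.5.10.1 is clean. The Equifax lesson is the last check: a dependency audit is only as good as the inventory it runs over, so the first job of such an audit is making the inventory complete.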
Virsec is a security platform that specializes in legacy software. Its primary concern is outdated, unpatched server workloads and the applications running on them, and for good reason: by the figures Virsec cites, over 80% of breaches occur on servers.
Virsec extends its zero-trust runtime defense to outdated Windows Server (2003, 2008, and 2012), Red Hat Enterprise Linux, CentOS, Ubuntu, and SUSE server operating systems, defending them as effectively as modern server workloads.
For instance, the platform provides compensating security controls mapped to NIST, CISA, and PCI requirements for Windows Server 2012 workloads and their application runtime environments.
If we had to single out a few essential Virsec features, they would be the following:
With these capabilities, Virsec lets you keep using legacy software in a secure and protected way, mitigating ransomware and the other severe security risks that plague outdated software.
In this article, you learned the common risks associated with legacy software. Although operational risks are more numerous, the real-world examples above show that security risks can have far-reaching consequences, which makes managing them a priority.
Legacy software security risks need your immediate attention, and you need a purpose-built solution to protect your outdated workloads and applications from the next WannaCry.
Virsec is precisely that: a purpose-built legacy software security solution. Having watched the threat landscape change over the years, Virsec works with a thorough understanding of the subtleties of legacy software and the pain organizations feel when they depend on it.
See Virsec in action — book a free demo today.