Tag Archives: Computer security

Legacy Systems: The (Often) Necessary Evil

15 Jun

Many IT environments include at least one system that is really far behind the times; you might be surprised it hasn’t died of natural causes yet. You know the one I’m talking about – tucked deep away in the back of a closet, where both the file system and the original installer are now gathering cobwebs. Generally, we at OST see the most legacy systems in healthcare networks – but they can be anywhere.

From a security standpoint, these kinds of hosts are a nightmare. Often running an unsupported operating system (already a big red mark), these machines are generally not well patched and may be running easily exploitable applications. A thorn in the network administrator’s side, they consistently show up in the results of IT security assessments as high risk and requiring attention.

If you don’t work in IT, you might be wondering why anyone would allow such an obvious security hole to exist in an environment. The answer is quite simple. Most administrators and IT managers are aware of these systems, but their hands are tied – usually for one of two reasons:

  1. It’s a vendor-managed host (for example, a system that operates radiology equipment) and the vendor refuses to upgrade or patch, for a variety of reasons.
  2. It’s an internally managed host, but runs a mission-critical application or service that requires an unsupported OS.

You can see how environments that rely heavily on third party equipment and applications could easily find themselves unable to secure the hardware that sits on their network.

This can lead to serious problems if the organization ever finds itself on the receiving end of a malicious hacking attack. Due to the security flaws noted above, legacy systems are often easily taken advantage of and leveraged during an attack. Depending on how the system is positioned in the environment and what kind of data it contains, this can lead to the loss of sensitive data (such as social security numbers, medical records, or other personally identifiable information) or perhaps a full breach of the organization’s domain.

To help illustrate, consider this analogy: if you lived in a bad neighborhood, you’d most certainly want all of your doors locked as often as possible. Well, for starters – the Internet is most definitely a bad neighborhood, and having insecure legacy systems in your environment would be akin to leaving a side window not only unlocked, but also open. Did we mention that your in-laws own the window, and have lodged it open so that it will not shut? Yeah, it’s a lot like that!

How should this predicament be approached? Here are our suggestions on how to mitigate the risk of having insecure legacy systems in a computing environment.

  1. Re-assess if you actually need the system. Is it truly critical to your operations? Sometimes the simplest solution to a security problem is to just power off and retire the offending host. If one person uses it once per quarter to run a single report, it’s probably not mission critical and the risk it poses is greater than the service it offers. If you re-assess and do find that you need it, keep reading.
  2. If it’s a vendor-managed host, reach out to the vendor directly and ask for a resolution. If you’re trying to meet compliance standards (e.g. GLBA, HIPAA), be sure to get an official response from the vendor for your records.
  3. If it’s a dated application and your organization simply hasn’t ponied up the dough to purchase the new, secure version, build that into the budget now. If this is the situation you find yourself in, you’re gravely underestimating the cost of a data breach. Go ahead, Google the average cost of a data breach. We dare you.
  4. If you find yourself in the worst-case scenario, where the vendor will not budge, the application has no patched version and the system genuinely is mission critical, all is not lost. Here’s our recommended plan of attack:

Isolate, isolate, isolate.

Going back to the open window in your house analogy, the next logical step (if you can’t shut it) is to lock the room that the window is in and take all the important stuff out of there. Make that system invisible to everyone on the network except those who need it. Put it on its own VLAN and permit access with great discretion. Harden the system with firewalling and an endpoint protection product that has IPS/IDS modules. Remove ALL unnecessary applications and services from the host. Patch it as much as you can. We’ve advised clients to, when it made sense, literally unplug the computer from the network and require that it be accessed only physically.
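As an added example (not from the original post), here is a small audit that turns the "remove unnecessary services" and "permit access with great discretion" steps above into something checkable: it parses a constructed `ss -tlnp` listing from a hypothetical legacy host, reports listeners nobody is documented as needing, and emits a default-deny iptables rule set that opens only the allowlisted port/client pairs. It assumes a Linux host (the same allowlist would drive FORWARD-chain rules on the VLAN gateway instead); the IPs, ports and process names are made up.

```python
"""Audit a legacy host's listeners against a documented allowlist and
generate default-deny iptables rules for the few clients that need it."""
import re

# Constructed sample of `ss -tlnp` output from a hypothetical legacy host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=702,fd=12))
LISTEN  0       128     0.0.0.0:1433         0.0.0.0:*          users:(("sqlservr",pid=815,fd=7))
LISTEN  0       100     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=433,fd=4))
"""

# Hypothetical allowlist: port -> the only client IPs that genuinely need it.
ALLOWLIST = {
    1433: ["10.20.0.5"],   # the application server that queries the database
    22: ["10.20.0.10"],    # the admin jump host
}

def listening_ports(ss_output):
    """Return {port: process_name} parsed from `ss -tlnp` text (header skipped)."""
    found = {}
    for line in ss_output.splitlines()[1:]:
        m = re.search(r':(\d+)\s+\S+\s+users:\(\("([^"]+)"', line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def unexpected_listeners(ss_output, allowlist):
    """Listening services with no documented consumer: candidates for removal."""
    return {p: n for p, n in listening_ports(ss_output).items() if p not in allowlist}

def build_rules(allowlist):
    """iptables commands that expose only allowlisted port/client pairs, then default-deny.
    The DROP policy is set last so an existing admin session is not cut mid-way."""
    rules = ["iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for port, clients in sorted(allowlist.items()):
        for ip in clients:
            rules.append(f"iptables -A INPUT -p tcp -s {ip} --dport {port} -j ACCEPT")
    rules.append("iptables -P INPUT DROP")
    return rules

if __name__ == "__main__":
    for port, proc in unexpected_listeners(SS_OUTPUT, ALLOWLIST).items():
        print(f"remove or firewall: {proc} on tcp/{port}")
    print("\n".join(build_rules(ALLOWLIST)))
```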

Build a Plan for Moving Forward

Get it into your FY plan to retire that system, if you can. If you can’t, make sure that the Board of Directors for your organization is aware of the risk and chooses to accept that risk.

A comprehensive IT security assessment is the best way to find insecure legacy systems. As part of an assessment, a penetration test is generally conducted to help identify the severity of security holes that may exist on these machines.

The OST Security Practice has conducted over 1,000 security assessments for clients in a wide variety of industries and is exceedingly proficient at identifying vulnerabilities on legacy systems and helping organizations mitigate the risks they pose.

For more information on IT security assessment services, please contact dkilpatrick@ostusa.com.

—–

W. Scott Montgomery

W. Scott Montgomery joined OST in the spring of 2009 as the Manager of the OST Security Practice. Scott joined OST with over 30 years of IT and IT Security related experience. Scott has personally performed more than 1,000 Security Assessments for several hundred organizations. Using a proprietary and unique assessment approach, developed by Scott and used since 1998, the OST Security Team has the ability to gather, analyze and assess the security of any organization.


Viruses and Malware: The Key to Avoiding Infection (Pt. 2)

8 Jun


The Three Most Common Venues of Infection

P2P Software

Peer-to-peer (P2P) software has a long, controversial history riddled with issues of misuse. While P2P software is not inherently bad, it is often used by individuals wishing to illegally acquire media (movies, music, other software) for free. As such, the type of person who uploads this pirated content to share with others often engages in other unethical practices, such as backdooring their uploads with viruses and malware. When you or someone in your organization uses P2P software to download pirated media, you put both your machine and environment at great risk. Using these types of software for illegitimate purposes is much akin to wandering down a dark alley in a bad part of town: you’re asking for trouble!

Solution: Avoid using P2P software entirely. As an IT administrator, prohibit its use within your organization.

Drive-by downloads

Drive-by download, like malware, is an umbrella term used to describe any type of situation where software is installed and the user is unaware of the software’s intent. This can happen a number of different ways. If you are browsing a shady website, the website may attempt to automatically and silently exploit third party applications used by your web browser to display content. Alternatively, you could visit a site that suggests you have a problem with your computer and that you need to download and install a cleaning tool to fix the problem. Both of these situations lead to an infection.

Solution: Keep your computers well patched, especially frequently updated applications like Adobe Flash. More importantly, avoid unscrupulous websites that may attempt to take advantage of your machine.

Infected email attachment

An increasingly popular method of distributing malware involves sending victims an infected email attachment. These are frequently sent out under the guise of an official, well-known organization and convey an urgency that demands the victim’s attention. For example, you may receive an email appearing to come from UPS suggesting that you have an outstanding invoice that needs to be paid, with an attached PDF allegedly describing the charge. The PDF is actually infected, and opening it results in the compromise of your computer.

Solution: Utilize an effective spam filter to prevent the delivery of these types of emails. Additionally, learn how to spot spoofed and infected emails through an IT Security Awareness Training session from a reputable vendor.

IT Security is a global landscape that is constantly evolving. With increasing levels of connectivity, security events that happen on the other side of the planet can reach you in seconds. While there is no practical and sure-fire way to entirely eliminate the threat of malware infection, providing user education on infection venues and easy-to-learn solutions will significantly lessen the likelihood you and your organization run into problems.

For more information on malware, including outbreak containment, incident response, and risk assessment services, please contact the OST Security Practice by emailing dkilpatrick@ostusa.com.

—–

W. Scott Montgomery

Viruses and Malware: The Key to Avoiding Infection

1 Jun


Nearly everyone has something installed on their computers to protect them from viruses and malware. And with good reason – malicious programs are nearly as prevalent as antivirus installations. Black hat hackers (industry term for “the bad guys” … we’re white hat hackers, the good guys!) are constantly working to create new ways to take advantage of PCs, both those used in a corporate setting and those used at home.

Computer viruses are technically a type of malware. One can acquire a virus in a multitude of ways. Once infection has been initiated, viruses generally quietly replicate themselves somewhere in the machine’s filesystem. Once they’ve replicated, they often perform some type of harmful activity. For example, a virus might provide an attacker complete control over your machine, just as though they were sitting in front of it. Alternatively, a virus might operate automatically and silently in the background, copying keystrokes and stealing sensitive data, then sending it back to the person who infected you.

Malware is an umbrella category for any type of software that operates with an intent that is undesirable to the user or malicious. While viruses are one kind of malware, there are many other kinds. Have you ever had a toolbar that seemed to pop out of nowhere on your web browser, and then noticed that you were being shown loads of pop-up advertisements? This is likely the result of an adware infection, a type of malware that displays unwanted advertisements and redirects your attempts to browse the web.

Clearly, these are infections we want to avoid!

The key to remaining malware-free is user education. Antivirus and antimalware programs do work, but they should not be relied upon. They can only offer so much protection. Hackers are constantly working to circumvent them. It’s a cat-and-mouse game that you don’t want to get caught in the middle of.

What do we mean by user education?

An understanding of how infections happen is critical. Users cannot protect themselves if they do not know which practices are unsafe. The vast majority of infections occur through just a handful of venues. In part two of this article, we’ll describe those venues and how to avoid them, keeping you and your organization safe.

—–

W. Scott Montgomery

Top Ten Ways to Protect Our Children from Technology

19 Nov
