Three steps to compliance for end-of-life systems

03 May 2016

Each time a vendor terminates support for an operating system or solution, a broad spectrum of organisations is put at risk of failing to meet regulatory and compliance mandates.

These mandates demand levels of security that legacy systems are not equipped to meet. Systems that solution vendors (and their integration partners) no longer support are particularly vulnerable because they no longer receive security patches from the vendor.

Consider the Microsoft Windows family. Windows XP, Windows Server 2003 (W2K3) and, most recently, Windows XP Embedded have gone end-of-life (EOL). Industry analysts expect this trend to continue over the next few years.

Regardless of how many devices are running or are connected to these unsupported systems, EOL systems should be a critical area of focus for compliance and risk professionals. There is substantial risk to any organisation that continues to operate them.

Often these systems run critical business functions and fall within the scope of regulations that mandate specific security controls (e.g., the PCI Data Security Standard). Such systems can be easily infiltrated because they lack any form of patch management or effective antivirus/anti-malware protection.

Here are three high-level steps compliance specialists should consider to help ensure proper compliance and security coverage on unsupported systems and applications:

1 – Long-term focus

It is essential to focus on the long term when assessing unsupported systems in order to break the pattern of EOL-created risk. When scoping systems for security and compliance, aim to gain active insight. Point-in-time scanning and polling security solutions routinely miss threats and are typically useful only for identifying already-known threats, not the stealthy attacks used by today's threat actors.

Security solutions that record activity in real time deliver both visibility and historical intelligence and provide a constant pulse on security and compliance posture. This is especially important for unsupported systems.

2 – Move to threat mitigation

This is achieved by taking control of, and defending, the security gaps on EOL systems. Compliance and risk professionals can help disrupt the way attackers target unsupported systems by shifting the security strategy from passive, negative security (blocking only files already known to be bad) to active threat mitigation via policy. When systems go EOL, they no longer receive security patches. As a result, vulnerabilities that already exist, or are newly discovered, on those systems will not be fixed by the vendor.

Assessing systems with an enforcement policy that controls and monitors endpoints based on what is 'allowed to happen' greatly enhances the ability to keep them protected and compliant. Much of that enforcement policy can be driven by the regulatory and compliance policies that are set very early in the business cycle.

Technologies such as application control and next-generation whitelisting (mixed with active security monitoring) are popular tools that can place unsupported systems into enforced postures.
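As an added illustration of the 'allowed to happen' enforcement described in this step (example code, not the article's or Carbon Black's), the following Python models a default-deny allowlist keyed by executable path and SHA-256, replays process-launch events through it and retains every decision as an audit record. All paths, file contents, hashes and timestamps are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample binaries standing in for files on the EOL host.
POS_PATH = r"C:\LegacyApp\pos.exe"
SAMPLE_FILES = {
    POS_PATH: b"legacy point-of-sale binary v1.0",
    r"C:\Windows\System32\svchost.exe": b"service host",
}
# Allowlist policy: path -> SHA-256 of the approved build. Constructed here;
# in practice the hashes come from the approved software inventory.
ALLOWLIST = {p: sha256_hex(c) for p, c in SAMPLE_FILES.items()}

@dataclass
class Decision:
    timestamp: str
    path: str
    digest: str
    action: str  # "allow" or "block"
    reason: str

@dataclass
class Enforcer:
    """Default-deny: anything not explicitly approved is blocked and logged."""
    allowlist: dict
    log: list = field(default_factory=list)

    def evaluate(self, timestamp: str, path: str, content: bytes) -> Decision:
        digest = sha256_hex(content)
        expected = self.allowlist.get(path)
        if expected is None:
            action, reason = "block", "path not in allowlist"
        elif digest != expected:
            action, reason = "block", "hash mismatch: approved path, altered binary"
        else:
            action, reason = "allow", "matches approved build"
        decision = Decision(timestamp, path, digest, action, reason)
        self.log.append(decision)  # keep every decision as the audit history
        return decision

def run_sample() -> Enforcer:
    # Replay three constructed process-launch events through the policy.
    enf = Enforcer(ALLOWLIST)
    enf.evaluate("2016-05-03T09:00:00Z", POS_PATH, SAMPLE_FILES[POS_PATH])
    enf.evaluate("2016-05-03T09:01:00Z", r"C:\Temp\update.exe", b"unapproved installer")
    enf.evaluate("2016-05-03T09:02:00Z", POS_PATH, b"legacy point-of-sale binary v1.0 (tampered)")
    return enf
```

The retained log is what gives the historical view that point-in-time scanning lacks: the second event is blocked for being unlisted, the third because an approved path now carries an altered binary.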

3 – Utilise available knowledge

Leveraging the wealth of threat knowledge available within the security community and uniting security risk policy on EOL systems is critically important.

Regulatory, compliance, and security communities (as well as the extended business community) have a wealth of threat intelligence. Hackers and attackers are prolific at sharing knowledge and attack expertise within their own communities, so it is imperative for shared business communities to collaborate to offset this advantage.

For unsupported systems, continuous compliance is the most critical way to ensure that systems remain in check and protected. All professionals should take advantage of sharing and consuming the various threat intelligence feeds available to gain further insight into vulnerable systems.

Article by Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black
