Three steps to compliance for end-of-life systems
Each time a vendor terminates support for an operating system or solution, a broad spectrum of organisations are put at risk of failing to meet regulatory and compliance mandates.
These mandates involve high levels of security that legacy systems are not equipped to meet. Systems that solution vendors (and their integration partners) no longer support are particularly vulnerable because they no longer receive security patches from the maker.
Consider the Microsoft Windows family. Windows XP, W2K3, and most recently Windows XP Embedded, have gone end-of-life (EOL). Industry analysts expect this trend to continue during the next few years.
Regardless of how many devices are running or are connected to these unsupported systems, EOL systems should be a critical area of focus for compliance and risk professionals. There is substantial risk to any organisation that continues to operate them.
Often, these systems are running critical business functions and are in scope for many of the regulations that govern the security controls to ensure security (e.g., – PCI Data Security Standard). These systems can be easily infiltrated since they lack any type of patch management or effective antivirus/malware protection.
Here are three high-level steps compliance specialists should consider to help ensure proper compliance and security coverage on unsupported systems and applications:
1 – Long-term focus
It is essential to focus on the long term when assessing unsupported systems in order to disrupt the pattern of EOL-created risks. When scoping systems for security and compliance, aim to gain active insight. Point-in-time scanning and polling security solutions constantly miss threats and are typically only useful in identifying already known threats, not the stealthy attacks used by today's threat actors.
Security solutions that record activity in real time deliver both visibility and historical intelligence and provide a constant pulse on security and compliance posture. This is especially important for unsupported systems.
2 – Move to threat mitigation
This can be achieved by taking control and defending the gaps in security on EOL systems. Compliance and risk professionals can help disrupt the way attackers target unsupported systems by shifting the security strategy from passive, negative (only already known-bad files) security to active threat mitigation via policy. When systems go EOL, they no longer have security patches. As a result, vulnerabilities that have existed or are newly created on those systems won't be fixed by the maker.
Assessing systems using an enforcement policy that controls and monitors endpoints based on what's ‘allowed to happen' greatly enhances the ability to keep systems protected and compliant. Much of that enforcement policy can be driven by the regulatory and compliance policies that are set very early in the business cycle.
Technologies such as application control and next-generation whitelisting (mixed with active security monitoring) are popular tools that can place unsupported systems into enforced postures.
3 – Utilise available knowledge
Leveraging the wealth of threat knowledge available within the security community and uniting security risk policy on EOL systems is critically important.
Regulatory, compliance, and security communities (as well as the extended business community) have a wealth of threat intelligence. Hackers and attackers are prolific at sharing knowledge and attack expertise within their own communities, so it is imperative for shared business communities to collaborate to offset this advantage.
For unsupported systems, continuous compliance is the most critical way to ensure that systems are in check and protected. All professionals should take advantage of sharing and consuming the various threat intelligence feeds available to gain further insight on vulnerable systems.
Artile by Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black