On December 16, 2020, Accellion FTA, a 20-year-old file transfer device, became the focus of media attention when the now infamous zero-day vulnerability was reported. A patch was released quickly in the second half of the month, and further investigations led to a further patch release within the next 60 days. Although Accellion raised awareness of the zero-day exploits, more than 300 known victims have still fallen to the vulnerability.
Large enterprises are no exception. The energy giant Royal Dutch Shell is just one prominent example. Despite the wealth of public knowledge about cases in December and January, the oil and gas company discovered that it was affected by the third-party vulnerability and reported it for the first time on March 16, 2021, three months after the exploit. The oil giant became another victim of the same mistake: allowing legacy systems to take root in the corporate IT infrastructure.
What makes legacy IT risky?
What makes a system "legacy"? It is not only the age of the machine or equipment, but also how it is used and disposed of: any improperly managed or forgotten system adds complexity, which risks introducing vulnerabilities into the larger IT environment. A key component of a legacy system is the "inheritance problem": knowledge about the system is lost to the organization or recorded "somewhere" outside of its normal channels and tools.
Even outside of IT, it is easy to find examples of frequently used but outdated, poorly managed or poorly maintained systems. Whether it's a CT scanner used by dozens of doctors and nurses, or an old human-machine interface that has been monitoring the operation of turbines in the same power plant for many years, it is very common for organizations to rely on a given tool or piece of software with little knowledge of who is responsible for its upkeep and maintenance.
Even where old tools are kept maintained in operations, the gap between operational technology (OT) maintenance and IT maintenance in key sectors such as energy, healthcare, and transportation may lead to risk exposure. Legacy systems are usually maintained only to ensure functionality, and they are often digitized with retrofitted Internet of Things (IoT) functions for the sole purpose of operability. OT maintenance may not take IT and network security perspectives into account, making changes to improve systems without questioning whether those systems remain secure. Although these old systems still seem useful after many years of service, the prolonged exposure of networks to these old devices has proven the familiar adage time and time again: what can go wrong will go wrong.
To determine whether an aspect of the infrastructure is legacy, ask yourself:
- Who installed the system?
- Why was it installed in the first place?
- What is it for?
- Who maintains it or is responsible for it?
Shadow IT increases the threat of legacy technology
As companies plan their first post-pandemic steps back to the office or to hybrid workflows, the threat posed by old systems is greater than ever. To some extent, this is due to the legacy of shadow IT: the introduction of systems or equipment without the explicit approval of the IT department. The rapid move to working from home is likely to have increased shadow IT exposure, the attack surface, and related vulnerabilities.
Large companies like Shell have proven time and time again that they are vulnerable to these attack vectors, but they may not need to be as concerned about shadow IT as their mid-sized counterparts. Although a large staff may increase the likelihood of mismanagement, large companies are also more likely to have appropriate systems and audits in place to manage their environment and control changes. Many medium-sized businesses and enterprises may not be aware of the weaknesses of their systems, which exposes them to the risks of shadow IT.
Minimize the risks of legacy IT and shadow IT
How can companies prevent the proliferation of legacy or shadow IT? The only solution is the correct management of all aspects of IT. Companies must plan according to their scale and create a management hierarchy which ensures that the absence or retirement of one (or several) key employees does not open the system to attack. Training IT personnel to share and divide responsibilities can help establish a healthy, agile management hierarchy, one that includes non-IT departments' responsibility for the systems they use. This allows the IT team to act proactively, so that even if vulnerable systems cannot be patched or updated, compensating controls can be put in place.
To develop this responsive IT management hierarchy, IT administrators should use tools that enable them to understand all aspects of their environment and to track and subsequently control any changes made to the system. Doing so is essential not only for achieving and maintaining operational resilience and protecting the company from hacker attacks and even ransomware attacks, but also for preparing the company for growth and the secure expansion of digitalization.
Dirk Schrader is German and has more than 25 years of experience in providing IT expertise and product management on a global scale. His work focuses on advancing cyber resilience as a sophisticated new approach to tackling the cyber attacks faced by governments and corporate organizations.