Why It’s Time to Retire Legacy Software
If your organization’s software vendor doesn’t anymore issue software updates, patches and other forms of support, then what your organization has is a legacy software.
What is a Legacy Software?
The phrase “legacy software” is used to describe a software or computer program that’s outdated or obsolete. A software can be considered as outdated or obsolete by reason of the number of years the software has been used, for instance, for more than 2 decades.
Another reason a software is considered as obsolete or outdated is when it has reached its end of life (EOL) and end of support (EOS).
“EOL occurs when the software is retired, although the vendor/manufacture can (and generally does) continue to support the software until the EOS date,” the Center for Internet Security (CIS)said. The software’s end of support or EOS, meanwhile, happens “when software updates, patches, and other forms of support are no longer offered”, the CIS said.
Here are the top 3 reasons why your organization needs to say goodbye to legacy software:
1. Cyberattacks
The absence of security updates and patches expose your organization’s legacy software to malicious software (malware). Cybercriminals are always looking for ways to exploit the security vulnerabilities in older, unsupported software.
2. Cryptocurrency Mining Attack
According to security researchers at Cisco, malicious actors are turning to illicit cryptocurrency mining as majority of the victims hardly notice it. Cryptocurrency mining, they said, is the polar opposite of ransomware, as it hides from the computer owners for as long as possible. “The longer the user doesn’t notice the miner running the larger potential payout for the activity,” Cisco researchers said.
The negative effects of cryptocurrency mining malware planted in your organization’s computers include slow performance, short lifespan and increase in electricity consumption.
In September 2017, security researchers at ESET reported that cybercriminals made more US$63,000 by planting the cryptocurrency mining code of Monero into the victims’ computers without their consent and without giving them monetary compensation.
The attackers were able to stealthily plant the cryptocurrency mining code into the victims’ computers by exploiting the known security vulnerability called CVE-2017-7269in Microsoft IIS 6.0 within Windows Server 2003. The software vendor of Windows Server 2003, Microsoft, hasn’t acknowledged this security vulnerability nor has it issued a security update to fix this vulnerability.
Windows Server 2003 is an example of a legacy software. Microsoft ended its support on Windows Server 2003 on July 14, 2015. As a result of this end of support, Microsoft no longer issues security updates and patches that help protect servers from harmful viruses, spyware and other malware. Microsoft also no longer provides assisted technical support and content updates for this software.
3. Ransomware
In May 2017, files on hundreds of thousands of computers worldwide couldn’t be accessed as the files were encrypted. Even the perpetrators themselves couldn’t decrypt or unlock the files despite paying ransom as the software code was written in such a way that the files can’t be decrypted. That May 2017 cyberattack is called WannaCry. The WannaCry cyberattack showed the danger of using legacy software.
WannaCry exploited the vulnerability in Microsoft Windows SMB server, a security vulnerability that allows attackers to enable remote code execution by sending specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server like launching the WannaCry malware.
Nearly 2 months prior to the May 2017 WannaCry attack, Microsoft issued a security update fixing the vulnerability exploited by WannaCry for their supported software. The company, however, didn’t issue a security update for legacy software, including Windows XP and Windows Server 2003. Microsoft ended its support for Windows XP on April 8, 2014. The company ended its support on Windows Server 2003 on July 14, 2015.
4. Legal Issues
On January 19, 2017, the Ontario Securities Commission, British Columbia Securities Commission and Autorité des Marchés Financiers (Canada) published the CSA Multilateral Staff Notice 51-347, requiring disclosure of cybersecurity risks and incidents.
The disclosure requirement mandates Canadian businesses to disclose “reasons they may be exposed to a cyber security breach, the source and nature of the risks, the potential consequences of a cyber security breach, the adequacy of preventative measures as well as a consideration of prior material cyber security incidents and their effects on the issuer’s cyber security risk.”
There’s also that looming enforcement date of the General Data Protection Regulation (GDPR) this coming May 25, 2018. GDPR requires both EU and non EU-based businesses that process personal data of EU residents to practice “privacy by design” and disclose data breaches.
Privacy by design requires businesses to include data protection from the onset of the designing of systems, instead of just an addition. Under GDPR, businesses are required to report data breaches within 72 hours of first having become aware of the breach. Organizations in breach of GDPR can be fined of up to €20 million or 4% of annual global turnover, whichever is higher.
Although the implementation date of Canada’s Digital Privacy Act is still not set, the implementation of this Canadian law will require organizations to disclose data breach as failure to do could result in fines of up to $100,000.
5. Business Issues
Disruptions due to cyberattacks could adversely affect your business. According to the CSA Multilateral Staff Notice 51-347, cybersecurity incident could result in the following:
- Compromising of confidential customer or employee information
- Unauthorized access to proprietary or sensitive information
- Destruction or corruption of data
- Lost revenues due to a disruption of activities, incurring of remediation costs
- Reputational harm affecting customer and investor confidence
- Diminished competitive advantage and negative impacts on future opportunities
- Operational delays, such as production downtimes
- Inability to manage the supply chain
- Inability to process customer transactions or otherwise service customers
- Disruptions to inventory management
- Loss of data from research and development activities
- Devaluation of intellectual property
At GenX, we offer IT services, including installing newer and up-to-date software to replace your organization’s legacy software.