It's a story we've heard time and time again: government agencies are running legacy, unsupported, and unpatched operating systems.

This time the culprit was 10 of South Australia's most critical government agencies, which were outed as having 226 agency servers still on Windows Server 2003 and five servers running Windows Server 2000.
These tales of woe are as old as time: in government agencies, legacy systems are rife, with unpatched operating systems and applications, while risk management has apparently been thrown by the wayside and basic security hygiene measures have not been employed.
Why does this keep happening?
It'll be no surprise that decisions are usually based on the trade-off between money (redevelopment costs of bespoke applications), user experience, and security.
But risk often gets overlooked in the shadow of available cash and user experience, especially when the organisation in question is undergoing a transformation involving all the buzzwords.
It can mean that if your security requirements are not tied to those transformative initiatives, your pleadings will likely be ignored.
The cloud will not help you redevelop your legacy application and it certainly won’t patch old operating systems for you. Lifting and shifting Windows Server 2000 systems into a tightly managed, modern virtual cloud infrastructure still leaves those servers exposed to every unpatched flaw in that platform, exactly like any other unpatched system (Shellshock, often cited here, was a bug in bash rather than Windows, but the point stands for whichever unfixed Windows vulnerability is current), and now you also need a way of managing the general risk of running in a public cloud, where you have given up some of the control you used to have.
The worst offender in the SA auditor-general’s report had 71 legacy servers. Executives from that unnamed agency have said they were working to decommission these out-of-date systems, which is certainly a good thing.
But some of those operating systems have gone more than six years without a single security patch (Windows Server 2000 went out of support in 2010), meaning that agency has been running high-risk vulnerable servers for over half a decade. In what world is that acceptable?
There's not really an excuse for not addressing these risks - there are plenty of stop-gap solutions you can employ until you're able to work out how to fix the root cause. For starters, application whitelisting, while difficult to do well, will help stop unwanted or malicious code executing on your systems.
This is one of the best security controls you can apply to a legacy system: because the platform is no longer being patched it never changes, so a whitelist built once stays valid and can be enforced tightly, and anything not on it, malware included, simply does not run. The caveat is that whitelisting controls what gets launched; it does nothing against an exploit that runs inside an already-running, unpatched service, which is why the next two controls matter.
Secondly, you can lock the system down so that only necessary ports and protocols are exposed to the network: turn off any services that are not required, and put a host firewall (and, ideally, network segmentation) in front of what remains so the exploitable surface is limited to the handful of services the business actually needs.
Thirdly, crank up the auditing and logging so that both successes and failures reported by the operating system are recorded, especially those related to the kinds of attacks you are concerned about for that server (failed logons, process creation, and connections to ports that should be closed are the obvious ones). The logs should be sent to a SIEM or, if you outsource security to a managed security services provider, work with them to start ingesting and alerting on attack patterns for those at-risk servers.
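The three stop-gaps above only pay off if someone is actually watching the logs from the at-risk hosts. The following is an added example, not code from the article or from the SA audit, of the kind of correlation rules a SIEM (or an MSSP on your behalf) would run against that small set of legacy servers. Everything in it is constructed for illustration: the inventory, the per-host allowlists of executables and open ports, the event field names, and the events themselves. It assumes a collector has already normalised Windows security events into dicts with a `kind` field (on Server 2000/2003 those come from the pre-Vista event IDs, 529 for a failed logon and 592 for a new process, plus the host firewall log for inbound connections).

```python
"""Correlation rules for a handful of at-risk legacy Windows hosts.

Added example, not from the article or the SA audit report. The inventory,
allowlists, field names and events are all constructed for illustration.
Assumes a collector has normalised events into dicts with a "kind" field
(Server 2000/2003 event IDs: 529 = logon failure, 592 = new process;
inbound connections from the host firewall log).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: unsupported hosts get the stricter rule set below.
INVENTORY = {
    "SRV-HR-01": {"os": "Windows Server 2003", "at_risk": True},
    "SRV-FIN-02": {"os": "Windows Server 2000", "at_risk": True},
    "SRV-WEB-10": {"os": "Windows Server 2012 R2", "at_risk": False},
}

# Constructed allowlists for the legacy hosts: the application whitelist
# (step one) and the TCP ports deliberately left open after lockdown (step two).
ALLOWED_EXE = {
    "SRV-HR-01": {r"C:\WINDOWS\system32\svchost.exe", r"C:\Apps\Payroll\payroll.exe"},
    "SRV-FIN-02": {r"C:\WINNT\system32\svchost.exe", r"C:\Apps\Ledger\ledger.exe"},
}
ALLOWED_TCP_PORTS = {"SRV-HR-01": {445, 3389}, "SRV-FIN-02": {1433}}

FAILED_LOGON_THRESHOLD = 5                  # fire on the fifth failure ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... from one source within this window


def detect(events):
    """Run the legacy-host rules over normalised events; return a list of alerts.

    Each alert is a dict with host, rule and detail. Only hosts marked at_risk
    are evaluated here; supported hosts belong to the normal SIEM rule set.
    """
    alerts = []
    failures = defaultdict(list)  # (host, source_ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if not INVENTORY.get(host, {}).get("at_risk"):
            continue
        if ev["kind"] == "logon_failure":
            key = (host, ev["source_ip"])
            window_start = ev["ts"] - FAILED_LOGON_WINDOW
            recent = [t for t in failures[key] if t >= window_start] + [ev["ts"]]
            failures[key] = recent
            if len(recent) == FAILED_LOGON_THRESHOLD:  # == so one burst yields one alert
                alerts.append({"host": host, "rule": "brute_force_logon",
                               "detail": f"{len(recent)} failures from {ev['source_ip']} for {ev['user']}"})
        elif ev["kind"] == "process_start":
            if ev["image"] not in ALLOWED_EXE.get(host, set()):
                alerts.append({"host": host, "rule": "unapproved_process",
                               "detail": f"{ev['image']} started by {ev['user']}"})
        elif ev["kind"] == "inbound_tcp":
            if ev["port"] not in ALLOWED_TCP_PORTS.get(host, set()):
                alerts.append({"host": host, "rule": "unexpected_port",
                               "detail": f"tcp/{ev['port']} from {ev['source_ip']}"})
    return alerts


def sample_events():
    """Constructed events (not real log data) exercising each rule once."""
    t0 = datetime(2016, 8, 1, 9, 0, 0)
    events = []
    # Six failed logons in 100 seconds against the Server 2000 box from one address.
    for i in range(6):
        events.append({"ts": t0 + timedelta(seconds=20 * i), "host": "SRV-FIN-02",
                       "kind": "logon_failure", "source_ip": "10.20.30.40",
                       "user": "administrator"})
    # A single mistyped password elsewhere: below threshold, no alert.
    events.append({"ts": t0, "host": "SRV-HR-01", "kind": "logon_failure",
                   "source_ip": "10.1.1.5", "user": "jsmith"})
    # One whitelisted and one non-whitelisted process start on the 2003 host.
    events.append({"ts": t0 + timedelta(minutes=1), "host": "SRV-HR-01",
                   "kind": "process_start", "image": r"C:\Apps\Payroll\payroll.exe",
                   "user": "payroll_svc"})
    events.append({"ts": t0 + timedelta(minutes=2), "host": "SRV-HR-01",
                   "kind": "process_start", "image": r"C:\Temp\update.exe",
                   "user": "jsmith"})
    # One expected inbound connection and one to a port that should be closed.
    events.append({"ts": t0 + timedelta(minutes=3), "host": "SRV-FIN-02",
                   "kind": "inbound_tcp", "port": 1433, "source_ip": "10.1.1.9"})
    events.append({"ts": t0 + timedelta(minutes=4), "host": "SRV-FIN-02",
                   "kind": "inbound_tcp", "port": 135, "source_ip": "10.99.0.7"})
    # The same unapproved binary on a supported host: ignored by this rule set.
    events.append({"ts": t0 + timedelta(minutes=5), "host": "SRV-WEB-10",
                   "kind": "process_start", "image": r"C:\Temp\update.exe", "user": "a"})
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(f"{alert['host']:<11} {alert['rule']:<20} {alert['detail']}")
```

Run against the constructed events the rules produce exactly three alerts: the logon burst against SRV-FIN-02 (raised once, on the fifth failure, not again on the sixth), the non-whitelisted `update.exe` on SRV-HR-01, and the inbound connection to tcp/135 on a host that should only be answering on 1433. The design point is that the allowlists are the same artefacts you produce while doing steps one and two, so the detection rules fall out of the lockdown work rather than being a separate project; the inventory flag is what keeps these deliberately noisy rules confined to the few hosts that have no other defence.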
You cannot reduce risk by simply ignoring it and hoping for the best. More and more Australian organisations are being successfully targeted.
If you don’t have security risk management in your budget this year, then consider scrapping one of your other projects and adding it in. This is a clear and present danger and everyone is at risk.
Take the necessary steps before it's too late to save yourself from the embarrassment of these kinds of audit reports or, more seriously, the potential breaches that could see you lose your company's data and your job.