DOCSLIB.ORG

Isolation of Legacy Systems a View on Security Concerns for Non-Isolated Legacy Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Isolation of Legacy Systems a View on Security Concerns for Non-Isolated Legacy Systems Isolation of Legacy Systems A View on Security Concerns for Non-Isolated Legacy Systems Autors Christoph Falta and Christoph Mahrl Version 1.0 Date 05. November 2015 1. Introduction Legacy systems, a term for out-of-date methods, technologies, computer systems or applications, are considered problematic as continued use of such systems often imply security relevant issues and might therefore impact enterprise operations. Nevertheless there are possibly compelling reasons for keeping a legacy system that have to be taken into account. These include: Costs of migration and redesign of new system High availability requirements of legacy systems Lack of understanding and documentation of the old system to redesign a new one Lack of vendor support to migrate the legacy system to a new platform Stability concerns of a new system The legacy system already runs satisfactorily Generally the use of legacy systems is potentially dangerous. Older operating systems or applications may contain vulnerabilities, since the lack of proper security patches being available or applied is putting these systems at risk of being compromised. Enterprises should always take this riskiness into account as cyber-crime is an increasingly and ongoing topic confirmed by the following surveys and reports: In 2014 T-Systems1 reported that about 92% of enterprises in Austria expected cyber- crime incidents, 14% reported about daily attacks. According to PWC2 about 90% of large organizations had suffered a security breach in 2015, while nearly three quarters of small organizations reported a security breach. A survey of BITKOM 3 stated, that over 50% of German companies fell victim to espionage, sabotage or data theft attacks in 2015. Kaspersky4 reported in 2014 that 94% of companies encountered an external security incident over the last 12 months and 87% had to deal with an internal security issue. This whitepaper therefore discusses proactive and reactive security measures that can be implemented in order to mitigate risks exposed by legacy systems. It is intended for organizations where immediate migration is not an option 1 Cyber-Security Report 2014, T-Systems, 2014 2 Information Security Breaches Survey, PWC, 2015 3 Digitale Wirtschaftsspionage, Sabotage und Datendiebstahl 2015, BITKOM, 2015 4 IT Security Risks Survey 2014, Kaspersky, 2014 2 2. Management Summary This whitepaper discusses proactive and reactive security measures that can be implemented in order to mitigate risks exposed by legacy systems. It is intended for organizations where immediate migration is not an option, therefore, the discussed techniques aim at providing secure and cost-efficient countermeasures. In general, two kinds of countermeasures are discussed in this whitepaper: proactive and reactive. Proactive security measures are designed to harden a legacy system against attacks in order to either reduce the impact of a successful attack or prevent the attack at all. Reactive security measures provide the necessary tools to correctly detect, respond and recover from an attack in an efficient and coordinated way. Figure 1 – Proactive and reactive countermeasures The protection of legacy systems is a challenging process and it is inevitable to address it as a continuous process and not as a task or a project that has a fixed end date. Therefore it is of essence to not only implement technical countermeasures but also to put in place a vulnerability management process that tightly integrates with existing risk assessment strategies and allows to continuously monitor existing legacy systems and quickly adapt in case of new threats. When designing countermeasures and overall security strategies for legacy systems, new vulnerabilities continuously arise. Preparation for change, is a key component to success. 3 3. Proactive Security The value of a proactive approach to prevent malware and other types of attacks before actual expensive damage will occur is indispensable for organizations. Security does not begin with the detection of an attacker inside the network, which does not mean that reactive measures are unnecessary. But in order to avoid compromising in advance, a proactive scheme will play a critical role for good organization’s cyber defense. 3.1 Secure Network Engineering Minimizing opportunities for attackers begins with properly securing the network environment. A key component in secure network engineering is the physical and / or logical separation of IT-systems in different network zones, each with its certain kind of purpose. On this basis, network traffic is filtered between these segments and boundary defense solutions like firewalls and proxies ensure a controlled network flow through network borders and segments, only allowing specific traffic based on the “Least- Privilege” principle. 3.1.1 Network Segmentation An elaborate design and implementation of a network where the network environment is separated in different zones, each meeting certain security requirements, is very important. A minimum of a three-tier architecture is recommended (DMZ, middleware and private network), to have a more granular control of system access and additional boundary defenses. The general purpose of network segmentation using dedicated zones, each may consisting of one or more network segments, is to control what systems and services should be reachable depending on the segment you are in. This ensures that if a system is compromised an attacker is restricted to the policy that is applied to the part of network the system belongs to. Examples of zones usually deployed are: Public domain and guest zone External server zone / Demilitarized zone (DMZ) Internal server zone Internal client zone Internal system management zone In order to sustain network security an adequate segmentation on all relevant layers of the OSI model is necessary. Network security measures are applied on OSI layers 1 to 4, since security of layers 5 to 7 is application-dependent. On different OSI layers, different kind of segmentation techniques are applied: Physical Layer On layer 1 network access is physically separated by using dedicated hardware such as switches, access points, etc. and it is recommended if possible and economically feasible to isolate critical services from each other. 4 Data Link Layer On layer 2 logical separation of a physical network in different VLANs takes place. Each network segment will be assigned a dedicated VLAN to ensure proper separation of responsibilities. Network Layer and Transport Layer On layer 3 and 4 network traffic is filtered between zones and different networks by using various types of boundary defense appliances (see 3.1.2 Boundary Defense). 3.1.2 Boundary Defense Systems that are reachable across the Internet are at risk, as attackers use these systems as primary targets to get initial access into an organization. This includes DMZ systems, workstations, laptop computers etc. that interact with other systems in the Internet through network boundaries. Weaknesses in configuration and / or architectural implementation of perimeter appliances and network devices are the most common reason how attackers gain access into an organization. Once attackers has these systems at their command, they often manage to extend their access inside the target network. Eventually attackers will steal or change information and / or prepare a persistent presence for later attacks, in the worst case without anyone knowing for months or years. To reduce the chance of a successful attack the flow of traffic through network boundaries has to be controlled thoroughly looking for restricted and suspicious traffic, such as botnet communication, internal attacks or evidence of compromised machines. It is recommended to implement boundary defense at multiple layers within the network, relying on firewalls, proxies and network-based IDS/IPS to filter inbound and outbound traffic: Boundary defense o Boundary defense appliances should not only defend an organization’s perimeter but all network segments including internal boundaries like . external / internal server zones . client zones Firewall o Firewalls ensure that only explicitly allowed traffic (according to the “Least-Privilege”-Principle) to systems, services or ports are allowed. o Not explicitly allowed traffic should be denied per default. o Network flow is further minimized by using blacklists containing malicious IP addresses that are filtered throughout the corporate network. Application Firewall o In front of every critical server a dedicated application firewall is recommended as it additionally validates and verifies traffic from and to the server filtering non-authorized traffic. Proxy o The communication between DMZ systems and private networks should occur over application proxies to prevent direct access to internal networks and mitigate security risks. 5 IDS/IPS o Malicious activities and intrusive network behavior is detected and filtered by network-based IDS/IPS and is highly recommended in order to contain potential damage. o Breach Detection Systems (BDS), incorporating IDS/IPS technology, could be used instead to not only check if traffic but also if transported files and executables are malicious (see chapter 3.3 Breach Detection and Prevention). 3.2 System Hardening Hardening is one of the most important aspects of system security, since it offers a very flexible approach that can help to prevent or slow down various attack vectors. However, due to its complex and time-consuming nature, hardening
Load more

Recommended publications
  • Software Evolution Objectives
    Software evolution Objectives To explain why change is inevitable if software systems are to remain useful To discuss software maintenance and maintenance cost factors To describe the processes involved in software evolution To discuss an approach to assessing evolution strategies for legacy systems Topics covered Program evolution dynamics Software maintenance Evolution processes Legacy system evolution Software change Software change is inevitable New requirements emerge when the software is used The business environment changes Errors must be repaired New computers and equipment is added to the system The performance or reliability of the system may have to be improved A key problem for organisations is implementing and managing change to their existing software systems Importance of evolution Organisations have huge investments in their software systems - they are critical business assets To maintain the value of these assets to the business, they must be changed and updated The majority of the software budget in large companies is devoted to evolving existing software rather than developing new software Spiral model of evolution Program evolution dynamics Program evolution dynamics is the study of the processes of system change After major empirical studies, Lehman and Belady proposed that there were a number of ‘laws’ which applied to all systems as they evolved There are sensible observations rather than laws. They are applicable to large systems developed by large organisations. Perhaps less applicable in other cases Lehman’s laws Law Description Continuing change A program that is used in a real-world environment necessarily must change or become progressively less useful in that environment. Increasing complexity As an evolving program changes, its structure tends to become more complex.
    [Show full text]
  • Software Evolution of Legacy Systems a Case Study of Soft-Migration
    Software Evolution of Legacy Systems A Case Study of Soft-migration Andreas Furnweger,¨ Martin Auer and Stefan Biffl Vienna University of Technology, Inst. of Software Technology and Interactive Systems, Vienna, Austria Keywords: Software Evolution, Migration, Legacy Systems. Abstract: Software ages. It does so in relation to surrounding software components: as those are updated and modern- ized, static software becomes evermore outdated relative to them. Such legacy systems are either tried to be kept alive, or they are updated themselves, e.g., by re-factoring or porting—they evolve. Both approaches carry risks as well as maintenance cost profiles. In this paper, we give an overview of software evolution types and drivers; we outline costs and benefits of various evolution approaches; and we present tools and frameworks to facilitate so-called “soft” migration approaches. Finally, we describe a case study of an actual platform migration, along with pitfalls and lessons learned. This paper thus aims to give software practitioners—both resource-allocating managers and choice-weighing engineers—a general framework with which to tackle soft- ware evolution and a specific evolution case study in a frequently-encountered Java-based setup. 1 INTRODUCTION tainability. We look into different aspects of software maintenance and show that the classic meaning of Software development is still a fast-changing environ- maintenance as some final development phase after ment, driven by new and evolving hardware, oper- software delivery is outdated—instead, it is best seen ating systems, frameworks, programming languages, as an ongoing effort. We also discuss program porta- and user interfaces. While this seemingly constant bility with a specific focus on porting source code.
    [Show full text]
  • A Technique for Legacy System Re-Engineering
    International Journal of Management and Applied Science, ISSN: 2394-7926 Volume-2, Issue-12, Special Issue-1, Dec.-2016 INFORMATION SYSTEM INTEGRATION: A TECHNIQUE FOR LEGACY SYSTEM RE-ENGINEERING EMOKPAE OSATOHANMWEN Dept of Computer Engineering, Institute of Opencast Mining and Technology. Agbor Road Benin City, Nigeria. E-mail:[email protected] Abstract - Many organizations are still faced with the problems of converting applications written in legacy compilers such as COBOL, PASCAL ANS FORTRAN etc. into internet compliant applications. This has become necessary because most internet-based applications are written in C++, Java and Ms.Net. The objective of this paper is to show how information system integration can aid in the forward engineering of legacy system. Software re-engineering covers the examination and alteration of legacy system in order to rebuild it according to modem software engineering methods and technologies in a forward engineering process. Information system integration provides a means for both understanding and capturing about the application and its domain and re-developing the system based on change requirement. Information system integration helps to rebuild any legacy by adopting modern software engineering principles, methods and technologies, which allows systems to architecture engineers over the years have devises many modernization techniques. This paper evaluates the use of information system integration as a veritable technique for transformation of legacy system. Keywords - COBOL, PASCAL, FORTRANS, C++,Java Ms.Net etc I. INTRODUCTION streamlining business processes to the software used. There are five levels of integrating information Many organizations are still faced with the problem system, which include data, data management, of converting applications written in Legacy middleware, application and user interface (Bizer, compilers such as COBOL, Pascal and FORTRAN 2003).
    [Show full text]
  • The 2020 Guide to Legacy System Innovation
    The 2020 Guide to Legacy System Innovation Legacy Systems The Keys A New Freedom for 2 APIs 4 6 8 Meet the to Freedom Approach to the Future 21st Century Modernization. The 2020 Guide to Legacy System Innovation Legacy Systems Meet the 21st Century egacy systems running on mainframe computers are at the heart of our economy – and our society. L They are an essential part of our tax systems, our social services, and our public safety. They also run the stock market, our financial institutions, ATMs, transportation systems and utility grids. In fact, we use them all the time and likely don’t even know it. For state and local governments, these legacy systems are a mixed blessing. On the one hand, they have provided extraordinary reliability. They’ve proved themselves with successful track records of 20, 30, or APIs even 40 years. On the other hand, they are rigid, and some would even say fragile, closed and expensive to maintain. Making changes to a legacy system is costly, risky, and prone to failure. Also, legacy systems are by nature siloed systems that keep their data locked inside where it’s safe, but inaccessible. As one senior public sector IT executive put it, “I feel like my data is in jail.” For decades, agencies have been looking for freedom include day-to-day operations, staffing, responding to from legacy systems—a way off of their existing systems. pressure for innovation from elected officials, application Software AG offers a better, stronger alternative: the users and citizens themselves, and complying with Freedom for Legacy solution.
    [Show full text]
  • Impact Analysis of Legacy System Migration to the Cloud Environment: a Focused Study
    ISSN 2278-3091 Volume 9, No.1, January – February 2020 H. SeetharamaTantry et al., International Journal of Advanced Trends in Computer Science and Engineering, 9(1), January – February 2020, 134 – 141 International Journal of Advanced Trends in Computer Science and Engineering Available Online at http://www.warse.org/IJATCSE/static/pdf/file/ijatcse21912020.pdf https://doi.org/10.30534/ijatcse/2020/21912020 Impact Analysis of Legacy System Migration to the Cloud Environment: A Focused Study H. SeetharamaTantry1, Murulidhar N.N2., K. Chandrasekaran3 1 Department of Mathematics & Computational Sciences, National Institute of Technology Karnataka, Surathkal, India, e-mail: [email protected] 2 Department of Mathematics & Computational Sciences, National Institute of Technology Karnataka, Surathkal, India, e-mail: [email protected] 3 Department of Computer Science and Engineering, National Institute of Technology Karnataka, Surathkal, India, e-mail: [email protected] ABSTRACT creating, and recycling the software modules and platforms when expected maintenance follow-ups can never again Although “Legacy System” frameworks are frequently accomplish the ideal framework properties. The essential worked over numerous years by a blend of IT and business point of software modernization [1] is to decrease support specialists. They stay inflexible inside the authoritative cost and increase adaptability. The majority of these setting and business speculation made by practical frameworks were created years back and have kept on applications. Semantic Design provides highly automated advancing. New necessities have repeated changes on these tools and services to migrate legacy system to a new legacy system bringing about unstructured source code that platform. The proposed migration of the legacy software life is hard to keep up.
    [Show full text]
  • Enterprise Application Integration Using Service Oriented Architecture with Generic Pattern
    International Journal of Current Engineering and Technology E-ISSN 2277 – 4106, P-ISSN 2347 - 5161 ® ©2014 INPRESSCO , All Rights Reserved Available at http://inpressco.com/category/ijcet Research Article Enterprise Application Integration using Service Oriented Architecture with Generic Pattern Nilesh Vishwasrao PatilȦ*, M. C. KshirsagarȦ and P. C. JaypalȦ ȦVishwbharati Academy College of Engineering, Ahmednagar, Pune University Accepted 01 Oct 2014, Available online 10 Oct 2014, Vol.4, No.5 (Oct 2014) Abstract Nowadays the computer world is almost migrating from the tightly coupled architecture to loosely coupled architecture directly or indirectly. There are many intentions of Enterprise Application Integration in the organizations to achieved desired functions. The main objective of the Enterprise Application Integration is to implement integration layer between heterogeneous and/or homogeneous systems using Service Oriented Architecture in the direction of achieving the loosely coupled architecture. The integration architecture we have today is very limited and need to improve it as agile as possible. The reusability is not the new thing for software industry; it has been playing the crucial part in the software life cycle development process from last decade. Software industry has achieved the powerful accomplishment in throughput and preeminence because of reusability in software development process instead of creating same thing again and again. In this paper, we will discuss about Enterprise Application Integration using Service Oriented Architecture for achieving loosely coupled architecture directly or indirectly with the help of Web Services or Messaging Queue services. Keywords: SOA: Service Oriented Architecture, WS: Web services, WSDL: Web Service Description/Definition Language, W-SOA: Web Service Oriented Architecture, ESB: Enterprise Service Bus.
    [Show full text]
  • Addressing Software Related Issues on Legacy Systems – a Review
    INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 03, MARCH 2020 ISSN 2277-8616 Addressing Software Related Issues On Legacy Systems – A Review Mubashir Ali, Shahzad Hussain, Mahmood Ashraf, Mahnoor Khalid Paracha Abstract: In current technological era, organizations and systems are moving towards automation. Software development always played a sensitive role and software maintenance continually bring challenges for developers. The problem of legacy systems is continuously travels with time. Technologically outdated software or computer systems are known as legacy systems. While software or system development, whatever technique or technology adopted by developers, current developed systems will be the legacy of future. Due to constant advancement in computing, legacy systems are not supporting the technologically updated software. Replacing or updating legacy systems and development of requirement oriented new systems as substitute brings many challenges like budget, time, data movement, training etc. Most of the small level and middle level companies are not able to face these challenges. This paper will conduct an extensive review to highlight the software related issues and their respective solution on legacy systems. The old legacy systems will be used with technologically updated software to fulfill the current requirements. This solution made the scope wider by reusing the available system, refining it with latest features, providing architecture of updated software installation and maintenance that reduce
    [Show full text]
  • Mitigating Cyber Security Risks in Legacy Process Control Systems
    Process Solutions White Paper Mitigating Cyber Security Risks in Legacy Process Control Systems Executive Summary The term “legacy process control system” has different connotations for different people. To many, it refers to proprietary systems from a past era. To others, the term may imply the new generation DCS that have been founded on open technology, or systems using no-longer-supported Microsoft operating systems. These systems have fundamentally different architectures and present different risks. The continuous evolution of the DCS enabled organizations to protect the investment in equipment and control strategies over long periods of time. However, interfacing decades- old controllers with current technology also makes this equipment indirectly vulnerable to attack. All these systems have one common denominator: they experience gaps in support. This makes them more vulnerable than contemporary systems. This white paper will discuss various techniques for protecting legacy systems, the problems surrounding these techniques, and new methods for analyzing security. Mitigating Cyber Security Risks in Legacy Process Control 2 Systems Table of Contents Introduction ..................................................................................................................................................................................................... 3 How to Prevent or Delay a System from Becoming a Legacy System ................................................................................................... 4 Prevention
    [Show full text]
  • Administering Evergreen Through the Command Line Documentation Interest Group Administering Evergreen Through the Command Line Documentation Interest Group
    Administering Evergreen through the Command Line Documentation Interest Group Administering Evergreen through the Command Line Documentation Interest Group Report errors in this documentation using Launchpad. Table of Contents I. Introduction ............................................................................................................................................................. 7 1. About This Documentation ............................................................................................................................... 9 2. About Evergreen ............................................................................................................................................ 10 II. Installing Evergreen ............................................................................................................................................... 11 3. System Requirements ..................................................................................................................................... 14 Server Minimum Requirements .................................................................................................................... 14 Web Client Requirements ........................................................................................................................... 14 Staff Client Requirements ........................................................................................................................... 14 4. Installing the Evergreen server ........................................................................................................................
    [Show full text]
  • Legacy Systems Management Needs Improvement
    TREASUR Y INSPECTOR GENERAL FOR TAX ADMINISTRATION Legacy Systems Management Needs Improvement August 19, 2020 Reference Number: 2020-20-044 [email protected] | www.treasury.gov/tigta | 202-622-6500 This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document. 1 To report fraud, waste, or abuse, please call us at 1-800-366-4484 HIGHLIGHTS: Legacy Systems Management Needs Improvement Final Audit Report issued on August 19, 2020 Reference Number 2020-20-044 Why TIGTA Did This Audit What TIGTA Found This audit was initiated to assess The IRS has not developed specific or long-term plans to address the IRS’s efforts to identify and updating, replacing, or retiring most of its legacy systems. Through replace its legacy systems. various initiatives, the IRS identified 45 systems for modernization or candidates for modernization and 34 systems for retirement. Impact on Taxpayers While various business units and functions have differing definitions Legacy systems are critical for of a legacy system, the IRS does not have an enterprise-wide many organizations because definition or a complete and accurate inventory of legacy systems. By they support key mission applying the Information Technology organization’s definition of a functionalities. However, they legacy system to the As-Built Architecture (ABA) as of April 29, 2020, can also carry significant risks, TIGTA determined that 288 (43 percent) of the 669 systems in the including increased cybersecurity IRS’s production environment had missing information that prevented threats and maintenance costs.
    [Show full text]
  • Microsoft Windows "Chicago"
    Microsoft Windows ‘‘Chicago’’ Reviewer’s Guide Beta-1 The information discussed in this guide is based on features and functionality present either in the Beta-1 release of Chicago, or planned for a future release. The discussion of Chicago herein, does not represent a commitment on the part of Microsoft for providing or shipping the features and functionality discussed in the final retail product offerings of Chicago. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Table of Contents INTRODUCTION ....................................................1 Welcome ..................................................................................1 Chicago Mission......................................................................1 Where We’ve Been.................................................................................................1 Where We Are Today.............................................................................................1 Where We’re Headed .............................................................................................2 How We Get There.................................................................................................3 A Quick Preview of Chicago’s Top Features ........................4 Even Easier.............................................................................................................4 Faster and More Powerful ......................................................................................5
    [Show full text]
  • Challenges and Success Factors in the Migration of Legacy Systems to Service Oriented Architecture (SOA)
    School of Technology Department of Computer Science Master Thesis Project 30p, Spring 2014 Challenges and success factors in the migration of legacy systems to Service Oriented Architecture (SOA) By Nataliya Vlizko Supervisor: Annabella Loconsole Examiner: Paul Davidsson Abstract Service-Oriented Architecture (SOA) provides a standards-based conceptual framework for flexible and adaptive systems and has become widely used in the recent years because of it. The number of legacy systems has already been migrated to this platform. As there are still many systems under consideration of such migration, we found it relevant to share the existing experience of SOA migration and highlight challenges that companies meet while adopting SOA. As not all of these migrations were successful, we also look into factors that have influence on the success of SOA projects. The research is based on two methods: a literature review and a survey. The results of the thesis include identification and quantitative analysis of the challenges and success factors of SOA projects. We also compare the survey results for different samples (based on the company industry, work area, size, and respondents experience with SOA and respondents job positions). In total, 13 SOA challenges and 18 SOA success factors were identified, analyzed and discussed in this thesis. Based on the survey results, there are three SOA challenges received the highest importance scores: “Communicating SOA Vision”, “Focus on business perspective, and not only IT perspective” and “SOA Governance”. The highest scored SOA success factor is “Business Process of Company”. While comparing different samples of the survey results, the most obvious differences are identified between the results received from people with development related job positions and people with business related job positions, and the results from companies of different sizes.
    [Show full text]