Isolation of Legacy Systems
A View on Security Concerns for Non-Isolated Legacy Systems

Authors: Christoph Falta and Christoph Mahrl, Version 1.0, Date: 5 November 2015

1. Introduction

Legacy systems, a term for out-of-date methods, technologies, systems or applications, are considered problematic because their continued use often implies security-relevant issues and can therefore impact enterprise operations.

Nevertheless there can be compelling reasons for keeping a legacy system, and these have to be taken into account. They include:

 Costs of migrating to and redesigning a new system
 High availability requirements of the legacy system
 Lack of understanding and documentation of the old system, which would be needed to redesign a new one
 Lack of vendor support to migrate the legacy system to a new platform
 Stability concerns about a new system
 The legacy system already runs satisfactorily

In general, running legacy systems is dangerous. Older operating systems and applications contain known vulnerabilities for which security patches are either no longer available or have not been applied, which puts these systems at risk of being compromised.

Enterprises should always take this risk into account, as cyber-crime is a growing and ongoing concern, confirmed by the following surveys and reports:

 In 2014 T-Systems1 reported that about 92% of enterprises in Austria expected cyber-crime incidents and 14% reported daily attacks.
 According to PWC2 about 90% of large organizations suffered a security breach in 2015, while nearly three quarters of small organizations reported a security breach.
 A BITKOM3 survey stated that over 50% of German companies fell victim to espionage, sabotage or data theft attacks in 2015.
 Kaspersky4 reported in 2014 that 94% of companies had encountered an external security incident over the preceding 12 months and 87% had had to deal with an internal security issue.

This whitepaper therefore discusses proactive and reactive security measures that can be implemented in order to mitigate the risks posed by legacy systems. It is intended for organizations where immediate migration is not an option.

1 Cyber-Security Report 2014, T-Systems, 2014

2 Information Security Breaches Survey, PWC, 2015

3 Digitale Wirtschaftsspionage, Sabotage und Datendiebstahl 2015, BITKOM, 2015

4 IT Security Risks Survey 2014, Kaspersky, 2014


2. Management Summary

This whitepaper discusses proactive and reactive security measures that can be implemented in order to mitigate the risks posed by legacy systems. It is intended for organizations where immediate migration is not an option; the discussed techniques therefore aim at providing secure and cost-efficient countermeasures.

Two kinds of countermeasures are discussed: proactive and reactive. Proactive security measures harden a legacy system against attacks in order to either prevent an attack altogether or reduce the impact of a successful one. Reactive security measures provide the tools needed to detect, respond to and recover from an attack in an efficient and coordinated way.

Figure 1 – Proactive and reactive countermeasures

The protection of legacy systems is challenging and must be addressed as a continuous process, not as a task or project with a fixed end date. It is therefore essential not only to implement technical countermeasures but also to put in place a vulnerability management process that integrates tightly with existing risk assessment strategies, continuously monitors the legacy systems and allows quick adaptation to new threats.

New vulnerabilities in legacy systems will keep appearing after the countermeasures have been designed. Being prepared for change is a key component of success.


3. Proactive Security

A proactive approach that prevents malware and other attacks before expensive damage occurs is indispensable. Security does not begin with the detection of an attacker inside the network; this does not make reactive measures unnecessary, but in order to avoid a compromise in the first place, a proactive scheme plays a critical role in an organization's cyber defense.

3.1 Secure Network Engineering

Minimizing opportunities for attackers begins with properly securing the network environment. A key component of secure network engineering is the physical and / or logical separation of IT systems into different network zones, each with a defined purpose. On this basis, network traffic is filtered between the segments, and boundary defense solutions such as firewalls and proxies enforce controlled network flows across network borders and segments, allowing only specific traffic according to the “Least-Privilege” principle.

3.1.1 Network Segmentation

An elaborate design and implementation of a network in which the environment is separated into different zones, each meeting defined security requirements, is very important. A three-tier architecture (DMZ, middleware and private network) is recommended as a minimum, in order to have more granular control of system access and additional boundary defenses.

The general purpose of network segmentation using dedicated zones, each of which may consist of one or more network segments, is to control which systems and services are reachable from a given segment. If a system is compromised, the attacker is restricted by the policy applied to the part of the network the system belongs to. A legacy system should therefore be placed in its own segment, so that only the flows it actually needs are permitted. Examples of zones usually deployed are:

 Public domain and guest zone
 External server zone / Demilitarized zone (DMZ)
 Internal server zone
 Internal client zone
 Internal system management zone

To sustain network security, adequate segmentation is necessary on all relevant layers of the OSI model. The segmentation techniques described here apply to OSI layers 1 to 4; security on layers 5 to 7 is application-dependent and is addressed by application firewalls and proxies (see 3.1.2 Boundary Defense). Different segmentation techniques apply on different OSI layers:

 Physical Layer
On layer 1, network access is physically separated by using dedicated hardware such as switches, access points, etc. Where possible and economically feasible, it is recommended to isolate critical services from each other on dedicated hardware.


 Data Link Layer
On layer 2, a physical network is logically separated into different VLANs. Each network segment is assigned a dedicated VLAN to ensure proper separation. VLAN separation is only as strong as the switch configuration (trunk ports, native VLAN assignments, management access); it complements rather than replaces filtering on layers 3 and 4.

 Network Layer and Transport Layer
On layers 3 and 4, network traffic is filtered between zones and networks by various types of boundary defense appliances (see 3.1.2 Boundary Defense).

3.1.2 Boundary Defense

Systems that are reachable from the Internet are at risk, as attackers use them as primary targets to gain initial access to an organization. This includes DMZ systems, workstations, laptops etc. that interact with other systems on the Internet across network boundaries.

Weaknesses in the configuration and / or architecture of perimeter appliances and network devices are a common way for attackers to gain access to an organization. Once attackers control these systems, they often manage to extend their access inside the target network. Eventually they steal or alter information and / or establish a persistent presence for later attacks, in the worst case without anyone noticing for months or years.

To reduce the chance of a successful attack, the flow of traffic through network boundaries has to be controlled thoroughly, looking for restricted and suspicious traffic such as botnet communication, internal attacks or evidence of compromised machines. It is recommended to implement boundary defense at multiple layers within the network, relying on firewalls, proxies and network-based IDS/IPS to filter inbound and outbound traffic:

 Boundary defense
o Boundary defense appliances should not only defend the organization's perimeter but all network segments, including internal boundaries such as
. external / internal server zones
. client zones
 Firewall
o Firewalls ensure that only explicitly allowed traffic (according to the “Least-Privilege” principle) reaches systems, services or ports.
o Traffic that is not explicitly allowed is denied by default.
o Network flow is further reduced by using blacklists of malicious IP addresses that are filtered throughout the corporate network.
 Application Firewall
o A dedicated application firewall in front of every critical server is recommended, as it additionally validates and verifies traffic from and to the server and filters non-authorized traffic.
 Proxy
o Communication between DMZ systems and private networks should occur over application proxies to prevent direct access to internal networks and mitigate security risks.
 IDS/IPS
o Malicious activities and intrusive network behavior are detected and filtered by network-based IDS/IPS, which is highly recommended in order to contain potential damage.
o Breach Detection Systems (BDS), which incorporate IDS/IPS technology, can be used instead to check not only traffic but also transported files and executables for malicious content (see chapter 3.3 Breach Detection and Prevention).
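The zone model of 3.1.1 and the default-deny firewall policy of 3.1.2 can be checked mechanically. The following is an added example, not code from the whitepaper or its authors: it encodes a zone matrix with an explicit allow-list (every flow not listed is denied) and evaluates constructed flow records against it, so that a legacy host's permitted connections are visible and any other traffic shows up as a violation. The zone names follow the list above; the CIDRs, the allowed flows and the sample records are assumptions made for this example.

```python
"""Zone-based flow policy check with default deny.

Added example, not part of the whitepaper. Models the zone matrix of
section 3.1 (each zone may hold several segments) and evaluates observed
flows against it. Zone CIDRs, the allowed-flow list and the flow records
are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

# Zones as listed in section 3.1.1 plus a dedicated legacy segment;
# the address ranges are assumptions for this example.
ZONES = {
    "guest":        ["192.168.100.0/24"],
    "dmz":          ["10.10.0.0/24"],
    "internal_srv": ["10.20.0.0/24"],
    "internal_cli": ["10.30.0.0/23"],
    "mgmt":         ["10.99.0.0/24"],
    "legacy":       ["10.40.0.0/28"],   # isolated segment for legacy hosts
}

# Explicitly allowed flows (src_zone, dst_zone, proto, dst_port).
# Everything not listed here is denied ("least privilege").
ALLOWED = {
    ("internal_cli", "dmz",          "tcp", 443),
    ("internal_cli", "internal_srv", "tcp", 445),
    ("internal_srv", "legacy",       "tcp", 1433),  # app server -> legacy DB
    ("mgmt",         "legacy",       "tcp", 3389),  # admins only via management zone
    ("mgmt",         "internal_srv", "tcp", 22),
    ("legacy",       "internal_srv", "udp", 514),   # legacy host ships syslog out
}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(ip):
    """Return the zone name containing ip, or None if the address is unzoned."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def evaluate(flow):
    """Return ('allow' | 'deny', reason) for a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unzoned address"
    if src_zone == dst_zone:
        return "allow", "intra-zone"   # host-level filtering still applies here
    key = (src_zone, dst_zone, flow.proto, flow.dport)
    if key in ALLOWED:
        return "allow", "explicit rule"
    return "deny", f"no rule {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def violations(flow_log):
    """Parse 'src dst proto dport' records and return the denied flows."""
    denied = []
    for line in flow_log.strip().splitlines():
        src, dst, proto, dport = line.split()
        flow = Flow(src, dst, proto, int(dport))
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records, as a firewall log or NetFlow export would show them.
SAMPLE_FLOWS = """
10.30.0.15 10.10.0.5 tcp 443
10.20.0.8 10.40.0.3 tcp 1433
10.30.0.15 10.40.0.3 tcp 3389
10.40.0.3 10.20.0.9 udp 514
10.40.0.3 203.0.113.7 tcp 443
192.168.100.23 10.40.0.3 tcp 445
"""

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the sample, three records are flagged: a client connecting to the legacy host over RDP without going through the management zone, the legacy host reaching out to an address outside every zone, and a guest-network host probing SMB on the legacy segment. The same matrix can be fed into the real firewall policy, and the check can be rerun on exported flow logs to confirm the policy is actually being enforced.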

3.2 System Hardening

Hardening is one of the most important aspects of system security, since it is a flexible approach that can prevent or slow down a wide range of attack vectors. However, because it is complex and time-consuming, hardening is often neglected.

For legacy systems, hardening is again a very important part of the overall isolation strategy. By definition, a legacy system will carry numerous vulnerabilities that cannot easily be mitigated, due to the lack of updates or general vendor support. Reducing the attack surface, and with it the chance of successful exploitation, is therefore a key component in mitigating the continuously growing risk of running a legacy system.

3.2.1 Adhering to Security Principles

The most important principle in system hardening is the “Least-Privilege” principle: a subject must be able to access only the information and resources necessary for its legitimate purpose. In practice, this means that a user account should only have the rights and privileges essential to complete its tasks. This includes, but is not limited to:

 Limit User Account Privileges
o Distinguish the different kinds of users that access the legacy system. Grant those user groups only the minimum privileges necessary.
. Refrain from granting standard users administrative privileges.
o Distinguish the different kinds of administrators that access the legacy system.
. If different groups of system administrators are involved (e.g. server administrators, database administrators, web server administrators…), make sure every group has only the minimum level of privileges assigned.
. For example: Does the SQL admin need to log on interactively to the system? Does the SQL admin need administrative privileges on the operating system, or are administrative privileges inside the database enough?
 Limit Service Account Privileges
o Do not, under any circumstances, use privileged accounts (e.g. “SYSTEM” or “root”) to run a service on the legacy system. Since software vulnerabilities cannot be patched, running a vulnerable service with high privileges is a tremendous risk: a compromised service then hands the attacker the whole host. Run each service under a dedicated, unprivileged account with write access only to the directories it needs.
 Strengthen Account Security
o Implement a strong password policy to reduce the risk of accounts being compromised through weak passwords.
o Implement multi-factor authentication where possible to further strengthen account security.
o Regularly audit accounts to prevent password re-use between legacy and standard systems; a legacy system whose credentials can be dumped must not share them with the rest of the estate.

3.2.2 Attack Surface Reduction

Reducing the number of potentially vulnerable interfaces (e.g. services, communication interfaces…) reduces the likelihood of successful exploitation. Typically this includes, but is not limited to:

 Operating System
o On a Windows operating system, uninstall any features or server roles that are not necessary to run the system as intended. Use tools like the “Security Configuration Wizard”5 to identify unnecessary services and create a reusable security configuration.
o On a Linux/Unix operating system, uninstall all packages that are not necessary to run the system as intended. Use the built-in package management system (e.g. yum, apt…) to find dependencies and remove all unused software.
o Afterwards, verify the result: list the ports the host still listens on and confirm that each one belongs to a required service running under the intended account.
 Application
o As with the operating system, reduce the amount of logic (and with it the number of possible vulnerabilities) by uninstalling or disabling application components.
o For example: If the legacy system runs an Apache web server, disable every module that is not required to run it.
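Once unnecessary roles and packages are gone, the remaining listeners should be compared against the short list of services the host is actually supposed to offer, together with the account each one runs under (3.2.1). The following added example, not from the whitepaper, does that for a Linux host by joining `ss -tlnp` and `ps -eo pid,user,comm` output; the two commands are real, but the sample output, the allow-list and the service names are assumptions constructed for this example.

```python
"""Audit listening TCP services on a legacy host against a minimal allow-list.

Added example, not from the whitepaper. Joins constructed `ss -tlnp` and
`ps -eo pid,user,comm` output and flags listeners that are not required
(attack surface, section 3.2.2) or that run as root although a service
account would do (least privilege, section 3.2.1). The allow-list and the
sample output are assumptions for this example.
"""
import re

# Required services for this host: port -> (process name, expected user).
REQUIRED = {
    22:   ("sshd", "root"),        # the sshd listener legitimately runs as root
    8080: ("java", "appsvc"),      # legacy application under a dedicated account
    5432: ("postgres", "postgres"),
}

# Constructed output of `ss -tlnp` (run as root so the process column is filled).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     0.0.0.0:8080      0.0.0.0:*         users:(("java",pid=1401,fd=27))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*         users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      5      0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=655,fd=4))
tcp   LISTEN 0      128    0.0.0.0:3306      0.0.0.0:*         users:(("mysqld",pid=1222,fd=10))
"""

# Constructed output of `ps -eo pid,user,comm`.
PS_OUTPUT = """\
  PID USER     COMMAND
  655 root     vsftpd
  812 root     sshd
  990 postgres postgres
 1222 root     mysqld
 1401 root     java
"""

SS_RE = re.compile(
    r'^tcp\s+LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ss(text):
    """Yield (port, process, pid, bound_address) for each TCP listener."""
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            yield int(port), proc, int(pid), addr


def parse_ps(text):
    """Map pid -> user from ps output (header line skipped)."""
    users = {}
    for line in text.splitlines()[1:]:
        pid, user, _cmd = line.split(None, 2)
        users[int(pid)] = user
    return users


def audit(ss_text, ps_text, required=REQUIRED):
    """Return findings as (action, port, process, message), sorted by port."""
    users = parse_ps(ps_text)
    findings = []
    seen = set()
    for port, proc, pid, addr in parse_ss(ss_text):
        user = users.get(pid, "?")
        seen.add(port)
        if port not in required:
            findings.append(("remove", port, proc,
                             f"not required: {proc} as {user} on {addr}:{port}"))
            continue
        want_proc, want_user = required[port]
        if proc != want_proc:
            findings.append(("investigate", port, proc,
                             f"unexpected process {proc} on {port}, expected {want_proc}"))
        elif user == "root" and want_user != "root":
            findings.append(("deprivilege", port, proc,
                             f"{proc} runs as root, expected service account {want_user}"))
    for port in required.keys() - seen:
        findings.append(("missing", port, required[port][0],
                         "required service is not listening"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for action, port, proc, msg in audit(SS_OUTPUT, PS_OUTPUT):
        print(f"{action:12} {port:5} {proc:10} {msg}")
```

On the sample host the audit reports two listeners to remove (an FTP daemon and a MySQL instance nobody put on the allow-list) and one service to move off the root account (the legacy Java application). Rerunning it after every change, and after every reboot, catches services that were re-enabled by an installer or a forgotten init script.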

3.2.3 Host-based Intrusion Detection

A host-based intrusion detection system (HIDS) monitors internals of an operating system, including configuration files, the registry, running processes and more, with the goal of detecting suspicious behavior and alerting accordingly.

A HIDS can be another vital part of hardening a legacy system, since it helps to detect an attack that is in progress or has already succeeded. Intrusion detection systems are currently undergoing a transformation and may be incorporated into other technologies or solutions, as discussed in chapter 3.3 Breach Detection and Prevention. Note that a HIDS agent must itself be supported on the legacy operating system; where it is not, the network-based and hypervisor-based options of chapters 3.3 and 3.4 are the alternatives.

3.3 Breach Detection and Prevention

Breach detection is an integral part of cyber defense, especially if organizations still operate legacy systems that may be vulnerable because of missing security patches. In recent years intrusion detection systems, responsible for identifying malicious activities and attacks within the corporate network, have evolved into next generation intrusion detection systems or breach detection systems, as NSS Labs defines them.

5 https://technet.microsoft.com/en-us/library/cc754997.aspx

Breach detection systems (BDS) help secure enterprise networks by providing protection against malware and other types of attacks, including advanced persistent threats and 0-day attacks. Using sensors, either dedicated or integrated into a single appliance, BDS products monitor network traffic thoroughly and apply content and flow analysis. Like traditional IDS/IPS, BDS products attempt to detect malicious activities such as connections to known malicious websites or traffic from a compromised host acting as a botnet client.

Additionally these systems inspect network traffic deeply to extract data such as files, mails and drive-by downloads for further analysis. Typically a combination of signature-based and heuristics-based detection is applied to identify malicious files. Signature-based mechanisms are a quick but reactive approach, since they rely on the vendor already having examined the file and classified it as malicious; heuristics-based mechanisms provide a dynamic, proactive approach.

Heuristic methods include behavioral analysis, where potentially malicious files are executed and monitored in a controlled sandbox; a file that behaves conspicuously is likely to be classified as malware. File analysis is another heuristic method, where the instructions of a file are examined in depth to assess whether it is malicious. Both produce false positives and can be evaded by malware that recognizes the sandbox, so heuristic verdicts should be treated as indicators rather than proof.

Good detection rates for malicious files and network traffic depend heavily on the engine as well as on threat intelligence data (e.g. file, IP and URL reputation) that is often obtained from a vendor's proprietary cloud. According to NSS Labs, BDS products provide at least one of the following capabilities:

 Signature-based and / or heuristics-based malware identification
 Network traffic analysis
 Sandboxing that allows for modeling internal systems, such as workstations and servers
 Browser emulation
 Domain reputation identification
 Response mechanisms, e.g. alerting, session termination, etc.
 Reporting on compromised hosts

It appears that breach detection systems (BDS), next generation firewalls (NGFW) and intrusion detection and prevention systems (IDS/IPS) will merge into unified threat management solutions in the near future. Many of the leading firewall appliance vendors (e.g. Cisco, Check Point, Juniper…) have already integrated features intended to protect against APTs and 0-day attacks. However, since unified platforms may suffer from technology bloat, an organization should consider implementing dedicated solutions specializing in breach detection, such as:

 Lastline
 FireEye
 Trend Micro Deep Discovery Inspector
 Ahnlab MDS

3.4 System Virtualization

Organizations that need to preserve legacy IT systems should consider migrating them into a virtualized environment. This facilitates centralized management of all legacy systems on a single hypervisor and offers the opportunity to consolidate hardware and improve performance as well as security.

Virtualization improves security by allowing a more effective and efficient backup and recovery strategy: virtual machine images can easily be backed up or snapshotted and quickly restored when needed. Furthermore, a virtualized legacy system runs inside the isolation boundary of the hypervisor. That boundary covers the guest's access to host hardware and to other guests; it does not cover the network, so a virtualized legacy system still needs the segmentation and boundary defense of chapter 3.1, and snapshots of a system that contains credentials or regulated data must be stored with the same protection as the system itself.

Another problem with legacy systems can be the lack of support from anti-virus or endpoint protection products. Since legacy systems typically run old operating systems, today's anti-malware solutions may not provide the same functionality or may not run at all on them. Hypervisor-based malware protection, which monitors the virtualized system from outside the guest, can mitigate this by detecting and interrupting malicious activity without requiring an agent inside the legacy operating system.


4. Reactive Security

When proactive security measures were not effective or simply did not exist, organizations must be prepared to take reactive action and have a well-performing incident response process available. Effective cyber defense needs a combination of both proactive and reactive approaches to combat attacks and reduce the risks arising from legacy systems to an acceptable level.

4.1 Data Recovery

Data is crucial to protect, since it is what keeps the business running. Data loss can have a significant impact on an enterprise in terms of cost, reputation and other key aspects. It is therefore of utmost importance to establish processes and tools that back up critical information properly, so that it can be recovered in time whenever needed. Especially after an attack in which systems and data have been compromised, it can be very difficult to remove every trace of the attacker's presence, and restoring from a known-good backup is often the only reliable way to do so. A good backup and recovery strategy protects against compromise but also against other scenarios, such as:

 Accidental / intentional loss or alteration of user data
 Database failures
 Hardware failures
 Natural disasters
 …

When developing a backup and recovery plan, many things have to be taken into account, such as what data actually needs to be backed up and how often. A good backup and recovery plan should at least cover the following questions:

 How important is the data on your systems?
o Determine which data is important to the enterprise, and always consider individuals, because data that seems unimportant to one person may be important to another.
o Develop different backup plans, e.g. critical data should be backed up redundantly, whereas regular backup of unimportant data is sufficient.
 How often does the data change?
o Consider the frequency of data change; if data changes daily, daily backups should be scheduled.
 How quickly do you need to recover the data?
o Critical data may need to be recovered very quickly, for which reason you might have to adapt the backup plan.
 Do you have the equipment to perform backups?
o In order to back up data, backup hardware and media have to be acquired, such as
. tape drives
. magneto-optical drives
. DAT drives
. …
 Who will be responsible for the backup and recovery plan?
o It is recommended to have a primary contact for the backup and recovery plan.
o This person may also be responsible for actually performing backups and recoveries.
o Whenever a backup is made, it should also be tested to confirm that it can actually be restored; an untested backup is not a backup.
 What is the best time to schedule backups?
o Determine the best time to schedule backups of key data to avoid interruptions.
 Do you need to store backups off-site?
o Protection against natural disasters is ensured by storing redundant backups off-site.
o Consider also keeping copies of the software needed to restore the backup at the off-site location; for a legacy system this includes installation media and licenses that may no longer be obtainable.

Data backup and recovery is a comprehensive task combining organizational and technical processes to ensure protection against data loss. Virtualization (see chapter 3.4 System Virtualization) can speed up these processes, especially recoveries, but a good backup and recovery strategy remains indispensable to sustain enterprise operations in case of failure.
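The question list above ends with the point that every backup must be tested. The following added example, not from the whitepaper, shows one way to make that test routine: it writes a directory to a compressed archive together with a SHA-256 manifest, then proves the backup by restoring it into a scratch directory and comparing every restored file against the manifest. The directory layout and file contents created in demo() are constructed; nothing touches a real backup target.

```python
"""Create a backup archive with a hash manifest and verify it by a test restore.

Added example, not from the whitepaper. Implements the "test every backup"
point of section 4.1 for a directory of files. All paths are created in a
temporary directory; the sample files in demo() are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map relative path -> sha256 for every regular file under src_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_of(full)
    return manifest


def backup(src_dir, archive_path):
    """Write src_dir to a gzip tarball and a JSON manifest beside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, sort_keys=True)
    return manifest


def _extract(tar, dest):
    # Python 3.12+ (and patched 3.8-3.11) accept a safe extraction filter that
    # rejects absolute paths and path traversal; fall back on older interpreters.
    try:
        tar.extractall(dest, filter="data")
    except TypeError:
        tar.extractall(dest)


def verify_restore(archive_path):
    """Restore into a scratch directory and compare every file hash.

    Returns (ok, problems); problems lists missing, altered or unexpected files.
    """
    with open(archive_path + ".manifest.json") as f:
        expected = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            _extract(tar, scratch)
        actual = build_manifest(os.path.join(scratch, "data"))
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing: {rel}")
            elif actual[rel] != digest:
                problems.append(f"altered: {rel}")
        for rel in actual.keys() - expected.keys():
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Back up a constructed directory, verify it, then show a failed verification."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "legacy_app")
        os.makedirs(os.path.join(src, "conf"))
        with open(os.path.join(src, "conf", "app.ini"), "w") as f:
            f.write("[db]\nhost=10.40.0.3\n")          # constructed sample config
        with open(os.path.join(src, "data.db"), "wb") as f:
            f.write(b"\x00\x01" * 2048)                # constructed sample data
        archive = os.path.join(work, "legacy_app.tar.gz")
        backup(src, archive)
        ok_clean, _ = verify_restore(archive)
        # Simulate an archive that no longer matches its manifest (stale or
        # corrupted backup) by altering one recorded hash.
        mpath = archive + ".manifest.json"
        with open(mpath) as f:
            m = json.load(f)
        m["data.db"] = "0" * 64
        with open(mpath, "w") as f:
            json.dump(m, f)
        ok_tampered, problems = verify_restore(archive)
        return ok_clean, ok_tampered, problems


if __name__ == "__main__":
    print(demo())
```

The manifest is the part that makes the restore test meaningful: without a record of what the files looked like at backup time, a restore that silently returns a corrupted or stale copy looks identical to a good one. For a production legacy system the same check is run against a restore onto separate hardware or a separate virtual machine, since it must also prove that the application starts from the restored data.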

4.2 Continuous Monitoring and Event Correlation

Insufficient security logging and analysis allows attackers to hide their presence, including their location, malicious software and activities on compromised machines. If enterprises do not keep protected and complete log records, the details of an attack and the attacker's actions, often the only evidence of a successful attack, are simply missing. Attackers also exploit the fact that many organizations analyze logs poorly or not at all, which can give them control over victim machines for months or years without anyone knowing.

Security logging and analysis is therefore a fundamental technical and organizational process that heavily influences overall security. Especially when organizations operate legacy systems, it is very important to monitor these systems continuously and correlate security events in order to respond quickly to security incidents.

Organizations should consider the following for effective and efficient logging and monitoring:

 Security personnel
o Security personnel are responsible for running reports on a regular basis that identify anomalies in logs. These should be actively reviewed and documented in order to respond properly to an incident.
 Log analysis
o Deploy a SIEM (Security Information and Event Management) tool that allows log aggregation and consolidation for deep log analysis. It correlates security events and reports on potentially malicious activity.
 Log policy
o Develop comprehensive logging policies to ensure that security-relevant events of corporate machines are monitored, each written to dedicated logging servers. Forwarding logs off the host matters particularly for legacy systems, because a compromised legacy system cannot be trusted to preserve its own records. Additionally, a log retention policy should make sure that logs are kept long enough in case they are needed at a later time. Digitally signing and archiving logs on a regular basis reduces the chance of manipulation.
 Log settings
o Validate audit log settings for hardware and software assets, ensuring that logs use a useful and standardized format such as syslog entries, and that clocks are synchronized so that events from different sources can be correlated.
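One correlation rule worth having for a legacy host whose own authentication controls cannot be upgraded is the combination of repeated failed logins with a later successful login from the same source. The following added example, not from the whitepaper, runs that rule over constructed syslog lines as a central log server would receive them from a legacy host; the line format is the one OpenSSH writes, but the host name, users, addresses and times are invented for this example.

```python
"""Correlate authentication events forwarded to a central syslog server.

Added example, not from the whitepaper. Implements one SIEM-style rule for
section 4.2: a threshold of failed logins from one source followed by a
successful login from the same source within a time window is reported as a
probable password-guessing success. A second function lists sources that
exceed the failure threshold regardless of outcome. The log lines below are
constructed; only their format follows OpenSSH.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Nov  5 09:12:01 legacy01 sshd[2210]: Failed password for root from 10.30.0.15 port 51022 ssh2
Nov  5 09:12:04 legacy01 sshd[2210]: Failed password for root from 10.30.0.15 port 51022 ssh2
Nov  5 09:12:09 legacy01 sshd[2214]: Failed password for admin from 10.30.0.15 port 51030 ssh2
Nov  5 09:12:15 legacy01 sshd[2218]: Accepted password for admin from 10.30.0.15 port 51034 ssh2
Nov  5 09:20:40 legacy01 sshd[2301]: Failed password for svc_backup from 10.99.0.7 port 40110 ssh2
Nov  5 09:20:45 legacy01 sshd[2303]: Accepted publickey for svc_backup from 10.99.0.7 port 40112 ssh2
Nov  5 10:02:10 legacy01 sshd[2410]: Failed password for root from 203.0.113.9 port 33001 ssh2
Nov  5 10:02:11 legacy01 sshd[2410]: Failed password for root from 203.0.113.9 port 33001 ssh2
Nov  5 10:02:12 legacy01 sshd[2411]: Failed password for root from 203.0.113.9 port 33002 ssh2
Nov  5 10:02:13 legacy01 sshd[2412]: Failed password for root from 203.0.113.9 port 33003 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port \d+'
)


def parse(log, year=2015):
    """Yield one dict per sshd authentication line with a parsed timestamp.

    Classic syslog lines carry no year, so the caller supplies it.
    """
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        yield ev


def correlate(log, threshold=3, window_s=300):
    """Return alerts (host, src, user, n_failures) for failures followed by success."""
    failures = defaultdict(list)       # (host, src) -> timestamps of failed logins
    alerts = []
    for ev in parse(log):
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["time"])
            continue
        recent = [t for t in failures[key]
                  if (ev["time"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append((ev["host"], ev["src"], ev["user"], len(recent)))
        failures[key].clear()          # a success closes the current attempt series
    return alerts


def brute_force_sources(log, threshold=3):
    """Return {(host, src): failures} for sources at or above the failure threshold."""
    counts = defaultdict(int)
    for ev in parse(log):
        if ev["result"] == "Failed":
            counts[(ev["host"], ev["src"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, src, user, n in correlate(LOG):
        print(f"ALERT {host}: {n} failures then success as '{user}' from {src}")
    for (host, src), n in brute_force_sources(LOG).items():
        print(f"NOTICE {host}: {n} failed logins from {src}")
```

On the sample the rule fires once, for the client that failed three times and then logged in as admin; the backup account's single typo followed by a key-based login stays below the threshold, and the external address that is still guessing appears only in the brute-force list. The two lists answer different questions, which is why a SIEM keeps both: the first is an incident, the second is a control that the firewall rules of chapter 3.1 should already have made impossible.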

4.3 Incident Response Management

When an attack occurs, an incident response management process is needed to respond to the incident quickly. If such a process is poorly run or non-existent, it will be too late to develop the right procedures and an organized approach for addressing and managing security breaches or attacks. The question of a successful cyber-attack against an enterprise is not “if” but “when”. Proper incident response management can limit damage, reduce recovery time, save costs and protect the enterprise's reputation.

An incident response infrastructure is needed to speed up the discovery of attacks and respond effectively in order to contain damage. This implies developing a comprehensive incident response plan, including a policy statement that defines terms, roles and responsibilities and provides step-by-step instructions to follow when an incident occurs.

According to the SANS Institute there are six steps to effectively handle incidents:

Figure 2 - Incident Response Process

1. Preparation
This step is crucial to ensure that response actions are known and coordinated, by developing a formal incident response infrastructure.

2. Identification
In the second step, incidents are identified and escalated to the appropriate individuals. Various security mechanisms (e.g. SIEM …) support security staff in identifying them.

3. Containment
In phase 3, incidents are examined and assessed to determine how far the problem has spread and to prepare a proper response. The main goal is to stop the attacker, contain the damage and regain control of victim machines. For a legacy system this is where the segmentation of chapter 3.1 pays off: the affected segment can be cut off at the firewall without taking the rest of the network down.


4. Eradication
The root cause of the incident is investigated to understand the attack vector, in order to subsequently remove it and clean up any traces left by the attack.

5. Recovery
In the recovery phase, machines are remediated (e.g. by restoring an image …) and put back into production to return to normal operational status. These machines are monitored periodically to ensure they have been remediated entirely.

6. Lessons learned
Lastly, the whole incident response process is reviewed using all information gathered about the specific incident. The goal is to identify what went wrong and what worked well, in order to continuously improve the process.

4.4 Continuous Risk Evaluation and Assessment

A structured and well-planned risk assessment process is a key component of every information security program. This is especially true for legacy systems, since these systems face a continuously changing risk level. Because software updates and bug fixes are usually unavailable for out-of-date legacy systems, the number of potential security vulnerabilities keeps increasing: new vulnerabilities become publicly known, but existing ones cannot be resolved.

It is therefore essential to implement a vulnerability management process that integrates tightly with existing risk assessment strategies, continuously monitors the existing legacy systems and allows quick adaptation to new threats. To facilitate this, the following topics should be addressed:

 Implement a comprehensive vulnerability management process that encompasses all legacy systems. If a vulnerability management process already exists, take special care when integrating the legacy systems into it.
 Implement the necessary controls to make sure there are no blind spots in the vulnerability management of legacy systems.
 Run automated vulnerability scanning tools against all legacy systems at least weekly, or more frequently.
o Run the vulnerability scans in authenticated mode to also catch configuration flaws and errors.
o Legacy services can be fragile: test a new scan profile against a non-production copy first and schedule scans in a maintenance window, because an aggressive scan can crash an old service.
o Use the output of the vulnerability scan as input to the general risk assessment process. Address the riskiest issues first.
 Continuously evaluate existing countermeasures in terms of effectiveness and risk reduction. If new vulnerabilities arise, adapt existing countermeasures or implement new ones.
 Conduct regular security audits which cover not only technical vulnerabilities but also the risks arising from the integration of the legacy system with the existing infrastructure (e.g. communication interfaces, network segmentation…).
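Scan output only helps the risk process if it is ranked and tied to each host's exposure and the compensating controls already in place. The following added example, not from the whitepaper, applies one illustrative scoring scheme (an assumption for this example, not a standard): scanner severity multiplied by a zone exposure factor, reduced where a compensating control covers the finding's vector, with the resulting action depending on whether a patch exists at all. Hosts, findings, factors and control names are constructed.

```python
"""Rank vulnerability-scan findings on legacy hosts for the risk process.

Added example, not from the whitepaper. Section 4.4 says scan output should
feed the risk assessment and the riskiest issues go first; this applies an
illustrative scoring scheme (an assumption, not a standard) to constructed
findings. Exposure factors, mitigation factors, hosts and findings are all
made up for this example.
"""
from dataclasses import dataclass, field

# Exposure factor by zone: how reachable the host is (assumed values).
EXPOSURE = {"dmz": 1.0, "internal_srv": 0.7, "legacy": 0.7, "mgmt": 0.5}

# Compensating controls and the attack vector each one reduces (assumed values).
MITIGATION = {
    "network": {"waf": 0.5, "segmented": 0.6},
    "local":   {"hids": 0.8, "least_priv": 0.7},
}


@dataclass
class Host:
    name: str
    zone: str
    legacy: bool
    controls: set = field(default_factory=set)   # subset of the MITIGATION keys


@dataclass
class Finding:
    host: str
    check: str             # scanner check name (constructed)
    severity: float        # 0-10 as reported by the scanner
    vector: str            # "network" or "local"
    patch_available: bool


def risk_score(f, host):
    """Severity scaled by exposure, reduced by controls covering the vector."""
    score = f.severity * EXPOSURE.get(host.zone, 1.0)
    for control in host.controls:
        score *= MITIGATION.get(f.vector, {}).get(control, 1.0)
    return round(score, 2)


def action_for(f, host):
    """What the risk process should do with the finding."""
    if f.patch_available:
        return "patch"
    if host.legacy:
        return "compensate (no patch: segment, harden, monitor)"
    return "investigate"


def prioritize(findings, hosts):
    """Return (score, host, check, action) rows, riskiest first."""
    rows = []
    for f in findings:
        h = hosts[f.host]
        rows.append((risk_score(f, h), f.host, f.check, action_for(f, h)))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


# Constructed asset inventory and scan results.
HOSTS = {
    "legacy01":   Host("legacy01", "legacy", True, {"segmented", "hids"}),
    "web01":      Host("web01", "dmz", False, {"waf"}),
    "legacy-web": Host("legacy-web", "dmz", True, set()),
}

FINDINGS = [
    Finding("legacy01", "SMBv1 enabled", 9.0, "network", patch_available=False),
    Finding("web01", "outdated TLS library", 7.5, "network", patch_available=True),
    Finding("legacy-web", "unsupported web server", 9.8, "network", patch_available=False),
    Finding("legacy01", "weak file permissions", 4.0, "local", patch_available=False),
]

if __name__ == "__main__":
    for score, host, check, action in prioritize(FINDINGS, HOSTS):
        print(f"{score:5.2f}  {host:11} {check:24} {action}")
```

The ranking makes the isolation argument of this whitepaper visible in numbers: the unsupported web server sitting unprotected in the DMZ stays at the top, while the same class of unpatched finding on the segmented and monitored legacy host drops below a patchable issue on a supported system. Each rerun of the scan refreshes the scores, and a control that is removed or found ineffective during an audit shows up immediately as a rise in the affected host's scores.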


The protection of legacy systems is challenging and must be addressed as a continuous process rather than a task or project that eventually ends. When designing countermeasures and overall security strategies for these systems, it is important to be prepared for change.


5. Lifecycles of Operating Systems

The following two tables list the product lifecycles of client and server operating systems commonly used within enterprises. They give an overview of which products have already reached end of life or will reach it in the near future. Furthermore, the latest version of each product is marked:

[Timeline table, 2000 - 2029; the per-year lifecycle columns are not reproduced]
Client systems covered: Windows XP, Windows Vista, Windows 7, Windows 8 / 8.1, Windows 10; Fedora 20, Fedora 21, Fedora 22; openSUSE 11.4, openSUSE 12.2, openSUSE 12.3, openSUSE 13.1, openSUSE 13.2; Ubuntu 12.04, Ubuntu 12.10, Ubuntu 13.04, Ubuntu 13.10, Ubuntu 14.04, Ubuntu 14.10, Ubuntu 15.04

Table 1 - Lifecycles of client operating systems

[Timeline table, 2000 - 2029; the per-year lifecycle columns are not reproduced]
Server systems covered: Windows Server 2003, Windows Server 2008, Windows Server 2012; RHEL 4, RHEL 5, RHEL 6, RHEL 7; SLES 9, SLES 10, SLES 11, SLES 12; Ubuntu Server 12.04, Ubuntu Server 12.10, Ubuntu Server 13.04, Ubuntu Server 13.10, Ubuntu Server 14.04, Ubuntu Server 14.10, Ubuntu Server 15.04; Debian 5, Debian 6, Debian 7, Debian 8; CentOS 4, CentOS 5, CentOS 6, CentOS 7; Solaris 9, Solaris 10, Solaris 11; FreeBSD 8, FreeBSD 9, FreeBSD 10

Table 2 - Lifecycles of server operating systems


6. References

Microsoft Corp. (n.d.). Data Backup and Recovery. Microsoft Developer Network. https://msdn.microsoft.com/en-us/library/bb727010.aspx

Pirc, J. W. (n.d.). Breach Detection Systems (BDS): Is this the Answer for Zero-Day Malware? NSS Labs. https://www.nsslabs.com/blog/breach-detection-systems-bds-answer-zero-day-malware

Pokladnik, M. (2007). An Incident Handling Process for Small and Medium. SANS Institute.

SANS Institute. (n.d.). The Critical Security Controls for Effective Cyber Defense, Version 5.0.
