Retro Risk Appetite
August 27, 2019
Most people love nostalgia. We like retro! I was a little surprised when I first saw bell-bottom pants make a comeback, but I get it. Please, though, no leisure suits.
For some things retro is fine. However, when it comes to cybersecurity, it’s not a great idea to hang on to legacy solutions, even if they just “work”, are oh-so-familiar and don’t cost additional budget or resources to manage. Yet sometimes our fondness lingers – until there’s a breach.
That’s when retro can turn sinister. Organizations must take accepted risk seriously and manage it intentionally and strategically – and part of that is removing the familiar, a.k.a. legacy tools.
Legacy software is a risk that many organizations choose to accept, as we saw with the disastrous global WannaCry incident of 2017.
Windows XP software support officially ended on April 8, 2014, after more than 12 years of support. Three years later WannaCry, a ransomware attack, emerged in the wild, exploiting Windows operating systems. The exploit used in the attack was EternalBlue, which was developed (ironically) by the NSA, then stolen and leaked by The Shadow Brokers a few months prior to the attack.
XP was just one of the versions of Windows that was affected, but this was three years after the company had officially ended support for the OS. Other older operating systems were also impacted by WannaCry, including (but not limited to) Windows 7 and Windows Vista.
Prior to retiring Windows XP, Microsoft gave plenty of warning so organizations could plan for licensing, budget and upgrades to newer operating systems if they hadn’t already done so.
Many organizations didn’t update their operating systems, even after support ended. This means that any vulnerabilities still undiscovered at the time of XP’s retirement remained in place, with no patches ever coming. In other words, unsupported software – especially an OS still running in production – becomes more vulnerable with every passing month, because attackers have additional time to uncover new exploits and attack vectors against a system that will never be fixed.
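The practical way to stop accepting this risk by default is to make it visible: compare an asset inventory against vendor end-of-support dates and turn every match into a risk-register entry that leadership has to consciously accept or fund. The script below is an added example (not code from the original post) that does exactly that over a constructed inventory. The Windows XP date is the one cited above; the Windows 7 date (January 14, 2020, the end of Microsoft’s extended support) is included as a known fact; the hostnames, roles and the `Asset`/`RiskEntry` types are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# End-of-support table. Windows XP: April 8, 2014 (cited in the post).
# Windows 7: January 14, 2020 (end of Microsoft's extended support).
# In practice this table is populated from the vendors' lifecycle pages.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}


@dataclass
class Asset:
    """One row of a (hypothetical) asset inventory export."""
    hostname: str
    os_name: str
    business_role: str


@dataclass
class RiskEntry:
    """One accepted-risk register line: the asset and how long it has been unsupported."""
    hostname: str
    os_name: str
    business_role: str
    days_unsupported: int


# Constructed sample inventory, not real hosts.
INVENTORY = [
    Asset("fileserver-01", "Windows XP", "stores customer records"),
    Asset("hr-laptop-07", "Windows 7", "HR workstation"),
    Asset("web-02", "Windows Server 2019", "public web front end"),
]


def assess(inventory, today):
    """Split the inventory into (register, unknown).

    register: RiskEntry for every asset whose OS is past end of support,
              sorted so the longest-unsupported asset comes first.
    unknown:  hostnames whose OS is not in the lifecycle table; these are an
              inventory gap, and an untracked system is itself accepted risk.
    """
    register = []
    unknown = []
    for asset in inventory:
        eos = END_OF_SUPPORT.get(asset.os_name)
        if eos is None:
            unknown.append(asset.hostname)
            continue
        days = (today - eos).days
        if days <= 0:
            continue  # still supported on this date; patches are available
        register.append(RiskEntry(asset.hostname, asset.os_name,
                                  asset.business_role, days))
    register.sort(key=lambda e: e.days_unsupported, reverse=True)
    return register, unknown


def render(register, unknown):
    """Format the findings as lines suitable for a risk report."""
    lines = [
        f"{e.hostname}: {e.os_name} unsupported for {e.days_unsupported} days "
        f"({e.business_role}) - accept in writing or schedule replacement"
        for e in register
    ]
    for host in unknown:
        lines.append(f"{host}: OS not in lifecycle table - inventory gap, classify it")
    return lines


if __name__ == "__main__":
    # Run as of the post's publication date.
    for line in render(*assess(INVENTORY, date(2019, 8, 27))):
        print(line)
```

Re-running `assess` with a later `today` is the point of the design: the register grows on its own as more products age out, so the conversation with stakeholders starts from a dated list rather than from a feeling that “we haven’t had a breach yet.”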
Accepting the risk of unpatched software is beyond dangerous in the war zone that is today’s cyber risk landscape. Fraudsters never stop innovating ways of exploiting software vulnerabilities and we routinely see advanced offensive tactics that didn’t exist in the wild just ten years ago – or ten months.
Threat actors live for outdated and under-protected systems. For instance, just after the turn of the century Russian attackers called Java the “Holy Grail” of hacking opportunity because of the sheer number of vulnerable software versions deployed on critical assets that could be easily compromised.
Legacy hardware isn’t hard to find – even in organizations that ought to know better. Think about ancient technologies like 2400 bps modems (yes, 2400 baud) and the phased-array radars of PAVE PAWS. In the case of PAVE PAWS there’s actually a benefit, in that older equipment often doesn’t have the same interdependencies and vulnerabilities as modern tech. As a result, security through obscurity can be effective for this system originally designed in the 1960s. The same is true for the U-2 spy plane’s analog clock – it just works, so don’t “fix it” with a digital upgrade that might fail or be vulnerable to attack.
When organizations choose not to upgrade hardware, they accept risk – and it’s sometimes substantial. There are still organizations today using firewalls from a decade or two ago. Older hardware may still do what it was designed for, but it lacks the newer features that address current threats and security requirements. Over time it can be like hunting with a slingshot instead of a gun. Either may work, but one is much more effective.
Socializing Accepted Risk
Risk managers must socialize accepted risk with both technical and non-technical staff to bridge the gap between operational and strategic stakeholders. Choosing to use legacy software introduces risk that grows over time and may lead to exploitation and/or compromise of an entire organization’s network and related cyber assets. Choosing to use legacy hardware usually means forgoing modern features and capabilities, such as the deep packet inspection of a next-generation firewall compared with a first-generation firewall. Both types of accepted risk expose an organization to cyber attack. How does a manager successfully socialize this risk with stakeholders in the organization? Recognize that identifying risk is only the beginning of your journey as a risk manager. Effective communication and cultural change are required to properly address the risk that exists for an organization.
We recommend prioritizing what and how you communicate so as to be most effective. Start off small and work your way up as you establish relationships and promote cultural change. If you try to boil the ocean in a day you’ll not only fail, you’ll frustrate and/or alienate your stakeholders, further hampering future efforts to socialize alignment.
Set realistic expectations and manage towards measurable outcomes. For example, if you prioritized speed and effectiveness in incident response to lower risk when you do have an incident, how is that measured, exactly? How do you plan to improve your outcomes? By being priority-driven in your approach, focused on measured outcomes and timelines, you’re more likely to be successful. And success builds teaming and confidence in your leadership as you work to lower risk. Over time these efforts and successes change the culture and enhance your credibility with other stakeholders.
Risk managers also need to take time to boost the team. With each milestone that’s met, and especially those surrounding primary outcomes, be sure to celebrate both small and large wins. Then leverage your motivated staff to help you establish a roadmap towards future success and additional risk reduction, minimizing accepted risk.
Accepted risk is all too often the result of a failure to prioritize around managing risk. It’s easy to say “we don’t have a problem” because you haven’t experienced a breach – yet. It’s all too easy to say “we don’t want to spend $50,000 upgrading that server,” but what about later when, due to a breach of the server that stores the crown jewels, it costs you $1M in incident response, public disclosures and loss of business?
Proactive risk managers are diligent in tracking and reporting not only on consumable metrics for their own organizations but also those of their sector. They pay careful attention to world events as well, with an eye toward how their businesses are implicated. If you’re in banking, for instance, and you learn of a breach at another bank, take time to understand what happened and why, the accepted risk involved and the lessons learned, then inform your organization. Most importantly, correlate the accepted risk and lessons learned from your competitor to your own organization, helping stakeholders understand what it means to them. They don’t want to be next, after all, and helping them succeed is your greatest responsibility.
Cultural change is hard. Helping people to proactively prioritize risk, budget and resources toward a hardened defense is also very challenging. Implementing and operating according to a strategic approach helps every risk manager be effective in mitigating accepted risk – and this simply must include a plan to phase out legacy software and hardware and lessen retro risk.