Legacy Systems: Learning From Past Mistakes
2024-05-22 01:29 Author: securityboulevard.com

According to the U.S. Government Accounting Office, the State Department has 23,689 hardware systems and 3,102 network installations reaching end-of-life. Across the pond, the UK government recently found that its organizations have more than 43 legacy IT systems at critical risk level, including 11 within the Ministry of Defence.

Legacy systems are almost unavoidable within critical national infrastructure (CNI). This can lead to an unacceptable level of risk, especially for data-sensitive organizations. Without the ability to patch, update and replace at least some of its legacy infrastructure, many public sector security teams are left with an incredibly complex combination of legacy and modern systems to secure and maintain. With big-game status among cybercriminals, these organizations present high-value, low-resistance targets.

The Goldmine

Legacy systems are particularly attractive targets because outdated components often mean that vulnerabilities remain unpatched, offering exploitable footholds for bad actors. At the UK’s first AI Safety Summit last year, the Labour Party pointed out that almost 12,000 NHS computers were still running on the Windows 7 operating system. Windows 7 reached “end of life” in 2020, so these computers are now inevitably host to a multitude of unpatched vulnerabilities.

This is a big problem, especially when we factor in the disruption potential of an attack on critical infrastructure. CNI organizations have very low thresholds for downtime, as the Colonial Pipeline attack demonstrated in 2021. One improperly patched legacy VPN system gave threat actors access to a major oil pipeline, triggering the largest publicly disclosed CNI attack in the U.S. and leading to shortages of gas and food, major transportation disruption, and panic across the entire East Coast. Ransomware actors know that when the potential damage of the attack is so severe, they can easily extort their victims.

Getting Security Priorities Straight

Patching is a challenge for almost every organization. Only 11% of security leaders believe they patch vulnerabilities effectively on time.


When patching becomes too time-intensive, prioritization matters more than ever. Patching delays are inevitable, driven by a lack of time or resources to keep up with the growing rate of new vulnerabilities, and for teams with limited personnel or a complex architecture those delays are longer still. Legacy systems can have hundreds of high-risk vulnerabilities, but some are ultimately more important than others. Scoring systems like CVSS are helpful from a broad perspective, but every company is different.

Severity is only one measure of a vulnerability; whether attackers are actually exploiting it is a helpful second signal. Less than 4% of all known vulnerabilities have been exploited by attackers in the wild. How can organizations get to those first? Tracking known exploited vulnerabilities (KEV) catalogs can highlight which CVEs are being used to compromise systems in the real world.

Organizations should also consider implementing a risk mitigation plan for critical and high-severity vulnerability alerts. Automating repetitive tasks can help security teams respond more efficiently during an incident. This allows organizations to mitigate the operational threats of new vulnerabilities whilst improving patching hygiene. By setting up sandbox environments to test and implement patches before they are sent out to all workstations, teams can also ensure minimal disruptions to the system.

But the unfortunate reality is that some patches are either deprioritized or simply impossible. When systems are nearing end-of-life, developers may simply stop releasing new updates. Other times, the updates are so difficult to implement that they’re not worth the trouble. When systems are essential to day-to-day function, those difficult or potentially disruptive updates may prompt organizations to just accept the risk, opening themselves up to potential critical danger rather than using finite resources to invest in “better” security. In a tightening macroeconomy, this pressure cannot be overstated.
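The three preceding paragraphs describe a triage approach: rank findings by CVSS severity, promote anything on a known-exploited-vulnerabilities list, and decide what to do when no patch exists. The script below is an added example illustrating that approach; it is not code from the original article or from any vendor it mentions. It assumes a KEV feed in the shape of the public CISA catalog JSON (a top-level `vulnerabilities` list whose entries carry a `cveID` field), but the feed sample, the CVE identifiers, the asset names and the weighting values are all constructed placeholders for illustration.

```python
"""Vulnerability triage: CVSS + known-exploited status + exposure + patch availability."""
from dataclasses import dataclass
import json

# Constructed sample in the shape of a KEV catalog feed (a "vulnerabilities"
# list whose entries carry "cveID"). The CVE ids are placeholders, not real records.
KEV_FEED_JSON = """
{
  "title": "Constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def load_kev_ids(feed_json: str) -> set[str]:
    """Extract the set of CVE ids listed in a KEV-style feed."""
    data = json.loads(feed_json)
    return {entry["cveID"] for entry in data.get("vulnerabilities", [])}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float             # base severity score, 0.0 to 10.0
    internet_exposed: bool  # reachable from outside the network perimeter
    asset_critical: bool    # supports a function with a low downtime threshold
    patch_available: bool   # False for unsupported / end-of-life components


def priority(f: Finding, kev: set[str]) -> float:
    """Higher is more urgent. Weights are illustrative assumptions, not a standard."""
    score = f.cvss
    if f.cve in kev:
        score += 10.0  # active exploitation outranks any severity band on its own
    if f.internet_exposed:
        score += 3.0   # reachable attack surface
    if f.asset_critical:
        score += 2.0   # outage would hurt day-to-day operations
    return score


def recommended_action(f: Finding, kev: set[str]) -> str:
    """Patch where possible; otherwise choose a compensating control or record the risk."""
    if f.patch_available:
        return "test patch in sandbox, then roll out"
    if f.cve in kev or f.internet_exposed:
        return "no patch: isolate from untrusted networks and add detection coverage"
    return "no patch: document accepted risk and schedule replacement"


def triage(findings: list[Finding], kev: set[str]) -> list[tuple[str, str, float, str]]:
    """Return (cve, asset, priority, action) tuples, most urgent first."""
    ranked = sorted(findings, key=lambda f: priority(f, kev), reverse=True)
    return [(f.cve, f.asset, priority(f, kev), recommended_action(f, kev)) for f in ranked]


# Constructed findings: note that the CVSS 9.8 item on an internal, non-critical
# host ranks below two lower-scored items that are actively exploited.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "ot-historian-legacy", 7.5, True, True, False),
    Finding("CVE-0000-0002", "intranet-wiki", 9.8, False, False, True),
    Finding("CVE-0000-0003", "vpn-gateway", 8.1, True, True, True),
    Finding("CVE-0000-0004", "hr-fileshare", 5.3, False, True, False),
]

if __name__ == "__main__":
    kev_ids = load_kev_ids(KEV_FEED_JSON)
    for cve, asset, score, action in triage(SAMPLE_FINDINGS, kev_ids):
        print(f"{score:5.1f}  {cve}  {asset:22s}  {action}")
```

In the sample run the end-of-life historian with no available patch ranks second overall despite a lower CVSS than the wiki host, and the recommendation for it is a compensating control rather than an accepted risk, which is the distinction the article draws between deprioritized and impossible patches.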

Detection is the Only Way Forward

When reactive tactics fail, proactive methods such as detection and education become critical. Scanning the IT environment regularly is key to ensuring prioritization is as informed as possible.

This scanning frequency can vary. It might happen anytime changes are made to the code, during big pushes, or even daily. However, detection should always be done by trained developers who can adequately sniff out any vulnerable code and have the knowledge to remediate any risks found quickly. With new technologies and vulnerabilities appearing daily, continuous education programs must prioritize code security for security teams and developers. This two-pronged approach will allow organizations to respond to vulnerabilities and ensure that new software is built securely.

Although it may be too late for legacy systems nearing end-of-life, it is not too late for software vendors to change the trajectory of the software security landscape. The ongoing patching crisis is not just the responsibility of organizations themselves; it is the result of a software industry that is too comfortable with releasing insecure applications. With just 20% of organizations confident in their ability to detect and remediate vulnerabilities in production and only 50% of organizations testing their applications after release, bad actors are presented with countless footholds into user networks.

Placing the burden of security on software consumers with endless patches doesn’t work. Regulators, industry bodies and the computer industry must demand more from software and development teams. Software vendors should train their developers from the outset to prioritize code security and remediate vulnerabilities in production. While organizations turn to application security tools and AI to secure their outputs and support patching, these tools only act as a safety net for the errors that were allowed to slip through the gaps. Knowledgeable human intervention is needed to prevent and remediate insecure code. Organizations need to prioritize education programs that are expertly curated, tailored to roles, and continuously reinforced to ensure knowledge retention.

If we don’t want to end up with another generation of insecure legacy systems within our most critical organizations, upskilling all developers with secure coding knowledge should be non-negotiable.


Source: https://securityboulevard.com/2024/05/legacy-systems-learning-from-past-mistakes/