How to secure legacy systems and protect against IoT attacks

Andrew Bushby, UK director at Fidelis Cybersecurity, explains to Information Age how businesses can transform their security practices.

Enterprises are increasingly adopting business transformation strategies where people, processes and technologies are aligned with the business vision to better serve customers and increase revenue.

According to the recent IDG 2018 Digital Transformation whitepaper, traditional enterprises are more hesitant to embrace business transformation when compared to start-ups. Indeed, 55% of start-ups have already adopted a digital business strategy, compared to just 38% of traditional enterprises. So, what is holding them back, and what impact does security have on business transformation?

Legacy IT infrastructure

Traditional enterprises are more likely to rely on legacy infrastructure that can be decades old and often falls outside compliance regulations, and which is either too expensive or not technologically compatible to update or augment. In comparison, start-ups may look to drive towards improved customer experiences through agile mobile and cloud-based applications.


The very recent attacks we have seen against out-of-support router infrastructure are a clear example of this. Organisations wish to sweat their assets beyond end of life and are therefore exposed to security holes that are no longer being corrected. Protecting legacy infrastructure against such attacks should be top of mind for companies heading towards a business transformation.

The enterprise Internet of Things (IoT) threat

There is also the threat posed by enterprise IoT devices such as printers, cameras and smart lighting. According to IDG, 61% of enterprises believe IoT will play an increasing role in their digital business strategy. Given that IoT devices connected to standard PC platforms are often the foothold in most attacks – such as the Stuxnet attack, which compromised programmable logic controllers (PLCs) connected to a PC – more connected devices added as a result of the business transformation will mean more opportunity for attacks against these devices. Enterprise IoT devices should not be exposed to the internet or be enabled on networks shared with end user PC platforms. Indeed, many IoT devices run BusyBox, which is still maturing with respect to open vulnerabilities and security concerns.

Securing legacy systems

To protect legacy systems, companies need to have complete visibility into their environment and the facility to identify and analyse open vulnerabilities. They need to be able to isolate these vulnerabilities within the network and keep them away from endpoints, which are known to be the initiation point for most post-breach attacks. In addition, companies need to apply strict access control with privileged access entitlements, including no direct access to or from the internet. They should also harden these systems to remove unused services and implement least privilege; for example, disabling the SMB protocol. Next comes security monitoring, which often involves establishing baselines for legacy systems in order to detect suspicious events, abnormal authentication events, and unexpected configuration changes.


For some organisations, the steps above may not be possible for various reasons. However, knowing what attackers desire enables companies to mount a proactive defence to lure, detect, and defend legacy systems. One can only expect advanced attack methods developed by nation states to be adopted by cybercrime in forthcoming attacks. Multi-staged attacks with automation are starting to mirror penetration-testing efforts by embedding password-mining tools and scanning for open exploitable vulnerabilities. We also know that endpoints are the foothold for attacks, while servers are the primary targets where most data can be breached. For these reasons, adding a deception layer to legacy system networks is very logical: it provides attackers with what they desire.

Deception defences include decoys and breadcrumbs, plus services such as SMB, SSH, FTP, RDP, TCP, UDP, and ICMP. A deception solution can automatically discover and map a network of legacy systems and then automatically create decoys and services for the environment.

Automated deployment of these decoys also includes breadcrumbs that make the deception layer deterministic, leading attackers to decoys and diverting them away from legacy systems. Alerts from the deception layer are raised when poisoned credential data is used, when decoys and services are accessed, by network traps, or by traps triggered from enabled breadcrumbs.
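The two detection sources the article describes, a learned authentication baseline for legacy systems and alerts from the deception layer (decoy access and use of a poisoned breadcrumb credential), can be combined in a single pass over authentication logs. The following is an added illustration, not code from the article or from Fidelis; the key=value log format, the host names (`legacy-erp01`, `decoy-fs02`), the breadcrumb account `backup_admin` and the sample lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample authentication log (not from the article); the key=value
# format, host names and account names are assumptions for this example.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 host=legacy-erp01 user=svc_batch src=10.1.20.15 result=ok
2024-05-01T09:03:44 host=legacy-erp01 user=svc_batch src=10.1.20.15 result=ok
2024-05-01T09:05:10 host=legacy-erp01 user=svc_batch src=10.1.20.15 result=ok
2024-05-01T11:12:09 host=legacy-erp01 user=svc_batch src=10.9.77.3 result=ok
2024-05-01T11:12:30 host=decoy-fs02 user=backup_admin src=10.9.77.3 result=ok
2024-05-01T11:13:02 host=legacy-erp01 user=backup_admin src=10.9.77.3 result=fail
"""
DECOY_HOSTS = {"decoy-fs02"}           # hypothetical decoy file server
BREADCRUMB_USERS = {"backup_admin"}    # planted credential, never used legitimately
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def parse(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(("ts", "host", "user", "src", "result"), m.groups())))
    return events

def build_baseline(events, min_count=3):
    """(host, user) -> set of source addresses seen succeeding at least min_count times."""
    counts = Counter((e["host"], e["user"], e["src"]) for e in events if e["result"] == "ok")
    baseline = {}
    for (host, user, src), n in counts.items():
        if n >= min_count:
            baseline.setdefault((host, user), set()).add(src)
    return baseline

def detect(events, baseline):
    """Deception alerts take precedence (decoy host, breadcrumb credential), then baseline deviations."""
    alerts = []
    for e in events:
        if e["host"] in DECOY_HOSTS:
            alerts.append(("decoy_access", e["ts"], e["src"], e["host"]))
        elif e["user"] in BREADCRUMB_USERS:
            alerts.append(("breadcrumb_credential", e["ts"], e["src"], e["user"]))
        elif e["src"] not in baseline.get((e["host"], e["user"]), set()):
            alerts.append(("off_baseline_source", e["ts"], e["src"], e["host"]))
    return alerts

def run(text=SAMPLE_LOGS):
    events = parse(text)
    return detect(events, build_baseline(events))
```

In a real deployment the baseline would be learned over a quiet window before detection starts; here it is learned from the same sample so the block runs stand-alone.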


Given that some legacy systems cannot be updated, deception defences fit well into these environments as no agents are required. An added benefit of deception defences being agentless is that they pose no risk to legacy systems, data or processing steps, and decoys can represent desktop or server systems. Deception defences are effectively an invisible trigger and therefore produce actionable alerts with very low false positives. The end result is providing what attackers desire in order to lure, detect, and defend with very little alert noise, and a tier-1 security analyst can monitor and maintain deception layers in less than one hour per day.

Protecting against IoT attacks

Even away from the internet and end user systems, enterprise IoT devices, if accessed, are very likely open to attack or compromise. For this reason, providing attackers with what they desire is another opportunity for proactive defence to lure, detect and defend. IoT devices cannot host agents for direct prevention and detection defences, and their communications should be encrypted. As such, deception defences with decoys and services for IoT devices are a logical choice.

Capture the flag exercises with a variety of deception defence decoys and breadcrumbs also show that IoT devices are a low priority for post-breach initial attacks. Human attackers prefer files, email and unstructured data, while automated malware prefers applications and web browser structured data. In both cases, man or machine, they initially seek credentials for expanded access and lateral movement, which may eventually lead to enterprise IoT devices.


Ready for the business transformation

The impact security has on the enterprise and business transformation is unquestionable. Security teams led by the CTO or CISO need to have efficient and effective processes in place to secure the enterprise as it becomes open to new threats, such as the impact of new IoT devices running on the network, and as its legacy IT systems become increasingly vulnerable. Using techniques such as deception will protect enterprises against such attacks, helping to reduce dwell time, and will be critical to making sure customers are not only better served, but that they do not become collateral damage themselves.


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...