
Tenable Blog

State and Local Government Grapples with Legacy IT

With many states relying on IT systems that are 20 years old or more, government agencies are challenged to secure legacy technology that is no longer supported and often hidden from view.

For the services that directly affect people’s daily lives, citizens rely on their state and local governments. From public safety and trash pickup to highway maintenance and education, state and local governments make our communities livable.

Often, however, the agencies providing these services are relying on outdated IT systems. They are struggling to maintain and secure technology that no longer is supported, is poorly documented and often is not inventoried. As every IT administrator should know, you can’t manage what you can’t see.

The challenge

Of course the ideal solution is to upgrade systems to modern technology supported by vendors. But funding is a major hurdle for this. State and local governments as a rule must maintain balanced budgets, and even in the best of times money is doled out conservatively. Since the economic downturn, budgets are even tighter.

At the same time, administrators are reluctant to take systems down for maintenance when those systems are doing their jobs, and in some cases have been for decades. The result is a hidden and often unsupported shadow infrastructure.

While IT refresh cycles in the private sector typically are in the three-to-five-year range, the age of many state systems is measured in decades. Consider these figures:

  • A 2012 survey by the National Association of State Workforce Agencies found that the majority of IT systems supporting unemployment insurance (UI) programs are old and based on outmoded programming languages. “States developed systems for UI operations generally in the 1970s and 1980s, and many are using the same ‘legacy’ mainframe technology based systems today.” The average age was 22 years, the oldest 42.
  • An analysis of 200 IT systems for the state of Colorado found that 77 were more than 15 years old and half were at least 10 years old.
  • A 2014 study of legacy systems conducted by the Texas Department of Information Resources found that in 100,000 instances of software supporting 4,130 business applications, 61 percent were classified as legacy—that is, obsolete or inefficient.

Some of these findings are several years old, but given recent financial conditions it is unlikely that the situation has improved. The challenges of maintaining such environments are compounded by the loss of institutional knowledge as veteran personnel who know these systems retire.

Threats

As key personnel move on to other jobs or retire, institutional knowledge of these legacy systems goes with them. The pool of talent available to maintain and protect them shrinks and systems fall further out of date. Many systems are no longer supported by vendors, and some vendors go out of business. Critical updates are not available, vulnerabilities are not patched, and older systems often are not interoperable with more modern platforms.

Some may say that IT systems so out-of-date are undetectable and are unlikely targets for malicious activity. But “security by obscurity” is not good cybersecurity policy. Systems that are out of compliance with sound policy pose a risk to the entire enterprise.

Help is available

Tenable SecurityCenter CV™ has several capabilities that can help with finding and monitoring legacy systems on your network.

The Passive Vulnerability Scanner™ (PVS) detects both primary applications and the secondary applications running with them to enable discovery of internal apps that are not updated. PVS sensors positioned to see traffic in the internal network can provide a way to locate systems that are connected to the network only occasionally.

Nessus® plugin 11936 is a discovery scan that, when used with credentials, can help identify operating systems connected to the network. Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name and sometimes the version of the remote operating system.

Discovering unknown assets and shadow IT with these and other capabilities in SecurityCenter CV is an important first step to bringing these assets into your security program so they aren't a security risk to your organization.
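The OS guesses from plugin 11936 can be pulled out of a scan export and turned into a legacy-asset shortlist. The following is an added example, not Tenable code: it assumes a `.nessus` (NessusClientData_v2) XML export, and the sample data and the `LEGACY` name list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) export layout.
SAMPLE = """<NessusClientData_v2><Report name="discovery">
<ReportHost name="10.0.0.5">
<ReportItem port="0" protocol="tcp" pluginID="11936" pluginName="OS Identification">
<plugin_output>
Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence level : 99
</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.9">
<ReportItem port="0" protocol="tcp" pluginID="11936" pluginName="OS Identification">
<plugin_output>
Remote operating system : Linux Kernel 5.15 on Ubuntu 22.04
Confidence level : 95
</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.20">
<ReportItem port="0" protocol="tcp" pluginID="11936" pluginName="OS Identification">
<plugin_output>
Remote operating system : Microsoft Windows XP
Confidence level : 59
</plugin_output></ReportItem></ReportHost>
</Report></NessusClientData_v2>"""

# Assumption: a site-maintained pattern of OS names the agency treats as legacy.
LEGACY = re.compile(r"Windows (XP|2000|Server 2003)|Solaris (8|9)\b|AIX 5", re.I)

def legacy_hosts(xml_text, min_confidence=70):
    """Return (confirmed, needs_review) lists of (host, os, confidence)."""
    confirmed, review = [], []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != "11936":
                continue
            out = item.findtext("plugin_output") or ""
            os_m = re.search(r"Remote operating system\s*:\s*(.+)", out)
            conf_m = re.search(r"Confidence level\s*:\s*(\d+)", out)
            if not os_m or not LEGACY.search(os_m.group(1)):
                continue
            conf = int(conf_m.group(1)) if conf_m else 0
            row = (host.get("name"), os_m.group(1).strip(), conf)
            # The plugin guesses; a low-confidence match is a lead to verify.
            (confirmed if conf >= min_confidence else review).append(row)
    return confirmed, review

if __name__ == "__main__":
    print(legacy_hosts(SAMPLE))
```

Hosts in the second list are candidates for a credentialed rescan before they are recorded in the asset inventory.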
