With many states relying on IT systems that are 20 years old or more, government agencies are challenged to secure legacy technology that is no longer supported and often hidden from view.
For the services that directly affect people’s daily lives, citizens rely on their state and local governments. From public safety and trash pickup to highway maintenance and education, state and local governments make our communities livable.
Often, however, the agencies providing these services are relying on outdated IT systems. They are struggling to maintain and secure technology that no longer is supported, is poorly documented and often is not inventoried. As every IT administrator should know, you can’t manage what you can’t see.
Of course the ideal solution is to upgrade systems to modern technology supported by vendors. But funding is a major hurdle for this. State and local governments as a rule must maintain balanced budgets, and even in the best of times money is doled out conservatively. Since the economic downturn, budgets are even tighter.
At the same time, administrators are reluctant to take down systems for maintenance that are doing their jobs—in some cases, for decades. The result is a hidden and often unsupported shadow infrastructure.
While IT refresh cycles in the private sector typically are in the three-to-five-year range, the age of many state systems is measured in decades.
While IT refresh cycles in the private sector typically are in the three-to-five-year range, the age of many state systems is measured in decades. Consider these figures:
- A 2012 survey by the National Association of State Workforce Agencies found that the majority of IT systems supporting unemployment insurance (UI) programs are old and based on outmoded programming languages. “States developed systems for UI operations generally in the 1970s and 1980s, and many are using the same ‘legacy’ mainframe technology based systems today.” The average age was 22 years, the oldest 42.
- An analysis of 200 IT systems for the state of Colorado found that 77 were more than 15 years old and half were at least 10 years old.
- A 2014 study of legacy systems conducted by the Texas Department of Information Resources found that in 100,000 instances of software supporting 4,130 business applications, 61 percent were classified as legacy—that is, obsolete or inefficient.
Some of these findings are several years old, but given recent financial conditions it is unlikely that the situation has improved. The challenges of maintaining such environments are compounded by the loss of institutional knowledge as veteran personnel who know these systems retire.
As key personnel move on to other jobs or retire, institutional knowledge of these legacy systems goes with them. The pool of talent available to maintain and protect them shrinks and systems fall further out of date. Many systems are no longer supported by vendors, and some vendors go out of business. Critical updates are not available, vulnerabilities are not patched, and older systems often are not interoperable with more modern platforms.
As key personnel move on to other jobs or retire, institutional knowledge of these legacy systems goes with them.
Some may say that IT systems so out-of-date are undetectable and are unlikely targets for malicious activity. But “security by obscurity” is not good cybersecurity policy. Systems that are out of compliance with sound policy pose a risk to the entire enterprise.
Help is available
“Security by obscurity” is not good cybersecurity policy
Tenable SecurityCenter CV™ has several capabilities that can help with finding and monitoring legacy systems on your network.
The Passive Vulnerability Scanner™ (PVS) detects both primary applications and the secondary applications running with them to enable discovery of internal apps that are not updated. PVS sensors positioned to see traffic in the internal network can provide a way to locate systems that are connected to the network only occasionally.
Nessus® plugin 11936 is a discovery scan that, when used with credentials, can help identify operating systems connected to the network. Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name and sometimes the version of the remote operating system.
Discovering unknown assets and shadow IT with these and other capabilities in SecurityCenter CV is an important first step to bringing these assets into your security program so they aren't a security risk to your organization.