The Backwaters of Technology

Author: Bruce R Wilkins, CISA, CRISC, CISM, CGEIT, CISSP
Date Published: 15 May 2019

There are backwaters of your enterprise that have technologies that have fallen out of favor like broken toys that have been forgotten. This is troubling because these forgotten technologies can be a risk for the enterprise. I cannot tell you how many times I have performed forensic activities only to find a piece of networked IT that had been forgotten and left to decay into a state of disrepair. These technologies have been found in telephone closets, switch rooms, old computer rooms and sometimes even in an organization’s data center. How did these technologies become a threat to today’s operations? Many times, it is a result of moving forward at a pace where systems administrators miss removing part of a given function. This can lead to greater risk of insider threats if the remaining piece is forgotten. Other times, these threats materialize as a result of the hosted application server being reused without being properly cleaned. This can also allow internal and external threat actors to exploit the vulnerable server. There are many reasons for these situations; however, the result is always the same. Vulnerable technologies left in trusted areas of the infrastructure must be resolved.

I was once engaged by an organization to pinpoint why they were being attacked and to resolve the issue. Because of contracting delays, my partners and I diagnosed their situation based on their description. The systems administrators countered our diagnosis and continued to try to resolve the issue on their own. Two weeks later, when they were in a panic and still being attacked, we were brought in under contract. It turned out that this organization had moved their enterprise mail to a cloud-based solution. As part of their migration to the cloud, they removed the on-premises email technology—or they thought they had. As we discovered, a former system administrator still had access and was attacking them. The system administrator had left the organization on questionable terms and was seeking retribution. That same administrator had privilege and access to a component of the email infrastructure that had not been removed from the network, and the attack profile was based on trust relationships with the email components. Even though the email components on other hardware servers had been removed, the trust relationships still remained.

Working in this area of technology, I often ask myself, “Why do people not pay attention to the fundamentals?” This is not really a cybersecurity issue. Fundamentally, it is a failure to perform basic engineering constructs. The engineering discipline required to maintain hardware and software versions during development is the same discipline that needs to be applied to technology when it is introduced into an enterprise. At its root, this problem resulted from a failure of the configuration management processes.

So, how can you stop attacks that are based on the disarray of the backwater of your enterprise? The key is to minimize or even eliminate decaying technology. Here are some recommendations for those enterprises that have been attacked under these conditions:

  • If you do not have automated configuration management of your enterprise at every server and network component level, implement it. The key here is, you must not only account for each component, but must also tie each of those components to a given functionality. This ensures that all the technology is accounted for and removed when eliminating a functionality.
  • Physically inspect telephone closets and wiring harnesses. This should provide some insight into how the enterprise is connected. In a geographically dispersed enterprise or a hybrid cloud implementation, this can be difficult.
  • Ensure 2-factor authentication is implemented for privileged users. Unfortunately, 2-factor authentication is often implemented for new technology but often forgotten on legacy systems. As privileged users turn over, returning the 2-factor device eliminates access by any ex-employees.
  • Self-inspect trust relationships among servers. Trust relationships should be reviewed quarterly to ensure their relevance.
  • Make sure technology refresh processes include the necessary configuration management steps to ensure that the new technology is accounted for and the old technology is properly removed. This should occur at the hardware level and at each level of the software stack on the servers.
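As an added illustration of the first and fourth recommendations (example code written for this page, not code from the article or the author's organization), the following Python reconciles a function-tagged inventory, a trust list and a network sweep: it flags components of a retired function that still answer on the network, reachable hosts with no inventory record, and trust relationships that point at retired or unknown hosts. The host names, IP addresses and data layout are constructed assumptions.

```python
# Reconcile a function-tagged inventory, trust relationships and a network sweep.
# All data below is constructed sample data, not taken from the article.

INVENTORY = {
    "mx-01":   {"function": "email", "ip": "10.0.5.10"},
    "mx-02":   {"function": "email", "ip": "10.0.5.11"},
    "ldap-01": {"function": "directory", "ip": "10.0.2.5"},
    "web-01":  {"function": "intranet", "ip": "10.0.7.20"},
}

# Functions the enterprise has retired (here: mail moved to a cloud provider).
RETIRED_FUNCTIONS = {"email"}

# Trust relationships as (trusting host, trusted host), e.g. relay allow-lists
# or service accounts granted on one host for another. Constructed.
TRUSTS = [
    ("ldap-01", "mx-01"),
    ("mx-02", "ldap-01"),
    ("web-01", "ldap-01"),
]

# IPs that answered a sweep of the internal network. Constructed; note that the
# retired mx-02 still answers and 10.0.9.9 is not in the inventory at all.
SEEN_ON_NETWORK = {"10.0.5.11", "10.0.2.5", "10.0.7.20", "10.0.9.9"}


def orphaned_components(inventory, retired, seen):
    """Hosts tied to a retired function that are still reachable on the network."""
    return sorted(name for name, c in inventory.items()
                  if c["function"] in retired and c["ip"] in seen)


def unaccounted_hosts(inventory, seen):
    """Reachable IPs with no inventory record: the forgotten hardware the article describes."""
    known = {c["ip"] for c in inventory.values()}
    return sorted(seen - known)


def stale_trusts(trusts, inventory, retired):
    """Trusts where either side is unknown or belongs to a retired function."""
    def stale(host):
        c = inventory.get(host)
        return c is None or c["function"] in retired
    return [t for t in trusts if stale(t[0]) or stale(t[1])]


if __name__ == "__main__":
    print("orphaned:", orphaned_components(INVENTORY, RETIRED_FUNCTIONS, SEEN_ON_NETWORK))
    print("unaccounted:", unaccounted_hosts(INVENTORY, SEEN_ON_NETWORK))
    print("stale trusts:", stale_trusts(TRUSTS, INVENTORY, RETIRED_FUNCTIONS))
```

In practice the inventory would come from the configuration management database and the sweep from a scanner export; the quarterly trust review in the fourth recommendation is then a diff of `stale_trusts` output between runs.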

These tips offer a path to end the suffering caused by the backwaters of technology. There are many other adjustments that you can make. Remember, never assume the fundamentals were followed; instead, trust but validate.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.