Why Old IT Assets Create New Security Problems
By Samuel Greengard | Posted 07-05-2016
If the daily drumbeat of hacks and cyber-attacks accomplishes one thing, it's raising everyone's anxiety level about cyber-criminals. Although outside risk is a major cause for concern, much of the potential danger resides within an organization, and this extends beyond insiders who wittingly or unwittingly breach protocols and systems.
The culprit? Out-of-date and non-compliant software and hardware assets. These leave the enterprise door wide open for outside and insider breaches that take advantage of known flaws in software and assets. The root of the problem? Because legacy software and hardware are no longer supported by a vendor, patches and fixes aren't available, or the flaws aren't easily fixed.
BDNA's quarterly State of the Enterprise Report places a spotlight on the issue. It found that old IT assets are a major and often overlooked source of enterprise cyber-security vulnerabilities. Without processes in place to identify and remediate these "end-of-life" (EOL) assets, organizations expose themselves to cyber-criminals eager to exploit these unprotected flaws.
Unfortunately, the issue flies below the radar of most CIOs, CSOs and CISOs. Consider:
* Between 30 and 50 percent of hardware and software assets installed in the average large enterprise are past their EOL date.
* Less than one-quarter of organizations can easily access and use data to assess risk.
* Most enterprises take more than a year to eliminate a known vulnerability.
A separate 2016 Ventana Research report, Establishing Cybersecurity Intelligence: Identifying Risk and Vulnerability in IT Assets, found that less than one-quarter (24 percent) of organizations say it is "easy" or "very easy" to access and use data to measure and assess risk. Depending on the size of the organization, there could be thousands of separate software titles installed at any one time, with versions labeled numerous ways.
"Failing to have complete visibility of all IT assets and their associated attributes poses a significant risk for large enterprises in both the private and public sectors," said Walker White, president of BDNA.
How can a CIO, CSO or other enterprise leader gain control of the situation? It's wise to focus on four key steps:
* Acquire a comprehensive catalog of third-party products with information about vendors, products, release dates and other details.
* Match your organization's tech asset inventory with the catalog to identify potential vulnerabilities.
* Compare your inventory and catalog with vendor-supplied version information to identify outdated hardware and software that represent a real-world risk.
* Take action on any vulnerabilities immediately so that they don't become actual breaches.
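The matching steps above, sketched as an added example (not from the article, BDNA or Ventana Research): inventory rows whose vendor and title are labeled inconsistently are normalized, joined to a catalog of end-of-life dates, and split into EOL, supported and unmatched. All vendors, products, hosts, versions and dates are constructed, and the function names are hypothetical.

```python
import re
from datetime import date

# Constructed catalog: (vendor, product, major version) -> end-of-life date.
# Vendors, products and dates are invented for illustration.
CATALOG = {
    ("acme", "exampledb", "9"): date(2014, 6, 30),
    ("acme", "exampledb", "12"): date(2021, 12, 31),
    ("initech", "reportserver", "3"): date(2015, 1, 15),
}

# Constructed inventory rows as discovery tools might report them,
# with the same vendor and title labeled several different ways.
INVENTORY = [
    {"host": "db01", "vendor": "ACME Corp.", "title": "EXAMPLEDB (x86)", "version": "9.2.1"},
    {"host": "db02", "vendor": "Acme, Inc", "title": "Example-DB", "version": "12.0"},
    {"host": "app07", "vendor": "Initech LLC", "title": "Report Server (x64)", "version": "3.4"},
    {"host": "ws113", "vendor": "Globex", "title": "PhotoTool", "version": "1.0"},
]

_SUFFIXES = re.compile(r"\b(corp|corporation|inc|llc|ltd|edition|x64|x86)\b")

def normalize(name):
    """Lowercase, drop legal/packaging suffixes, then strip punctuation and spaces."""
    name = _SUFFIXES.sub("", name.lower())
    return re.sub(r"[^a-z0-9]", "", name)

def assess(inventory, catalog, today):
    """Return (eol, supported, unmatched) lists of inventory rows."""
    eol, supported, unmatched = [], [], []
    for row in inventory:
        key = (normalize(row["vendor"]), normalize(row["title"]),
               row["version"].split(".")[0])   # match on major version
        eol_date = catalog.get(key)
        if eol_date is None:
            unmatched.append(row)              # no catalog entry: risk unknown
        elif eol_date < today:
            eol.append({**row, "eol_date": eol_date})
        else:
            supported.append(row)
    return eol, supported, unmatched

if __name__ == "__main__":
    eol, ok, unknown = assess(INVENTORY, CATALOG, date(2016, 7, 5))
    for r in sorted(eol, key=lambda r: r["eol_date"]):   # longest unsupported first
        print(f'{r["host"]}: {r["title"]} {r["version"]} EOL since {r["eol_date"]}')
    print("unmatched:", [r["host"] for r in unknown])
```

The unmatched list matters as much as the EOL list: a title the catalog cannot identify is an asset whose support status is unknown, not one that is safe.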
"Although there are many tools available to identify and remediate such risks, awareness of this issue has not yet caught up to the potential liabilities," White noted.