Many companies still utilise legacy systems and technologies due to their criticality in continued business function.
However when it comes to security, legacy systems can present an opportunity to adversaries looking to exploit weaknesses in security infrastructure.
This was the case with an engagement at a hospital that was using a legacy system as a ways of communication between personnel. Watch the video featuring Chris Carlis, Security Analysis Consultant, as he talks about his recent engagement and covers the dangers and lessons learned of using legacy systems.
I was doing a wireless penetration test at a hospital and I noticed they were using WEP which has been hard broken for over a decade. I thought it was kind of an odd choice to have running, I found out they were using it for communicators, they actually looked like the Star Trek communicators that were using the wireless network to let the hospital employees talk to one another and they were sort of legacy hardware and they couldn't run anything more secure than WEP. I thought OK, it's WEP, so we broke in and were able to get into the WEP network and found once we were able to get into the network that it was essentially connected to the entire internal network, so I was able to demonstrate for this client that someone out in the parking lot can access their internal systems with a minimal amount of effort. Even if you have legacy systems that require certain considerations to operate and something that is using something less secure because the vendor doesn't support it anymore but it's still critical to your business there are additional steps that you can take, the hospital could have segregated the wireless network from their internal LAN in a way that if I had gained access to the wireless network I couldn't have been able to get anywhere else. That's what they did moving forward.