Combatting the #Throwhack Threat: Why Legacy Issues Are Still Causing CISOs Problems

by Bharat Mistry

CISOs are regularly bombarded with breaking news on advanced nation state espionage campaigns and sophisticated cybercrime heists. From the ongoing machinations of the Kremlin-linked Pawn Storm group to the recently uncovered cyber-bank raid by the MoneyTaker gang, these threats tend to grab all the headlines. But IT security leaders will know that some of their biggest problems come from legacy threats: what we’re calling “Throwhacks”.

Unlike the popular social media trend “Throwback Thursday”, there’s nothing entertaining about this list of legacy security challenges. Organisations need to get a handle on these threats before they start worrying about hackers armed with advanced AI tools.

The legacy challenge
The Throwhack security challenge can manifest itself in multiple ways. The first is online threats still causing organisations problems despite being mitigated years ago. Take Conficker: the infamous worm was one of the most destructive pieces of malware ever created when it appeared back in 2008. But throughout 2017 we saw monthly detections of around 20,000; meaning it’s still highly active. Ditto: Heartbleed. Despite surfacing and being patched in 2014, nearly 200,000 servers and devices were reported as exposed last year.

The problems don’t end there. A common issue for many IT leaders, especially those operating industrial environments, is protecting legacy applications or systems that can’t be patched. Spiceworks has claimed that 68% of US, Canadian and US firms still run Office 2007, while it has also been reported that around 20% of US and UK healthcare organizations still run Windows XP. It doesn’t take much to understand the dangers of running unsupported systems.

The challenges extend to the burgeoning Internet of Things (IoT) space. Devices are being rushed to market with little thought for security — an approach which should have died out long ago. It’s a throwback to a more innocent time when security-by-obscurity still reigned and time-to-market was everything. As Mirai, Persirai, and other IoT threats have shown us, manufacturers simply can’t operate the same outdated approach to cybersecurity they once did, or we’ll all suffer.

Similarly, IT leaders can’t treat user awareness and security programmes as they once did. Today’s threat landscape is simply too broad and fast-moving — and the stakes for getting training wrong too high — to continue with legacy approaches. We need to shift to programmes based around changing user behaviours. This requires practical, real-world training for all staff to be held in short, easy-to-remember bursts at frequent intervals and tested regularly.

Overcoming the Throwhack threat
The good news is that there’s a lot organisations can do to mitigate the kind of Throwhack threats we’ve outlined above. It all starts with upgrading your operating systems to the newest version possible. The impact of not doing so could lead not only to data theft but serious and costly service outages, as witnessed by WannaCry. The fact that old malware exploiting a legacy vulnerability was still one of the top detections in 2017 is proof that not enough is being done in this regard.

If updating your OS is not possible, for whatever reason, use vulnerability shielding/virtual patching on the endpoint or intrusion prevention at the network level. It’s ideal for mitigating the impact of older malware like Conficker which exploits vulnerabilities. It protects legacy systems by providing convenient and automatic updates, allowing organisations to maintain protection while minimising their patch management costs.

Other best practice security advice to protect against the Throwhack threat includes:

  • Use strong passwords
  • Disable AutoRun where possible
  • Ensure shared folders are secured
  • Scan removable drives
  • Keep system patches up-to-date
  • Invest in AV from a reputable supplier — one that uses a number of different techniques (signatures, heuristics, machine learning etc)

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.