Lecture 8 - Legacy systems Flashcards

1
Q

What is a legacy system?

A

Definition is subjective & there are many viewpoints.

“a system that was developed sometime in the past and is critical to the business in which the system operates.” (Ransom et al.)

Could be a server, application, etc.

Typically, legacy systems were developed before the widespread use of modern software engineering methods and have been maintained to accommodate changing requirements.

2
Q

Why are legacy systems important?

A

They contain business-critical information that represents considerable business knowledge & processes.

3
Q

What are the challenges with legacy systems?

A

The following make legacy systems susceptible to cyber security concerns:

  • unpatched software
  • outdated
  • difficult to understand (trained staff retired/poor documentation)
  • expensive to maintain
  • inefficient
  • Software typically poor & does not respond to change easily.
4
Q

What dilemma do enterprises face with legacy systems (Alex Heid)?

A

Critical to the performance of daily business operations (i.e., in the banking industry/healthcare)

But they run on outdated software which poses a serious security threat to organisations.

Therefore, they need to be segregated from other public networks/devices to try and reduce this threat.

5
Q

What dilemma do enterprises face with legacy systems?

A

Need to weigh up the costs & benefits

Crucial to business processes, but are complex, poorly understood & require a significant investment to maintain & manage the systems.

6
Q

What is a legacy system from the Mainframe Era?

A

SABRE (Semi-Automatic-Business-Research-Environment) by American Airlines & IBM

7
Q

What are the strengths of legacy systems from the Mainframe Era?

A
  • They only used dumb terminals (no sophisticated processes/capabilities), so developers/architects were forced to restrict complexity to the mainframe and there was a limited user interface.
  • easier to secure because the attack surface

Although these strengths provided some relief, there are still problems.

8
Q

What are the concerns about legacy systems from the Mainframe Era?

A
  • Architects/systems/programmers/app developers did not consider cyber security concerns, the physical connection (i.e. wires) and building the system
  • They assumed everything was secure (no malicious insiders etc)
9
Q

How can you address issues with Mainframe legacy systems?

A

Addressing cyber concerns with Mainframe legacy systems (IBA)

  1. Improve Access control logic in the operating system
    - Authentication is handled by the mainframe (rather than the dumb terminal)
    - No encryption, files can be accessed based on user id, serious risk if maintained by a malicious insider
  2. Be prepared for unexpected input validation
    - Design decisions from years ago mean that there are no built-in input validation checks (e.g., SQL injection!)
    - Extreme, expected & unexpected cases must be handled properly.
  3. Add a screen scraper
    - Provide Internet access to legacy applications without making any changes to the underlying platform.
    - Can be delivered fast because it's non-intrusive.
    - But there are scalability issues (compared to modern systems) & might make the system more vulnerable by adding an additional attack layer
10
Q

Explain the SABRE system.

A

Semi-Automatic-Business-Research-Environment.

  • Airline Reservation system IBM & American Airlines
  • (SAGE) which was originally designed to defend against Soviet attacks was used to reserve seats.
11
Q

Explain legacy systems from the Client-Server Era?

A
  • Clients are sophisticated & support more functionality between elements.
  • Encryption is possible on the client (affords more secure communication between client & service)
  • More done on the client itself, reducing the demands on the network.
  • Insecure communication: p1 sends a message to p2 but p3 (a malicious outsider) observes in the cloud. BUT if the message is pushed through an encryption function before it crosses cyberspace, p3 will only be able to see gibberish, so p2 will need to push it through the decryption function to consume it.
12
Q

What are the concerns with legacy systems in the client-server era?

A
  • Complex
  • Expensive to maintain.
  • Ideally, an attacker should gain no real insight by gaining access to a client.
  • Poor visibility of what is happening on the client side
  • Network-level connection
  • Gain access beyond the perimeter of the enterprise
  • Clients shouldn’t contain sensitive/specialised data (for any long period of time)
13
Q

Describe how attackers can get access to client software during the client-server era?

A

Clients that are not up to date with the most recent software increase vulnerability.

14
Q

Explain a legacy system from the Networked Era?

A
  • Focus on logical isolation (physical constraints limited)
  • Attackers use an anonymous proxy so they can use the system uninterrupted.
  • Inputs must be validated to reduce the likelihood of SQL injection & other such attacks.
  • Vulnerabilities depend on the implementation of the server-side technology (i.e. framework or bespoke)
15
Q

Why is SABRE a good example of an evolving legacy system?

A
  • Prioritized seat availability, but over time more people wanted to fly & want to choose aspects such as meal upgrades etc. and it became very slow.
  • Sold-off legacy assets for $778 million so important
  • Cyber security is not the primary concern, it is rebel business units losing independence.
16
Q

What is the process of evolving legacy systems?

A

ID/PAD

  1. Inventory of legacy systems
  2. Prioritize & identify the high-risk legacy systems (to the enterprise)
  3. Assess identified legacy system to determine the actual level of risk
  4. Define and develop plans to evolve high risk legacy systems.
17
Q

Describe step 1 in the process of evolving legacy systems?

A

1. Inventory of legacy systems

  • Create a list of all systems that are in use today & accessible by users.
  • This can be challenging because sometimes the legacy systems aren’t formally retired, just used less frequently
  • Other old legacy systems are used frequently, but generally ignored because they are hidden behind other systems so other users might not realise they are using them (i.e. in healthcare orgs)
  • Should describe each item on the list (e.g., its purpose, implementation, an internal contact, etc.)
18
Q

Describe step 2 in the process of evolving legacy systems.

A
  • Focus on the legacy systems that deserve further attention from a security perspective. Pinpoint the ones that present the greatest risk to the enterprise.
  • Limit this list to a small subset of all of the existing legacy systems.
  • Do an assessment of each item on the inventory list (e.g., data sensitivity, government requirements, functional criticality, age, accessibility, extent of previous testing)
19
Q

Describe step 3 in the process of evolving legacy systems?

A

Think of attack patterns & conduct a high-level risk assessment to determine the actual level of risk.

20
Q

Describe step 4 in the process of evolving legacy systems?

A

Define and develop plans to evolve high risk legacy systems to an acceptable level of risk.

This then looks at the options enterprises have for the evolution of legacy systems:

  • Develop policies.
  • Harden the legacy system
  • Enhance the legacy system
  • Replace the legacy system
21
Q

What options do enterprises have for the evolution of legacy systems?

A
  1. Develop policies.
  2. Harden the legacy system
  3. Enhance the legacy system
  4. Replace the legacy system
22
Q

What evolution approach could be proposed for a legacy system identified as a minor risk?

A
  1. Develop a policy
    i.e. training or tweaks to network security appliances (i.e., firewalls)

Changes such as these may not actually eliminate the security risk but make it less likely to happen.

They are also effective, rapid & low-cost.

23
Q

What evolution approach should an enterprise adopt if the security risks are significant and the effort (cost) to address them directly is reasonable and can be justified?

A

Harden the legacy system

i.e., apply patches & corrections to the source code to eliminate coding bugs.
- With greater effort, you can alter the architecture of the system to avoid design flaws that attackers might exploit
- Or integrate third-party software into the system to prevent exploits using a “wrapper” approach to encapsulate & protect the key functionality.

Issues:

  • expensive
  • might create their own bugs
24
Q

What approach should an enterprise with a large, complicated system use to evolve their legacy systems?

A

Enhance/augment the parts of the system that pose significant security concerns, i.e. replace the hardware/software, but leave the rest.

But it's very expensive & involves considerable business risks (e.g., project delays, budget overruns, etc.)

Many systems are satisfactory with little security risk, but these systems often have parts that face the public or are used widely within the enterprise that represent the primary security concern.

25
Q

What approach to evolving a legacy system should an enterprise adopt if there are security concerns and the system is functionally obsolete/implemented with technologies that make it expensive to operate and maintain?

A

Replace the legacy system.

But it is an extreme case, and very rarely happens.

Enterprises need to consider the transition from and to the new system & the training etc that will be needed.

26
Q

What categories of legacy systems can we apply the process & evolution of legacy systems to?

A

  • All legacy systems
  • Internal legacy systems (not connected to the internet)
  • External legacy systems (connected to the internet)

27
Q

What do we need to do for all legacy systems?

A
  • Update the inventory list with the categories of data stored in the legacy system
  • Decommission (remove) systems no longer being utilised by the enterprise
  • Determine the person responsible for the legacy system (e.g. server, application etc).
28
Q

What do we need to do for internal legacy systems which are not connected to the internet?

A
  • Update the software
  • Harden the OS
  • Remove unnecessary components (e.g. unused applications).
  • Develop policies as a treatment to mitigate against the threats.
  • Review & decide which users need access
  • Duplicate data in case there is a disaster
29
Q

What do we need to do for external legacy systems which are connected to the internet?

A
  • Decide the appropriate response based on the threats and weaknesses of the system eg., replace/aggressive strategy?
  • Determine data used/within the system
  • Reconsider users with access to the system
  • Remove sensitive data from the system ***
  • Reduce its access to internal components
30
Q

What is bump-in-the-wire?

A
  • Bump-in-the-wire is a communications device inserted into existing legacy systems to enhance the authentication, integrity, or confidentiality of communications across an existing logical link without altering the communications endpoint.
  • Used when it isn’t possible to harden or update systems with new software/systems
  • Legacy system could output unencrypted data that is then intercepted and encrypted before being dispatched to another system, which potentially has another bump-in-the-wire to decrypt the data.
  • Effective, but does not work if the legacy system access point is compromised.
31
Q

What is the Heartbleed issue?

A

Heartbleed occurs when the following happens:
1) A user visits a website and sees “HTTPS” in the website name (i.e. it is encrypted)
2) For a server to host a client, this costs resources. Typically there is a timer. The timer runs out after a heartbeat message has not been detected in a specified timeframe.
3) If the client sends a heartbeat (e.g. 1kb message), this goes to the server RAM and says “I’m still here!”
4) 1kb is copied from RAM and sent back to the client.
This becomes a problem if a bad actor sends 64kb to the server (but the heartbeat message is actually only 1kb). The remaining 63kb is copied back from RAM to the client, and it’s kind of like “bleeding” information such as email addresses, usernames, passwords etc.

32
Q

What legacy systems should we consider?

A
  • All legacy systems
  • Internal Legacy systems: not connected to the internet
  • External Legacy systems: these are connected to the internet