Week 7 Flashcards
What is the heartbleed issue?
Heartbleed occurs when the following happens:
1) A user visits a website and sees “HTTPS” in the website address (i.e. the connection is encrypted).
2) For a server to host a client, this costs resources. Typically there is a timer. The timer runs out if a heartbeat message has not been detected within a specified timeframe.
3) If the client sends a heartbeat (e.g. a 1kb message), this goes into the server’s RAM and says “I’m still here!”
4) 1kb is copied from RAM and sent back to the client.
This becomes a problem if a bad actor claims to send 64kb to the server (but the heartbeat message is actually only 1kb). The remaining 63kb is copied back from RAM to the client, and it’s kind of like “bleeding” information such as email addresses, usernames, passwords etc.
What are legacy systems?
There are multiple definitions of legacy systems. Managers may believe legacy systems are ones where the cost is higher than the benefit. Developers may believe legacy systems don’t support the business operations anymore. They are often systems that are resistant to evolution.
Why do organisations keep legacy systems around?
- They may hold business-critical information and deeply embedded knowledge.
- Companies may have spent a lot of money and time to build and maintain them (a large investment).
What are the characteristics of legacy systems?
- May be at risk from modern-day cyber concerns. Cyber security may not have been considered when the system was built.
- Design quality of legacy systems can be poor, so they do not respond to change easily.
- Difficult to integrate and migrate due to a lack of understanding among staff.
- Undesirable performance.
- Poor documentation.
What is SABRE?
Airline reservation system developed by IBM.
- Prioritised seat availability.
- As time went on, other functionalities such as meal upgrades needed to be added, along with an increase in users. The system became slow.
- The importance of legacy systems: it was sold for $778 million. Still worth a lot, although it is a legacy system.
- The primary concern is not cyber security but the concern of some business units losing independence.
Give examples of legacy systems in the mainframe era, client server era and network era.
See the Legacy Systems video.
What is the process of evolving legacy systems?
1) Create an inventory of legacy systems, who has access to them etc. This might appear to be simple, but some systems may be going out of use or are masked by modern systems while still being in use! Ask: what value does this system have, why was it created, who manages it, and how accessible is it (general public? internal only?).
2) Prioritise and identify high-risk legacy systems: make an initial assumption.
3) Assess these identified legacy systems: dig deeper to glean what we think is important.
4) Define and develop plans to evolve high-level legacy systems: are we going to do something about the system or evolve it?
What options are there for evolving legacy systems?
- Develop policies: we might say there are some security concerns for the legacy system, so a policy to address the risk could be created.
- Take some ageing components and use modern software to contain the legacy systems (wrapping these components).
- Hardening is when vulnerabilities are addressed in the legacy system, perhaps via wrapping. Costs are difficult to define or estimate.
- Enhance the legacy system by developing and integrating new hardware and software: this differs from hardening in that considerable software is generally added to the system.
- Replace the legacy system with an alternative system to serve the needs of the business.
What legacy systems should we consider?
- All legacy systems
- Internal legacy systems: not connected to the internet
- External legacy systems: connected to the internet
What steps should we take for all legacy systems?
1) Determine what categories of data we have stored on these legacy systems.
2) Decommission systems that are within the environment but are no longer being utilised by the organisation.
3) Identify who is responsible for the legacy system. These people would be in charge of decommissioning, or a good point of contact.
What do we need to consider for internal legacy systems?
- Update the software on the legacy system (make sure it’s up to date and configured properly) and begin hardening the OS, removing unnecessary components.
- Develop policies as a treatment to mitigate the threats presented by the legacy system.
- Determine access to the legacy system: which application accesses are allowed.
- Ensure the legacy system and its data are properly duplicated for disaster recovery.
What do we need to consider for external legacy systems?
- Is it possible to decommission or replace the legacy system server?
- Determine the data assets that the legacy system utilises.
- Continually consider the weaknesses in the legacy system and respond accordingly.
What is a bump-in-the-wire?
It can be considered an appliance: an element that can be added to the network to provide authentication, integrity or confidentiality.
A legacy system could output unencrypted data, and we don’t want outsiders viewing private data! In this case, a bump-in-the-wire can encrypt and decrypt the data.
What is SABRE?
It was a joint project between IBM and American Airlines.
- Used for reservations
- Real-time flow of data