How to Protect Your Aging Network
The Office of Personnel Management breach was the most recent and public example of the damage that aging networks can help deliver to an organization: a lack of standard practices such as encryption, data masking, and redaction, practices that prevent many attacks.
While realists (and shareholders) don't expect IT to rip and replace aging infrastructure, IT can plan and prepare to protect older networks until an upgrade is budgeted. Of course, implementing newer network technologies provides organizations with the enhancements these later solutions offer – advances in security, speed, and reliability, for example. There is no excuse for ignoring existing networks and leaving them vulnerable simply because they will eventually be phased out. In the case of OPM, more public attention has focused on who breached the agency than on how the attack could have been prevented, said Mike Burgess, chief information security officer at Australian telecommunications provider Telstra, at the Check Point Cybersecurity Symposium in Australia.
"But what I observe, what I fear, what I see too much of, is many commentators, many in the industry, and many in media, focus on attribution, with very little focus on the root cause. No one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age. And I've got to tell you — my view at least — too much of this distraction around attribution takes away from focusing on what's really important here."
Since most organizations cannot afford to upgrade their networks at once, it's critical they protect existing investment. This is, however, something many North American organizations are not accomplishing, a Dimension Data report found.
"What I find typically with clients is they've got this, 'If it ain't broke, don't fix it,' mentality. Their angle is, 'Why should we turn over the gear and do a technology refresh because a vendor did a technology end-of-life and wants to sell us new products?'" said Rich Schofield, business development director, Network Integration, Dimension Data, in an interview. "They're not seeing the same imperative to refresh on an architectural basis. If the only reason to refresh is end-of-supportability based upon the calendar, you get a lot of organizations rebelling against that a little bit."
Networks in the Americas are among the most vulnerable and dated, the solution provider's annual Network Barometer Report said. Almost three-fourths cannot support organizations' expanding reliance on mobility and 79 percent do not support IPv6, it found. Of these, 48 percent require a simple software upgrade to become IPv6-ready, Dimension Data found. Unlike other nations, which saw security vulnerabilities drop, the percentage of devices with at least one vulnerability rose to 73 percent from 67 percent this year in the Americas, Dimension Data's study found. For three consecutive years, in fact, the proportion of devices with at least one security vulnerability has increased in this region, according to the report.
Dimension Data did not survey organizations' IT professionals; rather, the Network Barometer reviews trouble tickets and analyzes the data, Schofield said. While it's understandable – and sometimes the only economical approach – for enterprises to push networks past their prime, IT professionals must create proactive management plans for this aging infrastructure, he noted.
"If you're going to do it, do it with your eyes wide open. Don't let your infrastructure age without consciously planning to let it age and taking the right risk-mitigation activities to get the most bang for your buck," Schofield added. "The biggest place that is most impactful that we really focus on … is in operational support model. Obviously, the number one thing that could happen is you let it age, you go past end of support, the device fails and you don't have a replacement."
Hardware failures accounted for 43 percent of network device problems in the Americas in 2014, compared with 26 percent in 2013, Dimension Data's study found. Configuration errors and software bugs also increased, the report found, while human error and asset capacity dropped slightly.
The recession hurt many industries, David Graffia, vice president of sales at dinCloud, told Enterprise Technology. "They've deferred their refresh rates on their endpoints, which makes it even harder to keep up with regulations," he noted. "In the traditional IT environment, there are a lot of moving parts in getting it from compute to configuration. Then, on top of that, the hospital or entity is still forced to go out and buy a bunch of servers for apps like malware and antivirus and patchwork. They're looking to conserve capital. The cost never goes down as you increase resources."
Old-Age Network Care
Organizations first must assess their network equipment to determine each component's age and status, the availability of spare parts, and the enterprise's adoption of solutions such as software-defined networks, managed services, and cloud, said Schofield. Determining how and where an organization can buy spare parts – many of which are available via next-day service – avoids costly inventorying while also assuring enterprises of availability for older products, he said.
Network segmentation, although a large project taken as a whole, is well suited to small-scale, incremental rollouts. Also known as zoning, network segmentation can contain an intrusion and limit an attacker's lateral movement across the rest of the network.
Yet this alone cannot protect data and networks, cautioned Dimitar Kostadinov of the Infosec Institute in Dark Matters. Organizations should eliminate network-specific threats when possible by adding network function virtualization (NFV)-enabled security, such as hypervisor protection, and by ensuring encryption is in place, among other steps.
Others opt to outsource the process to service providers, especially those proficient in networking and virtualization solutions.
"Organizations aren't completely unaware they have obsolete gear. They know they do but they don't know how many they have," said Dimension Data's Schofield. "They don't know where they are. There's a lot to consider to minimize your risk."