It’s tempting to keep older hardware chugging away, maximizing the return on investment and putting off the acquisition of replacements.
A recent Spiceworks survey of more than 1,300 IT pros in North America and Europe found that “75 percent of organizations use servers for 5 or more years, with 32 percent using them for 7 or more years, which exceeds most extended warranty periods.” Furthermore, “only 29 percent of companies typically switch out equipment because of replacement policies, and only 26 percent do so because of warranty expiration.”
It’s tempting to squeeze every last dollar of value out of old PCs, servers and storage systems. But that could end up costing much more in the long run. Something secure and stable today could be a major liability in the future if somebody finds a new vulnerability to exploit. Too often security breaches expose vulnerabilities in old equipment.
- A security consultant purchased two database servers on Craigslist and discovered “millions of unencrypted confidential records of employees, customers and business partners” of a computer retail company that had filed for bankruptcy.
- In 2014, a breach exposed a server at the North Dakota University System that housed private information on almost 300,000 students and employees. According to a subsequent security audit, the server was more than a year past the end of its lifecycle, running an operating system that lacked bug fixes, security fixes and technical support.
- A web server “forgotten” for 12 years ended up costing the University of Greenwich in the UK a £120,000 ($160,000) fine. It was connected to a database of personal data of 19,500 University staff, students, and alumni.
- A UK online shoe retailer named Office came under the harsh glare of regulators when they learned “that a member of the public had hacked into an unencrypted historical Office database that was being stored on a server outside the core infrastructure of the retailer’s current website,” according to the BBC. That exposed the personal data of more than one million customers.
- The WannaCry ransomware attack in early 2017 temporarily paralyzed much of the UK’s National Health Service, where many units across the country were using old PCs running Windows 7 and Windows XP. The attack targeted a known vulnerability in versions of Microsoft Windows. Microsoft had issued a patch for Windows 7, which many organizations around the world had not applied, but had not done so for Windows XP, as it had already passed its end-of-life date and was no longer supported.
Hardware vulnerabilities surface
These examples point out the need for good security hygiene in making sure software patches are applied and that security measures encompass the entire infrastructure. But they also underscore the folly of using systems that should have been decommissioned when vendor support was no longer available.
It’s not just a software issue—increasingly, vulnerabilities that are hard-coded at the chip level are showing up.
“Spectre and Meltdown are the names given to different variants of the same fundamental underlying vulnerability that affects nearly every computer chip manufactured in the last 20 years and could, if exploited, allow attackers to get access to data previously considered completely protected,” explains online security publication CSO.
Those security bugs affect servers and PCs from top manufacturers including HP, Dell and Lenovo, and it doesn’t matter whether you’re running Windows, Linux or macOS. Software patches have been issued to protect systems that use Intel, AMD and ARM processors, but they may impact performance. If you think this just affects PCs, think again: “The real pain from Meltdown and Spectre will be felt on the cloud with the server, not on the PC,” warns ZDNet.
Another chip-level vulnerability known as Foreshadow could “allow a malicious VM running on the cloud to read memory belonging to the VM’s hypervisor or memory belonging to another guest VM,” according to TechRepublic. Furthermore, a series of bugs in Intel’s Management Engine subsystem could allow unauthorized remote code execution.
It’s called end-of-life for a reason
Hardware vendors are constantly pushing old hardware to end-of-life status. Once that happens, support becomes increasingly scarce and is ultimately cut off: firmware updates stop, and replacement parts become harder to find.
That’s why your security policy should include decommissioning, whether you’re operating a large data center, or the server closet at a branch office. The decommissioning process should be rigorous. If you’re involved in a data center decommissioning project, take a look at this checklist from Exit Technologies to get a handle on the various assets you need to evaluate.
It’s possible to recoup some value by disposing of IT assets. But IT asset disposition is not something that should be done carelessly. Data needs to be completely wiped to ensure that no proprietary or customer data can be exposed and exploited. Your company may be subject to regulations governing the disposal of electronics components. You may need to maintain a chain of custody to limit future liability. Check out some common mistakes to avoid.