Given the recent news about Russian hacking of critical infrastructure systems for nuclear power plants, power grids, water facilities and waste systems, I decided to resurrect a post we did last summer (more than 6 months ago) about being under cyber attack.
Cyber warfare is a serious issue and security vulnerabilities have heightened since this original blog was posted. In the last months we have seen the Meltdown and Spectre hardware hacks and an expanding range of malware exposures on legacy WS2003 systems. It now appears that Russian hackers have virtual control over important infrastructure systems. They mean us harm – not only to infrastructure systems, but to any vulnerable systems that Western democracies may depend upon.
It’s time to close some of these security exposures by moving legacy applications to modern, more secure operating systems and hardware. Procrastination is no longer an acceptable plan.
We are under cyber attack
By “we,” I mean Western democracies, the modern Western style of business and capitalism, and our way of life.
The hyperbole may seem overdone, but WannaCry, Petya, and Russians hacking for fun and chaos are serious matters. Intended targets are Ukraine or US elections and recently, Western critical infrastructure and government systems.
Thanks to complacency, inertia, and resistance to change, the West has left itself vulnerable. Russian and North Korean cyber attacks are not going to stop or slow down. Malware and phishing are also becoming more sophisticated. The recent Google Chrome Upgrade scam, widely distributed through Yahoo and other trusted sites, is just the tip of the iceberg and exploits people’s fear of malware exposure.
Beyond a doubt, business and government will be disrupted by cyber attacks. We will feel the disruption daily, well beyond the realms of shipping, transportation, pharmaceuticals, and hospitals. We can now add the power grid, water and waste systems to that list.
What needs to be done
Organizations need to stop procrastinating. Collectively, we need to invest in, modernize, and protect our software infrastructures – not just once like in the case of Y2K, but continuously. It’s unacceptable that major military, government, and business infrastructures continue to rely on easily compromised computer infrastructure running Microsoft Windows XP, Windows Server 2000, and the soon to be obsolete Windows Server 2003. Methods to hack and compromise these older systems are well documented and widely distributed through the internet, social media, and hacking forums (thanks, WikiLeaks).
When it comes to updating and protecting the software stack, there isn’t just one panacea approach. AppZero’s business is automated software modernization. Having completed thousands of upgrades for hundreds of organizations, we know that our approach to software stack upgrading is a lot better than doing nothing.
Monitoring applications helps
Monitoring the usage of your current servers and applications can provide critical insights. Monitoring reveals your application dependencies, providing both detailed and overall information. For example, which applications are being used and to what extent, the storage, memory and processing capacity you require and when you require it. It also helps capture detailed application dependencies on software libraries, drivers, databases, and other stack components.
Information collected by monitoring helps you determine which applications are not being used and can therefore be prioritized for decommissioning. Decommissioning unused or underused applications reduces complexity and keeps resources focused on critical infrastructure.
Application monitoring data also helps you plan and size server upgrades. It provides valuable insight into how much disk storage, memory, and processing capacity new servers will need, and whether the new infrastructure should be hosted in the cloud or in house. Knowing the cost of each option will guide you to the best use of your resources.
Protect your applications by modernizing
All the monitoring in the world doesn’t eliminate the work involved in upgrading application stacks to new operating systems and software versions to improve security and reduce malware risks.
Several options are available when it comes to upgrading:1 Redevelop an app
You can incur the cost of redeveloping an application on a new OS. However, custom remediation costs can be substantial (more than six figures) and take months of effort and disruption.2 Choose an ISV upgrade path
If an ISV is involved, you might choose their upgrade path, along with the licensing and migration costs – as well as delays – for that single component of the software stack.3 Upgrade a software stack by hand
You might choose to upgrade a software stack by hand. This involves knowing what you still need, installing new versions of all the software components on the new server infrastructure, developing a data and application migration plan for each component, and developing a test plan to verify the migration. You will then need to remediate and rework any failed components. These steps can take weeks of planning, execution, and verification.4 Use an automated migration tool
This option involves using an automated migration tool to isolate all the application stack dependencies from the underlying OS. You then move the application to the new server and OS infrastructure (upgrading database components on the fly if required). Intelligent automation then places the software stack in the right place on the new OS.
Automated migration can take just a few hours and not uncommonly saves many weeks of labour.
Doing nothing is no longer an option
Whatever you choose to do about upgrading, doing nothing is no longer an option. You need to act and close security exposures on old operating systems. In today’s IT world, ignoring the security risks inherent in outdated server infrastructure and operating systems is tantamount to negligence. Organizations that maintain the do-nothing strategy will be disrupted.
If you are serious and need help with upgrading your Microsoft application infrastructure or would like to understand automated migration, don’t hesitate to give us a call. We live the application modernization challenge every day and would be pleased to share what we have learned.