“Fit and forget” – the siren call of the IT widget seller. Buy our thing, plug it in and it “just works”. For everyone else working in or with tech, this is fabulously attractive. One less thing to worry about.
Trouble is, it’s not just the users who forget about the device. It’s the manufacturers, too. When you’ve next got a rainy afternoon, try cataloguing everything connected to or running on your network. Work out how much of it is still supported – starting with counting the devices whose manufacturers have themselves long gone to the great bit-bucket in the sky, or been absorbed by another company, their brand subsequently lost to history.
All of these orphaned devices – and pieces of software, too – share a problem. No-one is issuing security updates for them. So when some enterprising hacker historian finds an exploit, you can’t fix it. Even if you remember you own the thing in the first place.
Amusingly, sometimes there are still updates, but the world has moved on so far that you can’t even talk to the box to apply them.
Case in point – I recently tried to reconfigure a Linksys wireless access point. The company was bought by Cisco many moons ago and the most recent firmware update was in 2013; it’s end of life and out of support. But hey, the thing was still working. The problem?
The configuration interface (a web page) uses SSL3 to secure itself. With an expired certificate. None of my shiny up-to-date browsers are prepared to speak SSL3 – because it’s known to be vulnerable – and certainly not with an expired certificate. So the fact that no-one could remember the password for this device – likely last looked at, or updated, five years ago – didn’t even matter.
I could probably have persevered, either downgrading the security settings on my browser or finding an old browser somewhere and connected, but what would the point have been? It would remain a network vulnerability, unsupported and unpatchable, and a management headache. Equivalent kit can be found for £30, so in this instance the easiest thing was just to replace it.
Of course if this had been a large network with dozens of the units that would have been a different story. Even if the physical replacement cost remained low, the professional services time and disruption cost would have been material.
The moral: it’s worth paying more for kit that will remain supported longer – this is why “Enterprise” kit costs so much more – and it’s essential to know the support status of everything you own. There are vulnerabilities everywhere – in printers, in displays, in KVM switches – the list is endless. The same is true of software – especially free and open source. If it’s not still being maintained, with rapid response to identified exploits, it’s more trouble than it’s worth. Either replace it or, if you can’t, sandbox it away from everything else and monitor it to death.
A bigger picture 