Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at
Let me tell you about my microwave. When I bought it, it was called a microwave oven and I was going to roast turkeys in it in half an hour. I am sure it was white then, but it has turned a pale, sickly yellow. I never did cook a turkey in it, and all I ever use it for now is to defrost sauces, reheat coffee and nuke the ice cream so it is soft enough to scoop. Even though it is more than 20 years old, it still works and it does what I need it to do, so there is no reason to buy another with a lot of features in which I have no interest.
I am certain that the data centers in every organization older than 20 years have applications running in them that are just like my microwave. They are old software serving a limited purpose, often for a limited number of business functions (or for just one). They work; they do what their users want them to do, thus there is no reason to buy a new system with a lot of features in which those users have no interest. Ominously, they are indicative of the reason that the problems of cybersecurity will not be solved any time soon.
SOFTWARE, OLD AND NEW
As I was writing this article, a news report announced the discovery of a flaw in a widely used software product called Bash. It is freeware that is incorporated into 70 percent of the machines that connect to the Internet. Created in 1987, the software has been maintained by a volunteer, who evidently introduced the flaw in 1992. According to the report, the bug, known as Shellshock, can be used to take over entire devices, “potentially including Macintosh computers and smartphones that use the Android operating system.”¹ Ubiquitous software with a flaw undetected for 22 years! If ever there was microwave software, this is it.
Corporations and government agencies have accumulated their application portfolios over a period of years. Many still have programs written in COBOL, running on mainframe computers and written when most of their employees were in grade school. Others modernized their systems in anticipation of the new millennium, now 15 years behind us. In many companies, applications exist because they served a predecessor corporation that has long since been acquired and absorbed, but which lives on in ancient software.
Each of these applications operates atop an infrastructure, often shared with other programs. They each get data from somewhere and send results somewhere else. If not well controlled, they expose those data to theft and misuse.
It is my experience that very few organizations know how all their applications work, which programs they interface with, or how they use operating system and middleware services. Yes, that is an over-broad generalization, and, yes, there might be some organizations that understand all their systems—all of them, no exceptions, 100 percent. But I stick to my assertion—just because it is a generalization does not make it wrong.
Here is the challenge: Are all applications, data and infrastructural elements² protected at the same level? Or do the “critical” systems receive the greatest security, control, recoverability and audit attention, while the rest are relegated to “tier 2”? As I said in a different context in a previous article, there is no such thing as tier 2.³ Small, lightly used, nearly forgotten systems may be running on the same platforms or in the same highly interconnected infrastructures as those depended upon by large numbers of users for essential business functions. If they are not protected as though they were critical, these systems can expose the ones that are more highly valued when a cyberattacker comes along looking for a weak spot to penetrate.
IT IS ONLY
Beware the “Oh, it is only…” response. It is only the forecasting system, which, if illicitly tweaked just a bit, causes a manufacturer to over- or undersupply products to the marketplace. It is only the training system that enables sensitive tasks to be staffed just by qualified personnel. It is only the library system that can be used to display—or to hide—