CCT 106: Sunset for Your Systems - Navigating the EOL/EOS Maze and the CISSP Exam (Domain 2.5)

Jan 15, 2024
 

Ready to bulletproof your business against cyber threats that never take a day off? This week, Sean Gerber steers you through the murky waters of cybersecurity for small and medium-sized businesses, with a treasure trove of wisdom on asset management and the art of gracefully retiring your tech relics. We're not just talking about keeping the digital lights on—we're talking full-fledged, fail-proof fortresses.

Ever wondered what happens when the 'Billy Bobs' maintaining our legacy systems ride into the sunset of retirement? We're tackling the gritty reality of end-of-life assets, sharing war stories, and practical tips on preserving operational continuity amidst the technological twilight zone. With an approach that balances performance with risk management, you'll learn how to assess and prioritize your cybersecurity efforts like a pro, tailoring your organization's risk tolerance to the uncertain terrain of the cyber landscape.

But wait, there's more than just keeping the old gears grinding! We're crafting an asset retirement plan that's more Iron Man suit upgrade than 401k portfolio. From seamless transitions to savvy extended support strategies, you'll discover how to navigate the endgame of tech asset life cycles. And for those sharpening their blades for the CISSP exam battlefield, we've got a strategic blueprint to help you emerge victorious. Tune in, fortify your digital dominion, and join me, Sean Gerber, as we turn cybersecurity challenges into triumphs.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey y'all, it's Sean Gerber with the CISSP Cyber Training Podcast, and I hope you all are doing wonderful today. Today we're going to be talking about domain 2.5, and we're going to be getting into end of life and end of support. But before we do, I want to talk about one article as it relates to security guidance for small and medium-sized businesses. One thing you need to deal with as it relates to the CISSP is that you're going to be dealing with small and medium-sized businesses in your endeavors, and a lot of the folks that listen to this podcast are from all over the globe. They're everywhere, right? We're very blessed in that regard. I do have a lot of people that are from the UK as well as the United States, and there are some really good security guides that have come out. One piece I've seen is from the NCSC, the National Cyber Security Centre in the UK, which has guidance on how to help small and medium-sized businesses. This online safety guide is available, and you can provide it to your people if, say, you're working as a consultant. NIST and CISA in the United States also have a similar type of guide. So utilize these; put them in your tool chest as you're looking for opportunities to help the companies you're working for mitigate these problems.

Now, if you're the person that's mitigating them, well, now you have another tool in your proverbial tool chest to help mitigate some of the risks you're going to be running into, so it's important that you have that and you provide this to them. One statistic I thought was interesting in here: a UK government report from April of '23 found that a third, that's 32%, of UK businesses suffered a security breach or cyber attack in the previous 12 months. Now, this is April of '23, so coming up on a little under a year from today, which is January of '24. Over the previous 24 months that rises to 59% for medium-sized businesses. So that's pretty substantial as it relates to the overall SMB environment. And I would say, from an attacker's perspective, SMBs, the small and medium-sized businesses, are targeted strongly. I mean, they really truly are. They're the ones that we, the hackers, would focus on, because they know that in most cases they don't have the resources to protect themselves. They'd probably be more on the medium-sized businesses, personally, just because there's usually more money in the medium-sized companies than there is in the small businesses. But if you're a bad guy or girl, you say, you know what, wherever I get the money, I'll get the money, and if I've got to squeeze it out of small businesses, then that's what I'd do. It's a really bad way to look at life, but that's how they think about it. At least that's how we anticipate they think about it, because having been a hacker for a few years, it was one of those things where that's how we're supposed to think. Okay, so we're going to roll into domain 2.5, and this is end of life and end of support. I'm also going to say something about the first time I did this. When I say that, you're probably asking why.

The first time, yeah, I've recorded this twice now, because you've got to make sure you have all of your connections correct. I hate it when I do that. There's nothing worse than recording a podcast twice, because you lose... yeah. But it does get better the second time, I will say that. So we're going to be talking about end of life and end of support as it relates to the CISSP, and this is related to domain 2.5. The ultimate goal is to understand end of life and end of support, and when it comes to the CISSP exam, how do you deal with that? What is the overall purpose behind that?

Now, before we get started, I want to put a little plug out there for CISSP Cyber Training. Go check it out. I've got a lot of great content for you. Obviously I want to put that out there; it's available to help you pass your CISSP exam. There's a lot of awesome stuff there, and I'm actually coming up with something new that's going to go into my blueprint, which is going to tie together all of the chapters of the CISSP book, the podcasts that are tied to them, and where we're at. So you'll be able to see that; you'll have access to it, to know where to go look in the book, and then also to look and see if there's been a podcast done for it as well. So obviously I have my training that's available to you, where we've gone through the entire book. But I also go through each different section of the book on the podcast and talk about them in depth. Hence, that's why we're going to be talking about end of life and end of support today.

So think of end of life as the sunset of an asset. When it's going away, it's end of life, right? It doesn't need to be around anymore. Once it reaches that, the manufacturer will stop producing it, meaning no more new units of that product will be made.
Spare parts will be hard to find. I've seen a situation where, if there's a device that is very critical to a business, individuals go and buy these off of eBay and store them in a closet somewhere in the event that that system goes down. That's a really bad way of running a business, but sometimes you have to do it that way, because for the older system either there's no manufacturing process for it, or it may cost you gazillions of dollars and your profit margins aren't high enough that you can actually make any money at it. So sometimes that happens. So that's when it goes to end of life, and this is where all this equipment can be extremely scarce or expensive to have, and then finding the people to even repair it can be challenging. I've seen it where people are working on really old systems; yeah, you've got to have a retainer with a bunch of really old guys with long beards, because they've been around forever and they manage those systems. So they're out there, you can find them. They're really old, but they still do a good job on what they're working on. Now, some manufacturers may offer a limited repair service for a period after end of life, but this service typically is phased out eventually and you won't be able to access it. So that's extended support, which we'll talk about here in just a little bit, but it's very limited, and do not use that as a thought process where, well, I can just stay on extended support for a period of time. Yeah, no, you can't do that. That will go away too, kind of like the dodo bird; it eventually died.

Now we're dealing with end of support. This is where the support chain actually stops. At that point, that's when you don't have security patches, you don't have bug fixes and you don't have driver updates. All of that will go away when you have your end of support. Time runs out, the piece of equipment turns into a pumpkin and you can't use it anymore. So it's important that you understand that, because there might be situations where you're willing to accept the security patches not being updated for a period of time. If that's the case, and I've seen this happen, you can go two, three, four, five years, maybe, if you've put this in a protected bubble or a protected environment. That may be acceptable, depending upon the risk and the situation you're dealing with. However, that's not a way you want to operate your business long term. So you'll need to have a plan for how you get off of the end of life and end of support train, because if you can't patch it, you can't fix bugs in it and you can't do driver updates, you are setting yourself up for a potential bad, bad day. So that's something to consider as you're going down this path.

Now, there are risks of retaining end of life and end of support assets. If you go to a company, if you haven't been hired or if you're not working at one right now, that's great. When you get hired, you'll find out there are a lot of end of support and end of life assets. Not all companies are this way, because there might be a requirement from a compliance standpoint, but most companies have end of life assets that they're dealing with. You're going to run into it, you're going to see it, so just plan on that. Now, if you're already working at a company, you know what I'm talking about, right? You already know that there's a bunch of end of life systems that you're dealing with, and the hackers know this too, and hence they're hoping that you don't patch them and get them fixed, because they want to leverage them. So there's some risk in managing this issue. And what are some of these risks? Obviously, increased security vulnerabilities are a big factor when you're dealing with end of life and end of support assets. When they are able to gain unauthorized access, they can steal the data, they can disrupt operations. All of those factors can come into play, and so, therefore, it's important that you obviously update your systems, and even though it might be a very mundane or very simple vulnerability, a bad guy or girl can leverage it. Now you have to weigh the risks. Is this system front-facing? What I mean by that is, is it on the internet? Is this system dealing with critical operations? All of those things you're going to have to play through in your mind: do we want to retain an end of life or end of support system? You also may run into compliance issues, so there might be regulatory requirements that are forcing you to update these systems. One example of that is in the United States Defense Department. There's a thing called CMMC, which is the Cybersecurity Maturity Model Certification, and this is for the defense industry. You have to have your systems updated and operational, and basically in a way that they can't get hacked from being old, to maintain that certification. You're going to have to ensure that you have an end of life process to ensure that these systems are not end of life anymore. So it's important that you have that, because if you don't have that in the United States, you cannot work for the Defense Department, and this isn't just for the main players like the Boeings and the Lockheeds. This is for the subcontractors that are making the widgets that go into the missile system or the space shuttle or space systems; those subcontractors have to maintain this maturity certification as well.
So it's important that you have that understanding and you work with your compliance folks to make sure you meet it, because you don't want to lose business or not get a contract because of having end of life systems that should have been replaced.

Reduced functionality and performance: end of life systems and assets may not be compatible with new software that's coming out. I've seen this time and again where they had a really old system and they virtualized it and put it on a new virtual farm, and they did that because the software wasn't compatible. The problem is, when you're dealing with an 8-bit processor and you're putting it on a 64-bit processor, that doesn't work so well, and things don't work real well. So, therefore, what ends up happening is you have to do a lot of voodoo magic to make that system work. So you're going to run into problems when it comes to the software integrating with the hardware, and then how do you work through that? And then, as time goes on, the individual that was maintaining that and got that voodoo magic operational, that little system that Billy Bob has as his pet project, well, Billy Bob gets a new job and moves on someplace else, or Billy Bob retires because he's so old. What are you going to do? How are you going to handle it? The other thing you run into is that outdated software may suffer from performance issues, leading to slowdowns or crashes. You also have to consider the operational disruptions that occur from this, because, let's say, these systems are in your critical areas within your business and now, all of a sudden, your business comes to a screeching halt because this system doesn't work anymore. Hence, this is why I talked about having that device they bought off eBay sitting in the closet. The problem with even doing that is you're making the assumption that when you pull it out of the closet, it's going to work. It may not work, and so you've spent all this time and money thinking, hey, it's going to work, it's going to work, and then you try to boot it up and, yeah, it doesn't work. So obviously, if you're going to do that, you're going to want to make sure that that system is operational before you put it back in the closet, and that may or may not be as easy as you may think. So it's just a really bad idea. You can do it as a band-aid approach, but the moment you start accepting these kinds of risks and continuing to build your operations on them, it does cut into the bottom line, right? When you have to put new systems in, it costs a lot of money, and therefore, if your margins are tight, you don't want to do it. But on the flip side, what happens if you go down and you can't make anything? So let's just say that million dollars it would have cost you to keep your business operational: you now are losing a million dollars a week, and you're down for a week. Well, was it worth it? Yeah, it would have been worth it. But as a CISSP and as a security professional, you are going to have to explain that to the leaders so that they understand the overall situation. And again, you don't want to have these disruptions. This applies from a hardware standpoint and from a software standpoint.

Now, what are some strategies for managing your end-of-life and end-of-support assets? You want to look at proactive inventory and risk assessments. This would be conducting a regular inventory of all your assets, and you want to have that taken care of: their models, their ages, the software that's loaded on them, the dates that they go end of life and end of support. And you want to understand the security risks associated with each one of these, based on its age, criticality and the potential vulnerabilities it may have. I also want to throw in there that, when I say criticality, you may want to consider its location within the network. If a system is front-facing, which I mentioned earlier, on the internet, then you may want to consider that at a higher risk than something that might be in the bowels of your overall system, because if it's sitting way down deep in your business network, it's still a risk, but it may not be as substantial as the one that's sitting on the front-facing part of your internet presence. So just consider that as well. You then want to prioritize your efforts based on the identified risks and your organization's risk tolerance. Each organization has a risk tolerance, and each organization will consider it differently. Now, I will tell you their risk tolerance today may be different than what it is tomorrow, and what it is today may be different after you convince them that their risk tolerance is probably flawed. So it's up to you to help influence them in a direction that will be successful.

You want to develop an asset retirement plan, and it isn't like your 401k. You need to have one of those too, true, but you need to have a plan for your assets: how you're going to take them out of service and how you're going to retire them. How do you upgrade to new versions? This is also the preferred option for high-risk or critical assets. You want to have an upgrade path for these systems and, ideally, you want to replace them with a new asset. Now, one thing to consider is, if you do have older assets that are still not end of life or end of support, which were pulled off the line because a new system came online, you may want to consider repurposing these if you have to be cost-conscious, which is what we all want to be. You may want to consider repurposing these older systems to replace the ones that are end of life or end of support. It may give you a few more years before you have to come back and address it.
Now you have to ask yourself, from an opportunity cost perspective, is it worth doing that work twice versus just doing it once? But those are things you're going to have to consider when you're mitigating these end of life and end of support aspects. And then again, if they're retired, you may want to consider putting them into potentially low-risk locations. But again, I bring it back to the opportunity cost piece of this and doing double work. You may not want to have to do the work twice. But you want to set clear timelines for each of these actions and allocate the necessary resources to get this done.

You want to consider extended support options. Now, we talked about that just briefly at the beginning. What is that? Most manufacturers will offer you extended support for their hardware and software, which will buy you some time; as long as you pay them enough money, they will keep your system alive. Now, again, it still will turn into a pumpkin; it's still going to end up dying at some point. You can't run this out forever. I've had to deal with this numerous times, where it costs a lot of money and the businesses are willing to accept it in certain cases. They go, well, okay, I'll spend an extra $2,000 a month for extended support, versus it costing me a million dollars this year to put in this new system. Okay, that may make sense, but it's still going to stop at some point. You may get a year, two years out of this, and so maybe it cost you $50,000 to save yourself a million. You're still going to have that million dollar price tag, and now, because of inflation, it's actually $1.2 million in two years. So those are the things you're going to have to work through with your business leaders to make sure they understand this as well. And when should you consider extended support? You need to evaluate the security risk of using extended support, and this is where I come back to it. In some cases, the hardware might be supported and the software might be mostly supported, but maybe not completely. So then you have to consider: is my exposure from a hacker's perspective still there? Is it worth spending the extra money? And it might be for a year. I mean, personally, I've seen this where a year is probably a good amount, and that gives you a little bit more time, more of an off-ramp to be able to upgrade these systems. But you need to really consider the plan when you're staying on extended support. I'm not a fan. I'm a fan of it to help get you out of a situation, but usually extended support is because you didn't have a good plan to begin with, and therefore that's why you're going on extended support. And I say that not pointing fingers at anybody, because I'm pointing fingers at myself: I didn't have a good plan, and therefore I ended up putting people on extended support, and it wasn't good and it cost a lot of money, but it was better than the alternative of just letting it go bad.

You want to look at secure disposal practices as well. When retiring the assets, how do you dispose of them? Because the assets themselves may have sensitive data. Also, e-waste is a big factor, where you have to handle these devices; they don't want you to just throw them in the landfill. So do you have a secure way of destroying them so that they're not polluting the environment? You may have a process by which, if you're dealing with sensitive data, there's a disposal process in which you hand them over to a company to dispose of them, and then they send you a letter of attestation, that big $10 word for a letter saying we blew it up, we destroyed it. You have to have that letter sometimes, depending upon compliance requirements; a regulatory body may require you to have that, saying that, yes, this system was wiped and it was physically destroyed. So you just want to consider how you want to deal with the physical destruction for highly sensitive assets and basically ensure that absolute data erasure has occurred on these systems.

Now, there are some other tools and resources that can be available to you during end of life. One is the manufacturer websites themselves. They may have an end of life and end of support process for you: how do you deal with the extended support, how do you deal with patches. They may have all of that for you. Many of the manufacturers do have something in line with this; not all of them, but a lot of them do, and they may have dedicated product lifecycle pages for support and knowledge bases on specific asset models as well, on how to deal with that. So the manufacturer websites are a really good resource to get information about the devices themselves. I will say that obviously not all of them are that way, but it's a great resource to go back to. Industry associations: SANS and NIST in the United States offer valuable resources on how to deal with asset lifecycle management. I would highly recommend you go look at those. I'm sure the UK and other countries, China, have them as well, on how they deal with the assets. They try to define that to the point where they take the guesswork out of it, because they're making the assumption that not everybody understands what to do with it. So they've provided this information, and there's no real training. I mean, honestly, CISSP Cyber Training can provide you a lot of things you need for your business from a security standpoint, or what you need to do to manage your risk, and so therefore there's just not a lot of training out there. More or less, they get you out of college as a graduate.
They put a stamp on you that you're now a security professional, and you're in business.

Some other things to consider as you're looking at end of life and end of support are compliance and regulatory requirements. We talked about how important it is from an industry regulation standpoint that you have this defined well within your organization. And it could be the situation where, if you don't comply with end of life and end of support requirements, you could deal with hefty fines or potentially even reputational damage. So it's important that you work with your compliance folks, if you have some, to determine: are there any requirements for your organization? You also want to determine if there are any internal policies that you may have around end of life and end of support. Now, the policies could be internal within your company. They also could be from third parties that you work with. Let's say, for instance, you are a company that provides supplies or information to another company, and you have to maintain end of life and end of support documentation for them. So there may be that situation where you have to ensure that you meet their policies, not just your own. So it's an important piece that you work with your internal folks to make sure that you understand all of the potential regulatory requirements and/or compliance requirements to maintain end of life and end of support.

Now, when we're dealing with business continuity and disaster recovery, if you're not connected with BCDR, we talked about this a lot on CISSP Cyber Training around business resiliency, and you want to ensure that your business stays resilient in the event that there could be a cyber incident of some kind. Therefore, you need to have a business continuity and disaster recovery plan in place. Well, you need to know about these critical systems that are running your critical environment, right? They're running your business, your shop, your manufacturing facilities, whatever they might be. Are they end of life, and are they end of service? If they are, then you need to ensure that you get them upgraded as soon as possible to ensure that you're mitigating that level of risk. Now, again, you may be in a situation where your company can't do that at this moment. You need to have a good plan on how to mitigate that risk short term, and then the long-term plan of actually upgrading these systems so they are no longer a problem for your company. You need to develop some fallback plans as well: if something were to happen, how do you deal with it? Is it the server that is sitting in your closet? Maybe you have a virtual farm environment that's already stood up and ready to go, and in the event something bad happens, you can fall back to that. So you need to look at and understand the temporary workarounds, failover systems, and then potentially expedite your upgrade schedule to ensure that these systems are at the highest level they can be, especially if they're critical. Now, again, you've got to take a risk-based approach to this, but you need to truly understand the critical components within your organization so that you can best protect the company from a cyber incident.

Third-party support and open source alternatives: there are some third-party support options out there that can help you with your end of life and end of support systems. You may want to engage with those to have them come and take care of this for you. That's a possibility, and I will tell you it won't be inexpensive, but based on your manpower constraints, something you might consider is hiring a third party to help you with this. It could be a cost-effective solution for you. You just have to weigh that out against what your overall organization's plans are. You want to consider any open source alternatives, where sometimes there may be different aspects of using open source products. I'm not a big fan of it, just because of the fact that it is open source. Now, that doesn't mean that open source is bad. There are a lot of great things that come out of open source, but if I'm dealing with critical infrastructure within my organization, I may not want to put that on an open source platform. But you have to weigh that risk out and determine: is that a way that can maybe get you from the situation you're in right now, where you need something immediately, to the point where you can actually bring up a new system? Maybe that's a good band-aid or a good off-ramp to help you. Again, you've got to very, very carefully vet the security around that open source product, whatever it might be that you're utilizing, before you would potentially adopt it.

Then we're dealing with employee awareness and training. That's an important factor, just because, as I've learned over the years, if I teach the people that I work with, my employees, to understand these end-of-life systems, if I teach them how to manage these systems, then when things go bad they can reach out to me and say, hey, we had a problem with this server. I've also seen it numerous times in these end-of-life situations where, if I've taught the employees that if they run into a situation where there's an end-of-life server they should let us know ahead of time, right, well, I've had numerous situations where an employee will go and tell me all of a sudden, hey, this system is going to be end-of-life, and I go, I didn't even know it existed.
And there have been plenty of times where these systems have just miraculously appeared that I didn't even know existed within our organization, and that's happened to me throughout my entire career in cybersecurity. So it is a great thing if you can teach employees the importance of end-of-life and that they should get ahead of this and tell you before you end up getting into a situation where it, no kidding, is end-of-life. That is a great relationship, because in cybersecurity it's all about influencing and helping manage the relationships with individuals within your organization.

Then the last thing I want to get into is continuous monitoring and improvement. You really want to ensure that you have all of these systems up to date, that your end-of-life and end-of-service dates are monitored. You want to have this in a centralized location where people can determine that. Now, at the same time, you want to ensure that this is well protected, because you don't want a spreadsheet sitting out there with all of your computer names, when they go end-of-life and their vulnerabilities. That would be a very target-rich environment for some bad guys and gals. So it's important that you protect that, but at the same time have a way that you can manage this in a way that keeps them up to date and current. So you really want to understand your strategy. What is the plan that you have for your organization? How are you going to get there? And then start working your plan. It's really important that you at least come up with some plan. Focus on your critical systems first, address those immediately, then your next, and so on and so forth, and that way, at least at a minimum, you're trying to eat the proverbial elephant one bite at a time. That is how you go about it, at least getting from a position of not having a good program to being in a position where you at least have a viable program available to you.

All right, that's all I have for today. Again, check out next Thursday; we will have the CISSP exam questions that are tied to this podcast. Also, go to CISSP Cyber Training to gain access to some really great content that's there and available for you. You'll see my Blueprint is amazing. People talk about my Blueprint; they think it's the greatest thing to help them get through the test and to basically get through the studying for the test. It's just a programmatic approach to studying for the test to ensure that you have all the tools you need to pass the CISSP exam the first time. All right, have a great day and we will catch you all on the flip side. See you.
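The episode describes the inventory-and-prioritization approach in prose: record each asset's model, software and end-of-life/end-of-support dates, classify whether it is still supported, on paid extended support, or unsupported, weight by criticality and by whether it is internet-facing, and work the list from the top. The Python below is an added example written for this page, not code from the podcast or from CISSP Cyber Training. The sample inventory is constructed, and the scoring weights, the 180-day early-warning window and the "internet-facing doubles the score" rule are assumptions chosen for illustration; any real program would tune them to the organization's own risk tolerance. The status_summary function exists because of the caveat at the end of the episode: it returns counts only, with no hostnames or models, so it can be circulated more widely than the full inventory.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    model: str
    software: str
    end_of_life: Optional[date]            # vendor stops making new units and spares
    end_of_support: Optional[date]         # vendor stops patches, bug fixes, driver updates
    extended_support_until: Optional[date] # paid extended-support contract, if purchased
    internet_facing: bool                  # "front-facing" in the episode's terms
    criticality: str                       # "high", "medium" or "low"


# Assumed weights: higher means "fix sooner".
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
STATUS_WEIGHT = {"unsupported": 3, "extended": 2, "eos_soon": 1, "supported": 0}
EOS_WARNING_WINDOW = timedelta(days=180)   # assumed planning horizon before end of support


def support_status(asset: Asset, today: date) -> str:
    """Classify an asset as 'supported', 'eos_soon', 'extended' or 'unsupported'.

    Extended support only counts while the contract is still running; after
    that the asset is treated exactly like one that was never extended.
    """
    eos = asset.end_of_support
    if eos is None or today < eos:
        if eos is not None and eos - today <= EOS_WARNING_WINDOW:
            return "eos_soon"
        return "supported"
    ext = asset.extended_support_until
    if ext is not None and today < ext:
        return "extended"
    return "unsupported"


def risk_score(asset: Asset, today: date) -> int:
    """Support status times criticality; internet exposure doubles the result."""
    base = STATUS_WEIGHT[support_status(asset, today)] * CRITICALITY_WEIGHT[asset.criticality]
    return base * 2 if asset.internet_facing else base


def retirement_plan(assets: List[Asset], today: date) -> List[Tuple[Asset, str, int]]:
    """Rank assets that need action, highest score first.

    Ties are broken by the earliest end-of-support date, then by name, so the
    ordering is stable and explainable to leadership.
    """
    scored = [(a, support_status(a, today), risk_score(a, today)) for a in assets]
    scored = [row for row in scored if row[2] > 0]
    return sorted(scored, key=lambda row: (-row[2], row[0].end_of_support or date.max, row[0].name))


def status_summary(assets: List[Asset], today: date) -> Dict[str, int]:
    """Counts per status only, with no hostnames or models: safe to circulate."""
    return dict(Counter(support_status(a, today) for a in assets))


# Constructed sample inventory (hypothetical hosts, models and dates).
INVENTORY = [
    Asset("plc-gw-01", "LegacyGW 2000", "GWOS 3.1", date(2018, 6, 30), date(2021, 6, 30),
          None, True, "high"),
    Asset("erp-db-02", "DBAppliance X", "DBOS 7", date(2020, 1, 1), date(2023, 10, 31),
          date(2025, 10, 31), False, "high"),
    Asset("hr-file-01", "FileSrv 300", "FileOS 5.2", date(2022, 3, 1), date(2024, 5, 31),
          None, False, "medium"),
    Asset("web-cms-03", "WebBox 9", "CMS 12", None, date(2026, 12, 31),
          None, True, "medium"),
    Asset("lab-print-09", "PrintCtl 1", "PrintFW 2.0", date(2016, 1, 1), date(2019, 1, 1),
          None, False, "low"),
]


if __name__ == "__main__":
    today = date(2024, 1, 15)  # the episode's air date, used as the reference day
    for asset, status, score in retirement_plan(INVENTORY, today):
        print(f"{score:3d}  {status:<12} {asset.name:<14} EOS {asset.end_of_support}")
    print(status_summary(INVENTORY, today))
```

Run as a script it prints the ranked list (the internet-facing, unsupported, high-criticality gateway lands on top) followed by the shareable count summary. Extended support is deliberately scored above "end of support coming soon" but below "unsupported": it buys time, as the episode says, but the asset is already past the vendor's normal support date and will fall into the unsupported bucket the day the contract lapses.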

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
