Trend Micro: Patching Legacy Systems Is Easier Said Than Done
INTERVIEW: Simon Edwards, cyber security architect at Trend Micro, discusses WannaCry at Silicon’s Infosecurity stand
WannaCry’s spread and the havoc the ransomware wrought has been laid firmly at the doorstep of legacy systems.
But there is an argument that in the case of the NHS, old software is embedded at the heart of expensive medical systems with long working life expectancy, making patching and updating operating systems and software a much more daunting task than following a digital transformation doctrine.
At Silicon‘s stand in Infosecurity 2017. Simon Edwards, cyber security architect at Trend Micro, explained that cyber security in large organisations such as the NHS, use machine with embedded systems that they cannot patch as the ownership of the computer at the core of a machine lies with the vendor not the user.
Languishing in legacy
“The NHS took a lot of criticism because of unpatched systems and things like that and it’s something we’ve been picking up for the last 12 to 18 months now, which is a lot of these systems they can’t patch,” said Edwards.
“So if you think about it, [hospitals] go an spend a million pounds on an MRI scanner or a blood analysis system and in the middle of this is a computer but obviously the scanner is the important bit, and the hospitals don’t own that PC that’s sitting at the core part of it, the vendors; whoever supplied the MRI scanner.
“And so it falls out of the scope of their [the hospital’s] security policy so they couldn’t patch it and the vendor won’t patch it because the MRI scanner will probably stop working, so what we end up with is a whole bunch of legacy systems that nobody can do anything about,”
Edwards explained that Trend Micro works with organisations to combat this with a virtual patching system, but the scale of legacy systems, notably in the public sector, is a significant challenge to overcome.
For the full interview check out the video above.
There was plenty more going on at the Silicon stand, with interviews with Symantec on IT integration and security, and a chat with Darktrace on IoT insider security threats.