Outdated digital infrastructure, including routers, network switches, and network-attached storage systems, has quietly emerged as a significant risk for organizations. While it may seem more cost-effective in the short term to maintain these aging devices in obscurity, doing so often means relying on outdated configurations that are no longer secured or supported by vendors. In light of the growing sophistication of cyber threats, especially with the advent of generative AI tools that facilitate the discovery of system vulnerabilities, Cisco has initiated a campaign to heighten awareness about these risks and to encourage organizations to modernize their infrastructure, including both Cisco products and those of various manufacturers still in use.
Named the “Resilient Infrastructure,” this initiative encompasses a range of activities, from research to industry engagement, along with strategic changes in how Cisco manages its legacy equipment. The company plans to introduce warnings for products approaching the end of their life cycle, ensuring that customers receive explicit alerts when attempting to use insecure configurations. Over time, Cisco aims to eliminate outdated settings and interoperability options deemed unsafe, reinforcing the message that maintaining legacy systems can expose organizations to unnecessary cyber risks.
“Aging infrastructure worldwide significantly heightens risk,” stated Anthony Grieco, Cisco’s chief security and trust officer. He emphasized that these outdated systems were not designed to withstand today’s threat landscape, and failing to upgrade them inadvertently opens the door for malicious actors.
A study conducted by WPI Strategy, an advisory firm based in the UK, examined the prevalence and ramifications of end-of-life technology across the critical national infrastructure of several countries, including the United States, United Kingdom, Germany, France, and Japan. The findings highlighted that the UK, followed closely by the US, faces the highest relative risk due to the widespread reliance on legacy technologies in vital sectors. In contrast, Japan exhibited the lowest relative risk, attributed to its commitment to regular upgrades and a strong national focus on digital resilience.
The research further indicates that cybersecurity incidents worldwide frequently result from attackers exploiting known vulnerabilities—issues that could often be mitigated by timely patching and upgrading outdated technology.
Eric Wenger, Cisco’s senior director for technology policy, remarked on the hidden costs associated with maintaining an outdated security status quo. He expressed hope that by elevating the discussion of these risks to a board-level issue, organizations would understand the critical need for investment in secure, up-to-date infrastructure. As an industry, he noted, there is a pressing need to make it more difficult for cyber adversaries to succeed in their attacks.
In terms of potential attack methodologies, various MITRE ATT&CK tactics come into play. For example, tactics related to initial access and persistence could be utilized by adversaries looking to exploit vulnerabilities in outdated systems. Techniques for privilege escalation may also be relevant, especially as attackers capitalize on insecure configurations that grant excessive access to sensitive data or systems.
As organizations face increasing pressure to enhance their cybersecurity posture, the implications of ignoring legacy infrastructure are dire. It is crucial for business owners to remain vigilant and proactive in addressing these vulnerabilities, ensuring that they are not inadvertently nurturing an environment conducive to cyber threats.
