These could include:
- Legacy IT systems which have been replaced.
- Systems or infrastructure no longer used owing to a merger or acquisition.
- Systems which have been used for testing or proof of concept.
- Servers which have been replaced by cloud storage.
- Redundant web servers.
When such a service is no longer needed, it should be thoroughly decommissioned so as not to pose a security risk.
Some services may still be necessary for certain purposes or users, making restriction rather than total decommissioning more appropriate.
The potential consequences are the same as with any other vulnerable information system, including:
- A direct risk when a service is inadvertently left running and accessible.
- Secondary risks resulting from failure to remove components such as binary executables or configuration files, useful to a hacker attempting a multi-layered attack.
Not having an effective decommissioning strategy and regime may result in your organisation believing that a service has been shut down when in fact it has not, or simply forgetting that it exists.
How to decommission unnecessary services
- Conduct regular and comprehensive IT audits across all sites to determine the existence of unnecessary or redundant services, equipment or infrastructure.
- Use periodic port-scanning to check for unnecessary services.
- Be aware of all components of a service so that you can make ensure total decommissioning or selective restricted use.
- Maintain a list of which services should be made available.
- Completely decommission any service that is not necessary.
- Maintain the same security procedures on services which are planned to be decommissioned, as any other, live services, including penetration testing where appropriate.
- Restrict services that are still necessary for some purposes and ensure that those intended for local use only are not made publicly available.
- Make a record of any temporary services which you will eventually need to disable.
- Perform thoroughly post-decommissioning checks to ensure that the procedure has succeeded. Use systematic tools such as port scanners to do this where possible.
- Ensure that any decommissioned hardware is disposed of in a safe, appropriate and compliant manner.