
Forgotten Machines Become the Easy Way In

Old or poorly owned systems can quietly preserve the same weaknesses that modern security programmes think they have already fixed.


Introduction

One of the most durable cybersecurity lessons associated with the Gary McKinnon case is that attackers do not always need sophisticated techniques when forgotten systems remain exposed. McKinnon became known for searching military and NASA networks while pursuing claims about UFO-related information, yet the security lesson extends beyond his motives. The case highlighted how remote administration tools, weak credentials and poorly managed systems could remain accessible long after organisations believed they were adequately protected. Prosecutors alleged that remote-access software was installed on compromised systems and used to maintain access after entry. [Department of Justice]

The broader lesson is that legacy systems become dangerous when they drift outside normal ownership. A machine that nobody actively manages, inventories or retires can quietly preserve vulnerabilities that modern security programmes have already addressed elsewhere. In many organisations, the easiest route into a network is not the newest technology but the oldest machine that everyone forgot.

Forgotten Machines Become the Easy Way In

Legacy systems are often described as risky because they run old software. That is true, but age alone is rarely the main problem. The greater risk is organisational neglect.

A modern security programme may enforce multi-factor authentication, endpoint monitoring and regular patching across most of an environment. Yet a small number of ageing servers, remote-access gateways or specialist workstations may sit outside those controls because they support an old application, belong to a retired project, or were inherited during a merger. Over time, responsibility becomes unclear and visibility disappears.

This pattern helps explain why attackers frequently search for neglected assets rather than attacking the best-defended systems directly. Forgotten machines often have:

  • Outdated operating systems. [cisa.gov]
  • Missing security updates.
  • Old remote-management software. [justice.gov]
  • Shared or unchanged administrator credentials.
  • Little or no security monitoring.
  • Weak documentation about ownership or purpose.

Government guidance on legacy IT repeatedly emphasises that unsupported and obsolete systems create security risks that increase over time because new vulnerabilities continue to be discovered while patches stop arriving. [National Cyber Security Centre, GOV.UK Assets]

Why Legacy Systems Lose Ownership and Visibility

The problem is usually organisational, not technical

Many vulnerable legacy systems survive because they remain useful enough to keep running but not important enough to receive investment.

An application may support a niche operational process. A server may host historical data. A workstation may control specialist equipment that nobody wants to disrupt. Because replacement appears expensive or risky, organisations postpone retirement year after year.

Eventually, several warning signs emerge:

  • The original administrators leave.
  • Documentation becomes outdated.
  • Asset inventories become inaccurate.
  • Security teams assume someone else is responsible.
  • Business teams assume IT is managing the risk.

This ownership gap creates a blind spot. Modern asset-management programmes are designed to know what is connected to the network. Yet organisations continue to discover forgotten devices during audits, penetration tests and incident investigations. Recent guidance from the UK government and NCSC specifically treats legacy technology as a governance challenge requiring structured risk assessment rather than merely a technical maintenance issue. [GOV.UK]

Invisible systems often escape modern controls

Security improvements are frequently deployed prospectively rather than retrospectively.

An organisation may implement stronger authentication, endpoint detection or network segmentation for current systems while older platforms remain exempt because they cannot support the new controls. The result is a mixed environment where modern assets receive extensive protection and legacy assets receive very little.

This imbalance creates attractive targets. Attackers naturally look for the weakest point in the environment rather than confronting its strongest defences.

How Old Remote Access and Credentials Persist

The McKinnon case remains relevant partly because remote-access software and administrative credentials played a central role in allegations surrounding the intrusions. Prosecutors described the use of remote administration tools that allowed extensive control over compromised machines. [Department of Justice]

The underlying lesson remains familiar today.

Legacy systems often preserve historical access methods that would never be approved in a modern deployment. Examples include:

  • Administrative accounts that have not changed for years.
  • Shared passwords known by multiple staff.
  • Legacy remote-control applications.
  • Services exposed directly to the internet.
  • Authentication systems that predate modern identity management.

Even when an organisation upgrades most of its infrastructure, these older access paths may remain active because disabling them could interrupt business operations.

Security researchers and practitioners have repeatedly observed that unsupported or obsolete software tends to accumulate publicly known weaknesses. As vendors stop issuing updates, exploitation becomes easier and more accessible to lower-skilled attackers. [IASME]

The result is a paradox: some of the oldest systems become the most predictable targets because attackers know exactly which weaknesses are likely to remain present.

Why Unsupported Systems Stay Attractive to Attackers

A forgotten machine offers more than a technical vulnerability. It often provides operational advantages.

Attackers value systems that generate little attention. If a server is rarely used and seldom monitored, unusual activity may go unnoticed for longer. If logging is limited or unavailable, investigations become more difficult.

Unsupported systems also create a compounding problem. NCSC guidance notes that obsolete products eventually reach a point where new vulnerabilities continue to emerge but vendor support no longer exists to address them. [National Cyber Security Centre]

This means risk can increase even when the system itself never changes.

Recent government and infrastructure-security guidance continues to emphasise that unsupported internet-facing devices pose disproportionate risks because organisations lose the ability to rely on vendor fixes for newly discovered weaknesses. [CISA, Federal News Network]

From an attacker’s perspective, a forgotten legacy machine can therefore offer three advantages at once:

  1. Known vulnerabilities. [cisa.gov]
  2. Weak oversight.
  3. Trusted network positioning inside the organisation.

That combination often makes legacy assets softer targets than modern internet-facing systems.

Practical Ways to Find and Retire Exposed Machines

The most effective defence is not merely patching old systems but identifying them before attackers do.

Build an accurate inventory

Organisations cannot secure assets they do not know exist.

Asset inventories should include:

  • Servers.
  • Network appliances.
  • Remote-access systems. [justice.gov]
  • Specialist operational technology.
  • Test and development environments.
  • Cloud-hosted legacy workloads.

External attack-surface management tools are increasingly used to discover forgotten internet-facing assets and unsupported software. The NCSC highlights this capability as an important way to identify exposed systems and outdated services. [National Cyber Security Centre]

Assign clear ownership

Every system should have a named owner responsible for:

  • Security decisions.
  • Risk acceptance.
  • Upgrade planning.
  • Retirement schedules.

When ownership becomes ambiguous, security usually deteriorates.

Restrict legacy access paths

Where retirement is not immediately possible:

  • Remove unnecessary remote-access services.
  • Isolate legacy systems through network segmentation.
  • Enforce modern authentication controls where feasible.
  • Monitor privileged accounts closely.
  • Log and review administrative activity.

NCSC and CISA guidance consistently recommends reducing exposure and attack surface when obsolete systems must remain operational. [National Cyber Security Centre, CISA]

Plan for retirement rather than permanent exception

Temporary exceptions often become permanent. A stronger approach is to treat every legacy system as a migration project with a defined end state.

This shifts the conversation from “How do we live with this old system?” to “How do we remove it safely?”
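
An inventory reconciliation along the lines of the four steps above, as an added example that is not part of the original article: it compares an inventory export with what a discovery sweep observed and flags hosts that are unlisted, unowned, past end of support, unmonitored, missing a retirement date or reachable over remote administration. The CSV columns, host names, port map and sample data are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an inventory export and the
# hosts and open TCP ports that a discovery sweep of the network observed.
INVENTORY_CSV = """\
host,owner,os_support_ends,retire_by,monitored
app-01,payments-team,2030-01-01,,yes
hist-db,,2020-01-14,,no
lab-ws7,facilities,2023-01-10,2026-12-31,no
vpn-old,network-team,2024-06-30,,yes
"""
DISCOVERED = {
    "app-01": {443},
    "hist-db": {1433, 3389},
    "lab-ws7": {5900},
    "vpn-old": {443},
    "10.20.3.44": {23, 3389},  # answers on the network, absent from inventory
}
# Well-known ports of common remote-administration services.
REMOTE_ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}


def audit(inventory_csv, discovered, today):
    """Return {host: [findings]} for every host with at least one finding."""
    rows = {r["host"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    report = {}
    for host in sorted(set(rows) | set(discovered)):
        findings = []
        row = rows.get(host)
        if row is None:
            findings.append("not in inventory")
        else:
            if not row["owner"].strip():
                findings.append("no named owner")
            ends = row["os_support_ends"].strip()
            if ends and date.fromisoformat(ends) < today:
                findings.append("past end of support")
                retire = row["retire_by"].strip()
                if not retire:
                    findings.append("no retirement date")
                elif date.fromisoformat(retire) < today:
                    findings.append("retirement date missed")
            if row["monitored"].strip().lower() != "yes":
                findings.append("not monitored")
            if host not in discovered:
                findings.append("in inventory but not seen on network")
        exposed = sorted(REMOTE_ADMIN_PORTS[p]
                         for p in discovered.get(host, ()) if p in REMOTE_ADMIN_PORTS)
        if exposed:
            findings.append("remote admin reachable: " + ", ".join(exposed))
        if findings:
            report[host] = findings
    return report


def prioritise(report):
    """Hosts ordered by number of findings, most first; ties broken by name."""
    return sorted(report, key=lambda h: (-len(report[h]), h))


if __name__ == "__main__":
    result = audit(INVENTORY_CSV, DISCOVERED, date(2026, 3, 1))
    for host in prioritise(result):
        print(f"{host}: {'; '.join(result[host])}")
```

The host with the most findings is the one to take to an owner first; a host that appears only in the sweep has no owner to take it to, which is the gap the inventory step exists to close.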

The Lasting Lesson from Legacy Risk

The McKinnon case is often remembered because of its connection to UFO claims and military networks, but one of its most practical security lessons is much less dramatic. High-value organisations can still be vulnerable when forgotten systems preserve yesterday’s weaknesses. Allegations in the case repeatedly pointed toward weaknesses involving remote administration and poorly protected systems rather than exotic technical breakthroughs. [Department of Justice]

Modern security programmes frequently focus on new threats, new tools and new technologies. Legacy risk is different. It is the accumulation of old decisions that nobody revisits. Forgotten machines become soft targets not because they are ancient, but because they quietly fall outside the attention, ownership and visibility that effective security requires.

Endnotes

  1. Source: justice.gov
    Title: Department of Justice Indictment
    Link: https://www.justice.gov/archive/usao/nj/Press/files/pdffiles/Older/edva_mckinnon_indictment.pdf
    Source snippet

    Department of Justice, Indictment, January 24, 2012 — GARY MCKINNON. Defendant. Criminal No. 18 U.S.C. § 1030. Fraud and... Remot...

    Published: January 24, 2012

  2. Source: ncsc.gov.uk
    Title: obsolete products
    Link: https://www.ncsc.gov.uk/collection/device-security-guidance/managing-deployed-devices/obsolete-products
    Source snippet

    National Cyber Security Centre, Obsolete products, 29 Jun 2021 — If you decide to accept the risk of using obsolete systems and software, the...

  3. Source: assets.publishing.service.gov.uk
    Link: https://assets.publishing.service.gov.uk/media/5a758829e5274a545822c3e7/Obsolete_platforms_guidance.pdf
    Source snippet

    platforms guidance: This guidance is intended to help organisations that are unable to fully migrate away from obsolete or unsupported plat...

  4. Source: GOV.UK
    Title: guidance on the legacy it risk assessment framework
    Link: https://www.gov.uk/government/publications/guidance-on-the-legacy-it-risk-assessment-framework/guidance-on-the-legacy-it-risk-assessment-framework
    Source snippet

    13 Mar 2025 — This guidance outlines the Legacy IT Risk Assessment Framework, a qualitative risk-based approach designed to evaluate the...

  5. Source: ncsc.gov.uk
    Title: external attack surface management buyers guide
    Link: https://www.ncsc.gov.uk/guidance/external-attack-surface-management-buyers-guide
    Source snippet

    National Cyber Security Centre, External attack surface management (EASM) buyer's guide, 18 Sept 2025 — Software security: identifying unpatc...

  6. Source: iasme.co.uk
    Link: https://iasme.co.uk/articles/navigating-the-pitfalls-of-legacy-software/
    Source snippet

    Navigating the pitfalls of legacy software: The software is classed as 'legacy' or 'end of life' as it is no longer supported and there...

  7. Source: ncsc.gov.uk
    Title: keeping devices and software up to date
    Link: https://www.ncsc.gov.uk/collection/device-security-guidance/managing-deployed-devices/keeping-devices-and-software-up-to-date
    Source snippet

    National Cyber Security Centre, Keeping devices and software up to date, 29 Jun 2021 — This guidance will help you understand the security ri...

  8. Source: cisa.gov
    Title: reducing attack surface end support edge devices
    Link: https://www.cisa.gov/resources-tools/resources/reducing-attack-surface-end-support-edge-devices
    Source snippet

    Reducing the Attack Surface for End-of-Support Edge... 5 Feb 2026 — CISA: Guidance and Strategies to Protect... guidance for executi...

  9. Source: cisa.gov
    Link: https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/update-business-software
    Source snippet

    Update Business Software: Outdated software is one of the most significant security risks to your business. Criminals target known vulnerab...

  10. Source: justice.gov
    Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm
    Source snippet

    Department of Justice, London, England Hacker Indicted Under Computer Fraud... Gary McKinnon, of London, England, was indicted in Alexandri...

  11. Source: ncsc.gov.uk
    Link: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025/chapter-02-resilience-at-scale/defending-the-uks-critical-national-infrastructure
    Source snippet

    Defending the UK's critical national infrastructure, 14 Oct 2025 — Over the next year, the NCSC will be focused on helping organisations to...

  12. Source: ncsc.gov.uk
    Title: principle 1
    Link: https://www.ncsc.gov.uk/collection/operational-technology/secure-connectivity/principle-1
    Source snippet

    Balance the risk and opportunities, 14 Jan 2026 — The NCSC's Device security guidance on managing obsolete products. ASD guidance on Managi...

  13. Source: ncsc.gov.uk
    Title: getting your organisation ready for windows 11 upgrade before autumn 2025
    Link: https://www.ncsc.gov.uk/blog-post/getting-your-organisation-ready-for-windows-11-upgrade-before-autumn-2025
    Source snippet

    Upgrade before Windows 10 end of life October 2025, 14 Jul 2025 — We strongly advise any organisation that isn't already on Windows 11 to p...

  14. Source: ncsc.gov.uk
    Link: https://www.ncsc.gov.uk/collection/operational-technology/secure-connectivity/principle-6
    Source snippet

    Principle 6: Limit the impact of compromise, 14 Jan 2026 — Contamination can occur through infected devices, vulnerable software updates, o...

  15. Source: justice.gov
    Title: British National Charged with Hacking Into N.J
    Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict2.htm
    Source snippet

    seven-count Virginia Indictment charges McKinnon for intrusions into 92 computer systems belonging to the U.S. Army, Navy, A...

  16. Source: GOV.UK
    Title: latest on gary mckinnon case
    Link: https://www.gov.uk/government/news/latest-on-gary-mckinnon-case
    Source snippet

    on Gary McKinnon case, 4 Nov 2010 — Mr McKinnon is accused by US authorities of the unauthorised access of 97 government computers concerne...

  17. Source: time.com
    Title: hack attack 2
    Link: https://time.com/archive/6943962/hack-attack-2/
    Source snippet

    Hack Attack, 30 Jul 2008 — The July 30 decision by Britain's Court of Appeal to allow the extradition of alleged cyber-hacker Gary McKinnon...

  18. Source: cyber.gov.au
    Title: managing the risks of legacy it practitioner guidance
    Link: https://www.cyber.gov.au/business-government/protecting-devices-systems/legacy-technology-management/managing-the-risks-of-legacy-it-practitioner-guidance
    Source snippet

    Managing the risks of legacy IT: Practitioner guidance, 11 Apr 2024 — This publication provides guidance for practitioners on managing the...

  19. Source: federalnewsnetwork.com
    Title: cisa tells agencies to identify upgrade unsupported edge devices
    Link: https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-tells-agencies-to-identify-upgrade-unsupported-edge-devices/
    Source snippet

    Federal News Network, CISA tells agencies to identify, upgrade unsupported edge... 5 Feb 2026 — “When a product is no longer supported by i...

  20. Source: schneier.com
    Title: Gary McKinnon
    Link: https://www.schneier.com/blog/archives/2008/08/garuy_mckinnon.html
    Source snippet

    Gary McKinnon - Schneier on Security, August 4, 2008 — The interview I saw with McKinnon implied that he just hit systems with the default...

    Published: August 4, 2008

  21. Source: Wikipedia
    Title: Gary McKinnon
    Link: https://en.wikipedia.org/wiki/Gary_McKinnon
    Source snippet

    Gary McKinnon: Gary McKinnon (born February 1966) is a Scottish systems administrator and hacker who was accused by a US prosecutor in 2...

  22. Source: abitus.co.jp
    Link: https://www.abitus.co.jp/cisa/about/feature/
    Source snippet

    Abitus: CISA®, meaning certified information systems auditor, is the abbreviation of "Certified Information Systems Auditor". A leading role in information systems auditing, security and control...

  23. Source: dsptoolkit.nhs.uk
    Link: https://www.dsptoolkit.nhs.uk/News/Attachment/765

  24. Source: cyber.gc.ca
    Title: Obsolete products
    Link: https://www.cyber.gc.ca/en/guidance/obsolete-products-itsap00095
    Source snippet

    ITSAP.00.095, 7 Mar 2023 — This document offers some guidance on how to minimize risks as your organization transitions away from obsolete...
