Security Threats Imminent For Customers Refusing To Migrate Off Windows Server 2003
Are your customers opting to roll the Windows Server 2003 security dice?
For companies that don't make the move to migrate off Windows Server 2003 before Microsoft ends support in two months, there will be significant security implications, possibly putting businesses at a big risk for a breach, security experts said.
"We expect attacks will peak around July 14 when support officially ends, as [Server 2003] will then be one of the least secure systems in existence," said Piero De Paoli, senior director of global enterprise security product marketing at Symantec.
As of mid-July, Microsoft will no longer issue patches and security updates for its Server 2003 operating system. For perspective, Microsoft issued 61 Server 2003 security bulletins last year and 25 so far this year.
[Related: 10 Keys To Upgrading Windows Server 2003]
When patch and update releases end this summer, "the potential for vulnerabilities duplicates by many times," said Chris Strand, senior director of compliance programs for security vendor Bit9 + Carbon Black.
Despite the potential for threats, 30 percent of enterprises plan to continue running Server 2003 environments past the July 14 deadline, which translates to around 2.7 million unprotected servers, according to a March survey of 500 medium and large enterprise IT leaders in the U.S. and U.K conducted by Bit9 + Carbon Black. The same survey found that 14 percent of enterprises did not yet have any upgrade plan in place.
A system remaining on the Server 2003 operating system is essentially an open door for attackers looking for the path of least resistance into an organization's infrastructure, security solution providers said.
"As soon as they find you've got these old machines in these organizations, that's going to be the easiest target," said Steve Andrews, consulting manager and senior solutions architect at St. Louis, Mo.-based solution provider Perficient.
More significantly, having a "weak link" such as a server running an out-of-date operating system can be an open door for attackers, potentially compromising the entire organization, said Samad Ali, vice president of HP Solutions at New York City-based Logicalis U.S.
"Your ecosystem is only as strong as your weakest link," Ali said. "Security is not a joke, as we've seen in the most recent headlines," Ali continued. "We just want to make sure you don't have a weak link in the environment."
Without Server 2003 patches and updates for known vulnerabilities, companies will be at an immediate risk of compromise and mega breaches, such as the ones that hit Target, Home Depot and other major companies in the past two years, experts agreed.
"Unprotected systems make organizations more susceptible to data breaches, loss of critical, confidential data, and business disruption such as an inability to run mission critical transactions or deliver customer services – all of which damage the brand and the customer's trust. On top of that, organizations incur the costs associated with system remediation, investigation, customer care and potential lawsuits following the attack," Symantec's DePaoli said.
Sticking with systems that are running on an unsupported operating system could be particularly dangerous for companies governed by regulations such as HIPPA or PCI, which could open themselves up to compliance violations and hefty fines.
However, with all the risks, why are businesses holding back as the end-of-support date looms? One reason, the security experts said, is lack of education. According to the Bit9 + Carbon Black survey, 57 percent of enterprises didn't know when the end of life deadline is. Second, many organizations have a lack of visibility into their systems and don't know if they have any systems running Server 2003, let alone if those systems are tied to critical functions.
"It's out of sight, out of mind," Strand said. "Many organizations don't realize how exposed they are, nor do they have the visibility into their organization to understand where the vulnerabilities are."
In addition, legacy applications tailored to run on Server 2003 pose significant challenges to companies looking to migrate, solution providers said.
For customers forced to leave some environments on Server 2003, application control solutions and monitoring can provide some security measures around end-of-life systems. However, that is only a temporary solution, said SHI International Senior Solution Architect Garth Whitacre, noting that businesses ultimately will be forced to move to another platform.
"I think it definitely is going to be a temporary solution because the baseline is going to start to communicate risk," Whitacre said. "Adding additional controls is a temporary fix until you figure out a plan."
While the Server 2003 end-of-life date poses a significant security risk, solution provider and vendor experts agreed that it also opens up a large opportunity for customers to upgrade their approach to security for the long-term.
"The [Server 2003 end of life date] is really an excuse to take a moment to sit back and say, 'I'm going to change this anyways, why don't I make it something better?'" Logicalis's Ali said.
Updating that approach includes both embracing new technologies as well as a new attitude toward patching and lifecycle management, Bit9 + Carbon Black's Strand said. Just as with the end-of-life of Microsoft Windows XP last year, customers continue to exhibit "knee jerk reactions" to emergency upgrades, instead of planning ahead with a comprehensive life cycle management strategy. Strand said he hopes the costs and headaches associated with migrating off of Server 2003 at the last minute will help change that.
"That mentality has to change in terms of wrapping these systems up. That's a paradigm that definitely needs to change. We are getting there -- the situations we've been under with end-of-life systems so widely deployed have helped raise awareness," Strand said, adding, "For the security industry, this is great. It's fueled interest and it's fueled action in the marketplace for people to wake up a little bit and look at the situation they're in and pay attention to the industry."
PUBLISHED MAY 11, 2015