Two-thirds of UK organizations currently running Windows Server 2003 will still be doing so after the end-of-life deadline on 14 July, with around a quarter of them exposing themselves to the risk of a serious breach, according to new research from Bit9 + Carbon Black.
The managed security service provider claimed that, of the organizations it surveyed which plan to continue running the popular server software, 23% are not planning to put any controls in place to mitigate the risk of attack.
Security tools like application whitelisting can reduce risk by ensuring that only authorized apps run on the network.
Further, of those who said they are planning to upgrade, 38% admitted they’re set to miss the July deadline.
Some 10% of those firms currently running Windows Server 2003 said they have no plans to migrate off the product at all.
Sticking with a product after support has been withdrawn without putting in place appropriate controls will expose organizations to the risk of zero-day exploits, as Microsoft will no longer be producing security fixes.
It could not only lead to a catastrophic breach – with all the attendant legal and remediation costs and damage to brand and shareholder value – but also the possibility of financial penalties for non-compliance with industry regulations, and even a revocation of the right to process card transactions, the firm said.
Ben Johnson, chief security strategist at Bit9 + Carbon Black, told Infosecurity that a combination of understaffing and a reluctance to migrate because servers are mission critical can lead to hesitation and delays to the upgrade path.
“Most companies’ appetite for risk is low, so when an easy solution isn’t immediately clear for how to proceed with technology end-of-life issues, the project typically does not become urgent until the deadline is looming and the situation catches fire,” he added.
“Even though we have gone through these end-of-life situations in the past, most recently with Windows XP, too many organizations may think they won’t be hit by an attack targeted at the EOL operating system. That said, once a company experiences that type of attack and the damage it can cause, they probably will never let themselves fall into that situation again.”
Hackers are likely to wait until support has ended before launching a renewed wave of attacks at organizations, he argued.
“That’s when exploits will become public and will be found in tools such as Metasploit, so anyone on the internet will be able to download and leverage these free tools to obtain unauthorized access to WS2K3 systems,” Johnson continued.
“We’ve seen it before with outdated Windows service-pack levels, where if an organization doesn’t have the latest service pack, they are vulnerable to many publicly available exploits.”
Bit9 + Carbon Black urged organizations planning to continue running Windows Server 2003 after support has ended to consider controls like network isolation, application whitelisting, and continuous server monitoring, which could help minimize risk.