Are your customers opting to roll the Windows Server 2003 security dice?
For companies that do not migrate off Windows Server 2003 before Microsoft ends support in two months, the security implications will be significant, possibly putting them at serious risk of a breach, security experts said.
"We expect attacks will peak around July 14 when support officially ends, as [Server 2003] will then be one of the least secure systems in existence," said Piero De Paoli, senior director of global enterprise security product marketing at Symantec.
As of mid-July, Microsoft will no longer issue patches and security updates for its Server 2003 operating system. For perspective, Microsoft issued 61 Server 2003 security bulletins last year and 25 so far this year.
When patch and update releases end this summer, "the potential for vulnerabilities duplicates by many times," said Chris Strand, senior director of compliance programs for security vendor Bit9 + Carbon Black.
Despite the potential for threats, 30 percent of enterprises plan to continue running Server 2003 environments past the 14 July deadline, which translates to around 2.7 million unprotected servers, according to a March survey of 500 medium and large enterprise IT leaders in the US and UK conducted by Bit9 + Carbon Black. The same survey found that 14 percent of enterprises did not yet have any upgrade plan in place.
A system remaining on the Server 2003 operating system is essentially an open door for attackers looking for the path of least resistance into an organisation's infrastructure, security solution providers said.
More significantly, a single "weak link" such as a server running an out-of-date operating system can give an attacker a foothold from which the entire organisation may be compromised.
Without Server 2003 patches and updates for known vulnerabilities, companies will be at an immediate risk of compromise and mega breaches, such as the ones that hit Target, Home Depot and other major companies in the past two years, experts agreed.
"Unprotected systems make organizations more susceptible to data breaches, loss of critical, confidential data, and business disruption such as an inability to run mission critical transactions or deliver customer services – all of which damage the brand and the customer's trust. On top of that, organisations incur the costs associated with system remediation, investigation, customer care and potential lawsuits following the attack," Symantec's De Paoli said.
Sticking with systems that run on an unsupported operating system could be particularly dangerous for companies governed by regulations such as HIPAA or PCI, since it could expose them to compliance violations and hefty fines.
Given all these risks, why are businesses holding back as the end-of-support date looms?
One reason, the security experts said, is a lack of education. According to the Bit9 + Carbon Black survey, 57 percent of enterprises did not know when the end-of-life deadline was. Second, many organisations lack visibility into their own estate and do not know whether they have any systems running Server 2003, let alone whether those systems support critical functions.