Vulnerabilities / Threats

3/25/2015
10:30 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Windows Server 2003 End-of-Life Survey Finds Nearly One in Three Companies Will Miss Deadline, Leaving Nearly 3 Million Servers Vulnerable to Breach

Poll of 500 U.S. and U.K. enterprises finds more than half do not know deadline date

WALTHAM, Mass.—March 25, 2015—Bit9® + Carbon Black®, the leader in endpoint threat prevention, detection and response, today announced the results of its “Windows Server 2003 (WS2K3) End-of-Life Survey,” which found that many companies have yet to migrate away from the server platform and remain woefully unprepared for the end of support from Microsoft.

An estimated 2.7 million servers—potentially containing hundreds of millions of files—will be unprotected after July 14, 2015, the end-of-life deadline, according to the survey Bit9 + Carbon Black conducted in February 2015.. Key findings from the survey—of IT leaders at 500 medium and large enterprises in the U.S. and U.K. with at least 500 employees--include:

-          Nearly one in three enterprises (30 percent) plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected

-          More than half of enterprises (57 percent) do not know when the end of life deadline is

-          14 percent of enterprises do not yet have an upgrade plan for WS2K3

Click here to download the survey report

Servers, including domain controllers and Web servers, are where most organizations’ critical information resides. So if organizations continue to run Windows Server 2003 without implementing appropriate compensating controls—such as application whitelisting—they will put customer records, trade secrets, and other highly valuable data at risk. Cyber criminals, hacktivists and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines and loss of customer trust.

“The Windows Server 2003 end-of-life deadline must not be taken lightly,” said Chris Strand, PCIP, senior director of compliance and governance for Bit9 + Carbon Black. “But based on the results of this survey, it appears that too many organizations are doing just that. With only about 100 days left until the end-of-life deadline, organizations yet to upgrade must immediately aim to get their WS2K3 systems into a compliant state to eliminate financial, and potential legal, penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance.”

With the critical role servers play at any enterprise, WS2K3 end of life presents an even greater risk than last year’s Windows XP end of life. Continued operation of unsecured WS2K3 systems can leave organizations exposed to “zero-day forever scenarios”—where new zero-day vulnerabilities are discovered and exploited by attackers and no publically available patch will ever be provided.

The results indicate that many IT managers are completely unprepared to meet the deadline, leaving their organizations scrambling to find compensating controls or risk being vulnerable to cyber attacks. The risks of running an operating system that can’t be patched are vast, including:

·         Breach and data compromise: since malware authors can get access to highly confidential information such as critical research and development plans, core business databases, consumer credit card/financial data or patient information.

·         Financial penalties: organizations can be fined for failure to pass compliance audits by being in a noncompliant state.

·         Loss of privileges: an organization can lose the right to process major credit card transactions and access to business-critical data.

·         Damage to corporate brand: often the most devastating consequence and can be difficult to remediate. According to the Nation Cyber Security Alliance, 60 percent of small and medium businesses that suffer a breach go out of business within six months.

 

What Organizations Can Do
For enterprises looking to address Windows Server 2003 end of life without upgrading, compensating controls should be considered to keep their systems secure and compliant after Microsoft support ends. Effective compensating controls for organizations without an upgrade plan include: network isolation, application whitelisting, and continuous server monitoring. The report explains each type of control.

Originally launched in 2003, Windows Server 2003 and its 2005 update, Windows Server 2003 R2, are relied upon by thousands of organizations for critical production workloads. There are approximately 9 million WS2K3 systems still in use.

About Bit9 + Carbon Black
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Former Student Admits to USB Killer Attack
Dark Reading Staff 4/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11332
PUBLISHED: 2019-04-18
MKCMS 5.0 allows remote attackers to take over arbitrary user accounts by posting a username and e-mail address to ucenter/repass.php, which triggers e-mail transmission with the password, as demonstrated by 123456.
CVE-2019-9161
PUBLISHED: 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.x...
CVE-2019-11015
PUBLISHED: 2019-04-18
A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access...
CVE-2019-11331
PUBLISHED: 2019-04-18
Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
CVE-2019-9160
PUBLISHED: 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string).