Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/25/2015
10:30 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Windows Server 2003 End-of-Life Survey Finds Nearly One in Three Companies Will Miss Deadline, Leaving Nearly 3 Million Servers Vulnerable to Breach

Poll of 500 U.S. and U.K. enterprises finds more than half do not know deadline date

WALTHAM, Mass.—March 25, 2015—Bit9® + Carbon Black®, the leader in endpoint threat prevention, detection and response, today announced the results of its “Windows Server 2003 (WS2K3) End-of-Life Survey,” which found that many companies have yet to migrate away from the server platform and remain woefully unprepared for the end of support from Microsoft.

An estimated 2.7 million servers—potentially containing hundreds of millions of files—will be unprotected after July 14, 2015, the end-of-life deadline, according to the survey Bit9 + Carbon Black conducted in February 2015.. Key findings from the survey—of IT leaders at 500 medium and large enterprises in the U.S. and U.K. with at least 500 employees--include:

-          Nearly one in three enterprises (30 percent) plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected

-          More than half of enterprises (57 percent) do not know when the end of life deadline is

-          14 percent of enterprises do not yet have an upgrade plan for WS2K3

Click here to download the survey report

Servers, including domain controllers and Web servers, are where most organizations’ critical information resides. So if organizations continue to run Windows Server 2003 without implementing appropriate compensating controls—such as application whitelisting—they will put customer records, trade secrets, and other highly valuable data at risk. Cyber criminals, hacktivists and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines and loss of customer trust.

“The Windows Server 2003 end-of-life deadline must not be taken lightly,” said Chris Strand, PCIP, senior director of compliance and governance for Bit9 + Carbon Black. “But based on the results of this survey, it appears that too many organizations are doing just that. With only about 100 days left until the end-of-life deadline, organizations yet to upgrade must immediately aim to get their WS2K3 systems into a compliant state to eliminate financial, and potential legal, penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance.”

With the critical role servers play at any enterprise, WS2K3 end of life presents an even greater risk than last year’s Windows XP end of life. Continued operation of unsecured WS2K3 systems can leave organizations exposed to “zero-day forever scenarios”—where new zero-day vulnerabilities are discovered and exploited by attackers and no publically available patch will ever be provided.

The results indicate that many IT managers are completely unprepared to meet the deadline, leaving their organizations scrambling to find compensating controls or risk being vulnerable to cyber attacks. The risks of running an operating system that can’t be patched are vast, including:

·         Breach and data compromise: since malware authors can get access to highly confidential information such as critical research and development plans, core business databases, consumer credit card/financial data or patient information.

·         Financial penalties: organizations can be fined for failure to pass compliance audits by being in a noncompliant state.

·         Loss of privileges: an organization can lose the right to process major credit card transactions and access to business-critical data.

·         Damage to corporate brand: often the most devastating consequence and can be difficult to remediate. According to the Nation Cyber Security Alliance, 60 percent of small and medium businesses that suffer a breach go out of business within six months.

 

What Organizations Can Do
For enterprises looking to address Windows Server 2003 end of life without upgrading, compensating controls should be considered to keep their systems secure and compliant after Microsoft support ends. Effective compensating controls for organizations without an upgrade plan include: network isolation, application whitelisting, and continuous server monitoring. The report explains each type of control.

Originally launched in 2003, Windows Server 2003 and its 2005 update, Windows Server 2003 R2, are relied upon by thousands of organizations for critical production workloads. There are approximately 9 million WS2K3 systems still in use.

About Bit9 + Carbon Black
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7753
PUBLISHED: 2020-10-27
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) [DNP] via trim().
CVE-2020-27182
PUBLISHED: 2020-10-27
Multiple cross-site scripting (XSS) vulnerabilities in konzept-ix publiXone before 2020.015 allow remote attackers to inject arbitrary JavaScript or HTML via appletError.jsp, job_jacket_detail.jsp, ixedit/editor_component.jsp, or the login form.
CVE-2020-27183
PUBLISHED: 2020-10-27
A RemoteFunctions endpoint with missing access control in konzept-ix publiXone before 2020.015 allows attackers to disclose sensitive user information, send arbitrary e-mails, escalate the privileges of arbitrary user accounts, and have unspecified other impact.
CVE-2020-8956
PUBLISHED: 2020-10-27
Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9.1R4 on Windows reveals users' passwords if Save Settings is enabled.
CVE-2020-15352
PUBLISHED: 2020-10-27
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.