As you may have noticed this week, if you own a Windows 2003 Server it is still working even after Microsoft announced that they are no longer supporting the aging operating system. Everything is probably still running smoothly: All of your antivirus scans are finding nothing, the server feels as fast as the day you bought it, and you feel safe behind your Unified Threat Management device.
But do not be fooled or let your guard down. This is only the calm before the storm. A security breach is something that no one ever sees coming. Business owners are almost always caught off guard, often when they are asleep at night in their warm bed. It has been said that business never stops. But neither do attacks!
If you picture a data breach as the work of one person in a hoodie, sitting behind a computer in a dimly lit room somewhere else in the world and staying up late at night finding ways to pry into your network and extract your data, this is not always the case. Data breaches are a business now, and businesses have to be efficient. Attackers automate as much of the attack as possible with software.
The majority of attacks, even the ones you hear about in the news, involve someone within the company compromising their own network. They click a link in an email, download a free piece of software from an untrusted website, visit a compromised website with scripting enabled, or, yes, open an attachment from an unknown sender. Those are just some of the ways a network is opened from the inside. All of those scenarios involve some form of software infecting a local computer on the network.
At this point you are probably thinking, “Why does this matter? You’re not talking about a server. You’re talking about a workstation. My data lives on my server now.”
All it takes is for one computer to become compromised to allow an attacker to gain a foothold into your network. That foothold allows them to scan the network for any vulnerabilities. In their network scan they will find your Windows 2003 Server on the network, have prior knowledge of its unpatched vulnerabilities, and easily attack it. They then have all of your data and own your network.
As time goes on, Server 2003 installations will become a much larger target. Since attackers know that Microsoft will not patch any new vulnerabilities, they will be actively looking for these systems, hoping their victims have one stashed in their back closet. Many versions of Windows share the same code base, so as vulnerabilities are patched in newer versions of Windows, attackers will know that older, unpatched versions of Windows will still be vulnerable and will seek them out.
Outside of being more vulnerable, there are other good reasons to upgrade to a newer version of Windows Server. There is a good chance the hardware that the server has been running on has never been upgraded, and that means it is behind the curve as well. It is probably struggling to keep up with the faster, more up-to-date workstations you have purchased since. Upgrading Windows Server is a good time to upgrade to new hardware as well.
Most companies replace their workstations and servers every four to five years. This is because aging systems often have high, hidden costs associated with keeping them beyond that point. Companies such as ourselves spend much more time supporting a five-year-old server than one much newer. Plus, it takes longer for your staff to complete a task relying on that equipment!
We also need to discuss compliance. Certain industries have technological standards that are meant to keep an industry and its consumers protected. As one example, PCI DSS Requirement 6.2 says, “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.” Now that Microsoft will no longer release security patches (or any other form of patches) for Server 2003, any regulated business with a Server 2003 system on its network will drop out of compliance, which could result in fines and penalties. We spend a lot of time educating our customers on compliance, which regulations apply to them, and how to become compliant. We are your eyes and ears in this respect, so use us!
We can help keep you compliant and up-to-date. We have many options, from cloud-based solutions to new server installation. Migrating to a new system does not have to “break the bank”! We actively research new technologies so we can tailor solutions to your specific industry and determine which are most efficient and economical for your situation.
You can reach us anytime for more information at firstname.lastname@example.org. But don’t wait too long!