It’s commonplace for the vulnerability scans I run at client sites to turn up servers running unsupported software like Windows Server 2003, SQL Server 2005 or Cisco’s IOS 15. Our scans flag this as a critical issue.
Often the client doesn’t know the software is out there and is glad to find out. But sometimes they ask, “Well, did you break into the box?” If the system has the latest patches in place and there are no known exploits creating a clear-and-present danger, they don’t see it as a problem.
As a former sysadmin, I get where they’re coming from. Maybe it’s an embedded system, or there are dependencies around legacy applications. Maybe an upgrade would be too disruptive to business operations, or overall too costly. Or just too much work for busy staff…
But as an InfoSec professional, I feel a sense of frustration anytime identified risks remain unassessed and unmitigated. Even if a system isn’t open to attack via known threats today, a new threat could arise at any time, and for unsupported software no vendor fix will follow, so the exposure is permanent rather than one patch cycle away. Attackers armed with exploits are quick to use automated scanning tools to search the internet for just such “sitting ducks.”
Another concern is that an unsupported system, even if it does not present a major vulnerability in its own right, can serve as the foothold from which attackers pivot to other systems on the network at their leisure. Compliance obligations in regulated industries are a further significant risk: many frameworks expect supported, patchable software, and an end-of-life system is an audit finding regardless of whether anyone has exploited it.
At a minimum, you need to assess the risk associated with each unsupported system on your network and decide whether that risk is acceptable. If some old server off in the corner that’s not connected to the web is running some legacy software that you can’t justify upgrading, then maybe that’s what we term an “acceptable risk.” But if the box is out on the web and runs code that accesses sensitive data, that’s probably another story.
What can you do to reduce the risk associated with unsupported software? Start by isolating the system in every possible way; e.g., put it on a separate network that is heavily firewalled. Or better yet, “air gap” it so it’s not network-connected at all. Tightly control access permissions to mitigate insider threats.
Two further options exist, though neither comes cheap. “Virtual patching” places an intrusion-prevention or web-application-firewall rule in front of the system to block known exploitation attempts without changing the software itself; it only covers the attacks the rules describe. Separately, Microsoft has offered paid “custom support agreements” that continue to deliver security updates for a product after its public end-of-life date. Both are stopgaps that buy time for a migration, not substitutes for one.
If you’re not sure whether unsupported systems lurk in your environment, the first step is to discover them with a network vulnerability assessment. From there, you need to assess what’s worth upgrading and what’s not. For expert help with both these issues, contact Pivot Point Security.
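The discovery step can be partly automated from a normal version-detection scan. The script below is an added example, not code from this post or from Pivot Point Security: it reads the XML that `nmap -sV -O -oX` writes, compares service banners and OS fingerprints against a small end-of-life table, and reports how long each hit has been unsupported. The scan output embedded in it is constructed for the example (it is not a real scan), and the two end-of-life dates are the vendors’ published end-of-extended-support dates; the table is an assumption you would extend for your own environment.

```python
"""Flag end-of-life software in nmap service/OS detection output.

Added example (not part of the original article). Run
``nmap -sV -O -oX scan.xml <range>`` and pass scan.xml to this script;
anything matching the EOL table is reported with its time past end of life.
"""
import re
import sys
import xml.etree.ElementTree as ET
from datetime import date

# Assumed end-of-life table for this example: (label, banner pattern, EOL date).
# Dates are the vendors' published end-of-extended-support dates.
EOL_PRODUCTS = [
    ("Windows Server 2003", re.compile(r"Windows (Server )?2003", re.I), date(2015, 7, 14)),
    ("SQL Server 2005", re.compile(r"SQL Server 2005", re.I), date(2016, 4, 12)),
]

# Constructed nmap XML (not a real scan): one legacy host and one current host,
# so the filter has something to flag and something to leave alone.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.5.0/24">
  <host>
    <address addr="10.0.5.17" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="open"/>
        <service name="ms-sql-s" product="Microsoft SQL Server 2005" version="9.00.5000"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 2003 microsoft-ds"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows Server 2003 SP2" accuracy="100"/>
    </os>
  </host>
  <host>
    <address addr="10.0.5.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def _evidence(host):
    """Yield (location, banner) pairs nmap attached to a host: the product and
    version string of each open port's service, plus any OS fingerprint match."""
    for port in host.iter("port"):
        svc = port.find("service")
        state = port.find("state")
        if svc is None or state is None or state.get("state") != "open":
            continue
        banner = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
        if banner:
            yield f"{port.get('protocol')}/{port.get('portid')}", banner
    for match in host.iter("osmatch"):
        yield "os", match.get("name", "")


def find_eol(xml_text, today=None):
    """Return a list of EOL findings (dicts) from nmap XML, most overdue first.

    ``today`` may be a date or an ISO date string; it defaults to the current date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for where, banner in _evidence(host):
            for product, pattern, eol in EOL_PRODUCTS:
                if pattern.search(banner):
                    findings.append({
                        "host": addr,
                        "where": where,
                        "product": product,
                        "banner": banner,
                        "eol": eol.isoformat(),
                        "days_unsupported": (today - eol).days,
                    })
    findings.sort(key=lambda f: (-f["days_unsupported"], f["host"], f["where"]))
    return findings


if __name__ == "__main__":
    # Read a real scan if a path is given; otherwise run on the constructed sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN_XML
    for f in find_eol(xml_text):
        print(f"{f['host']:15} {f['where']:10} {f['product']} "
              f"(EOL {f['eol']}, {f['days_unsupported']} days unsupported) - {f['banner']}")
```

Treat the output as a starting list, not an authoritative inventory: version detection depends on banners that can be absent, stripped or altered, OS fingerprinting is a best guess, and a host that is firewalled from the scanner or air-gapped never appears at all. Reconcile the results against an authenticated asset inventory before deciding which systems to upgrade, isolate or accept.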
For more information:
- Risks associated with end-of-life software
- Top 5 security risks with Windows Server 2003
- Symantec’s guide to options for protecting Windows Server 2003 systems after end-of-life