About 2 weeks ago I had an in-depth conversation with a client after performing a low-intensity penetration test. We offer a low-cost penetration test option that we call a “Validate” level engagement. Basically, a Validate level test involves an automated vulnerability scan followed by a quick manual testing effort to confirm that the reported vulnerabilities actually exist and to make recommendations on how to better secure the network. At this level of testing, every effort is made to ensure there are no negative effects from testing, and we do not write custom exploit code, etc. (think Fiat vs. Ferrari).
Several Windows Server 2003 hosts were discovered while scanning his network, but they only allowed connections to the web server. The problem is that Windows Server 2003 reached its end of life on July 14th, 2015. Running an obsolete (End of Life) operating system is considered a critical vulnerability because newly discovered vulnerabilities are neither announced nor patched, leaving the host permanently exposed. We marked it as such, made a recommendation to upgrade or decommission the server, and moved on.
When we reviewed the reports with the client, he was argumentative regarding our statements about the problem with running an obsolete operating system. In the client’s mind, if it’s a critical risk, anyone should be able to exploit the server in no time with ease. We explained to the client again that, in general, once an operating system reaches its End of Life, no announcements are made regarding any vulnerabilities discovered in it. Just because we don’t have known, clean, and working exploit code for a given situation doesn’t mean that nobody does. (A “clean exploit” is one that has been proven not to contain additional malicious add-ons that could infect the system it runs on.)
I went on to roughly explain the world exploit market and how vulnerabilities and exploits are announced, traded, and sold. In brief, there are two classes of security researchers; let’s call them good guys and bad guys. The good guys want to make the world a safer place. When they find a vulnerability, they tell the vendor and work with them to make sure the vendor understands how they got in. The bad guys sell that information for money. For example, Brian Krebs (Krebs on Security) highlighted this fact in an article from mid-May where an exploit that works on all versions of Windows from Windows 2000 up to Windows 10 was for sale for $90,000. (http://krebsonsecurity.com/?p=34936)
The client started to understand that a critical vulnerability doesn’t equate to instant exploitation, and that End of Life systems leave a permanent opening for an attacker to leverage. It really hit home when I made an analogy with his home. I asked him to imagine that when his house was built, it used strong door locks from the ACME lock company. However, last year ACME Lock Company closed their doors, meaning that if he needed parts or wanted to change his locks, they couldn’t help him, nor would they let him know about any problems they knew about. The client told me at this point, “But they’re still good working locks. Why should I change them?” I replied by asking two questions of my own: “Who has the master key and how many are there?” and “Is the master key for sale?”. He answered, “I wouldn’t know”. I then asked, “Does Windows Server 2003 have a key for sale?”. He finally understood the potential ramifications of “I don’t know”.
From that point forward we had a great conversation regarding securing his network and the next steps. The client came away with a deeper understanding of why obsolete operating systems are worse than he originally thought, and that no news is not always good news.