SQL Server 2008/R2 Extended Support Has Ended – Are You Really at Risk?
On July 9, 2019, support for SQL Server 2008 and 2008 R2 ended. That means that Microsoft will no longer release security updates for any version of SQL Server 2008. Let me repeat that, that means THE END OF REGULAR SECURITY UPDATES as of July 9th. Do you know if your organization is free from threat?
No problem, your IT team, security team, and development team are always on top of support deadlines and security, right?
I have found in my discussions with IT, security and development teams that the answer is more like “kind of” or “maybe.” I became concerned for the security of some organizations after having conversations with IT teams over the past six months and finding out that many have not upgraded or migrated to a supported version of SQL Server. I asked our Security and Compliance Director, Ed Higgins, to address some of my concerns through a short interview. I had three main questions:
What are the new risks now that extended support for SQL Server 2008/R2 has ended?
Higgins explained that the end of regular security updates is the beginning of bad actors finding ways to exploit unsupported software. There is no telling what vulnerability they may find, or whether it will be in SQL Server itself or in the custom software that has access to the SQL Server. He also explained that attack code might identify weaknesses that exist in older pieces of software, thereby putting your company at risk.
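The first step in answering the question above is knowing which instances are still on 2008 or 2008 R2. The following T-SQL inventory check is an added example and is not from the original post or from Catapult; it reads the instance's own product version (SQL Server 2008 reports major version 10.0 and 2008 R2 reports 10.50) and flags any major version of 10 or lower as no longer receiving security updates. Run it against each instance you know about; the output column names are my own choice.

```sql
-- Added example (not from the original post): run on each SQL Server instance to
-- report its version and flag builds that no longer receive security updates.
-- SERVERPROPERTY('ProductVersion') returns a string such as '10.50.6000.34';
-- PARSENAME(..., 4) extracts the leading major-version number.
DECLARE @ProductVersion nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @Major int = CAST(PARSENAME(@ProductVersion, 4) AS int);

SELECT
    @@SERVERNAME                                         AS ServerName,
    @ProductVersion                                      AS ProductVersion,
    CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(32))  AS ServicePackLevel,  -- e.g. RTM, SP3
    CAST(SERVERPROPERTY('Edition') AS nvarchar(128))      AS Edition,
    CASE
        WHEN @Major < 10 THEN 'Older than SQL Server 2008 - OUT OF SUPPORT, no security updates'
        WHEN @Major = 10 THEN 'SQL Server 2008 / 2008 R2 - OUT OF SUPPORT since July 9, 2019'
        WHEN @Major = 11 THEN 'SQL Server 2012'
        WHEN @Major = 12 THEN 'SQL Server 2014'
        WHEN @Major = 13 THEN 'SQL Server 2016'
        WHEN @Major = 14 THEN 'SQL Server 2017'
        WHEN @Major = 15 THEN 'SQL Server 2019'
        ELSE 'Newer than SQL Server 2019'
    END                                                  AS SupportStatus,
    -- 1 = needs an upgrade or migration plan, 0 = on a version this post does not flag
    CASE WHEN @Major <= 10 THEN 1 ELSE 0 END             AS NeedsUpgrade;
```

Collect the results from every instance into one list; the NeedsUpgrade column gives the set of servers to prioritize for migration, and any instance that is not on the list at all is exactly the “shadow IT” problem Higgins raises later in the interview.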
Are on-prem databases also at risk and why?
They are. Ensuring an application is not open to external resources is, unfortunately, not a safety net. Bad actors look for ways into an organization through methods like Phishing. Once they find their way into a network, they can compromise an on-prem database and other data on your network, explained Higgins.
When I asked Higgins this next question, I was thinking of SaaS solutions like third-party marketing systems that are managed and maintained outside of an organization and often contain corporate contacts, but Higgins reminded me that there is also a large number of HR and Payroll services that contain even more confidential information.
Can SaaS solutions be a risk to organizations?
Higgins would assume third-party companies are vigilant, but low-cost solutions may mean low-level support as well. Many employees use systems like Gmail and Dropbox to circumvent what they see as bottlenecks in their environment. These workarounds can put an organization at risk. Lastly, if your third-party vendor has not upgraded to a supported version of SQL Server, you may unknowingly be at risk too. “Shadow IT” may be riskier at times because IT has no knowledge that this is happening unless you have the tools to discover it. We, at Catapult, implement those tools to help identify where “shadow IT” is happening within the organization.
Listen to our discussion for more details and explanation.