Risk of running unsupported server version 1

[goombawaho]

I was wondering how to explain to a customer the real world risk of running Server 2012 Essentials now that extended support has expired. It's behind a firewall (just an Asus home router!!) and it's not exposed to the internet on any port. So, I was wondering how to explain the risk if some people say it's like soaking yourself with gasoline and lighting a match and others say no big deal. The real truth is somewhere in between. I don't want to be an alarmist and I don't want to sugarcoat it either.

 

[Rick998]

IMO it's the customer's decision whether to run it and your decision whether to support it in view of any issues you believe it's at risk of.

Hope this helps...

 

[spamjim]

While it may not be exposed on the internet, its local connection to other computers could invite exploit. How trustworthy are those other systems? Can ransomware spread from those other systems?

 

[goombawaho]

All other PCs are Windows 10 but have no third party anti-virus installed. The previous owner of the company didn't believe in anti-virus and probably wouldn't worry about the server being out of support. The new owner MAY care but he's trying to get everything in order and has limited time and budget. I'm just trying to frame it to him in a realistic and non-alarmist way.

I could support him doing nothing and then if he gets hacked I suppose he could sue me. Thus the email to him about the situation that needs to be sent.

 

[mintjulep]

A simple form of formal risk assessment looks as probability and consequence.

It's hard to quantify the absolute probability of an attack. Easier to discuss the relative probabilities of a supported vs unsupported OS.

You can get the owner to list the consequences. What happens to the business if the data on this server disappears for a day, or a week, or forever?

If you lead him through a risk assessment then you'll have done your job and have a record of it.

 

[goombawaho]

Well, the data is not going to be lost. We have cloud backup. It would be an inconvenience and scrambling around to reload a server if it got infected or corrupted. Plus it could spread to other internal machines causing a generalized cluster.

I would say that on a daily or weekly basis, normal hardware failure would be more likely than malware or hacking for a server that was put into service in 2016 even though we have RAID. Power supplies only last so long, etc.

Thanks for the responses. I guess there is no formula to compute or communicate risk.

 

[pmonett]

We have cloud backup"

Personally, I would prefer having another backup somewhere physical I control.
Someone else's server is not a reliable guarantee.

I've got nothing to hide, and I demand that you justify what right you have to ask.

 

[goombawaho]

PERSONALLY, I do have multiple physical backups under my control as well as cloud backup. I would doubt that any other physical location is safer than a professional cloud backup solution. It is certainly preferable to keeping a month old backup on an external drive stored in the owner's shed. With versioning, you get protection from crypto-malware. Have you ever heard of an online backup solution being hacked? I have not.

I suppose it's like putting money in a bank. It COULD disappear, but I'm not as worried as if I put my money under my mattress. This is a side discussion though.

I have sent the customer notification of the situation and put it on his plate. I don't know how to give him a formal risk analysis, so that will just have to do.