SANS Updates Its Annual Top 20 List

In the past, the SANS Institute published an annual list, Top 10 Vulnerabilities, that outlined the most serious vulnerabilities facing system administrators on a variety of platforms. The list was later expanded to the top 20 vulnerabilities. This year, SANS has changed the name of its list to the SANS Top-20 Internet Security Attack Targets.

The list is divided into four categories--OSs, cross-platform applications, network devices, and security policy and personnel--along with a special section that discusses zero-day attacks. The OS category is almost entirely devoted to Windows. Areas that need special attention on Windows platforms include Internet Explorer (IE), Windows libraries (DLLs), services, overall system configuration, and Office.

The cross-platform applications category is broad and includes common targets of attack such as Web applications, database software, P2P and IM applications, media players, DNS servers, backup software, and various types of management servers.

As history shows, new targets of attack typically include emerging technologies, which are usually less mature and thus prone to include exploitable bugs. VoIP technology is a case in point. SANS points out that both VoIP servers and phones have become major targets, with no fewer than four vulnerabilities reported in the hugely popular Asterisk VoIP server platform, two vulnerabilities in Cisco Call Manager, and at least seven vulnerabilities in VoIP phones.

Two long-standing information security problems have been the existence of excessive user rights and the use of unauthorized devices. Both these problems could be related to insufficient or nonexistent security policies. Such problems could give rise to situations in which users inadvertently open security holes into a network or introduce malware. The problem could also lead to the exposure or theft of sensitive company information.

Phishing is of course a major problem and makes end users a major point of attack. Phishing attacks, like other forms of social engineering, are designed to glean sensitive information from unsuspecting users. Attacks can be very sophisticated and highly tailored and targeted.

Last, but certainly not least, are the ever-present zero-day exploits that have plagued security administrators since computers came into mainstream use. Although historically, most zero-day attacks have targeted Windows platforms, other OSs aren't immune. The SANS list points to Windows and Apple OS X as the current major points of attack. However, zero-day exploits have also turned into attacks against various Linux platforms, Wi-Fi devices and their drivers, and other commonly used technologies. In fact, the Kernel Fun blog is currently hosting a "month of kernel bugs" that affect various platforms, including BSD and Linux. In some cases, no patch is available for the bugs posted, which of course puts millions of users and many businesses at serious risk. How fun is that?

http://kernelfun.blogspot.com/index.html

The SANS Top-20 Internet Security Attack Targets report is a good resource for security administrators to use as a means to gain insight into what others see as the most serious attack vectors. The report is free at the SANS Web site in HTML or PDF format, and administrators would do well to carefully review the report to make sure that they've got all their bases covered.

http://www.sans.org/top20