The SANS top 20 flaws

By on

This year's vulnerability report from security organisation the SANS Institute finds a marked shift in focus for hacker activity. In the past, servers were their main targets, but the latest figures show them turning their attention to back-up systems and even networking devices.

To deal with the changing threats, SANS has added cross-platform applications and networking products to its existing Windows and UNIX categories. Another change to the list is that it now comprises only vulnerabilities found in the past 18 months.

"If you have not patched your systems for a while, it is highly recommended that you first patch the vulnerabilities listed in the Top-20 2004 list," advises the new report.

Compiled from sources such as the UK's NISCC, US-CERT and Canada's Cyber Incident Response Centre, the list includes vulnerabilities found in backup software as well as those recently found in networking products, such as routers. Most of the flaws allow a hacker to either launch a DoS attack on a system or gain remote access to it. It even includes flaws found in AV, firewalls and VPNs.

Experts disagree whether the shift to other applications and hardware indicates a new strategy by hackers.

"This is not really a shift of tactics or focus by hackers, but something new to be exploited and tried," said Mark Hanvey, chief security officer at Cable & Wireless.

"The advances Microsoft has made in security in no way reduce the threat from the hacking community."

Alan Paller, director of research as SANS, said the threat had shifted, but users have remained unaware. He called for the vendors to take more responsibility for the quality of their products.

He said the vendors had a policy of "blame the user", but added this was changing as more big US government organisations use their procurement clout to ensure systems are built securely.

The US Air Force, for example, shaved around $100 million off its expenditure with Microsoft by insisting that the company provided a secure standard configuration.

Others are stipulating that software vendors guarantee they are free of the SANS Top 20 vulnerabilities as part of their purchase agreement.

"We are shifting the responsibility to the vendors in order to produce well-behaved applications," said Paller.

www.sans.org/top20

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?