The SANS top 20 flaws

By

This year's vulnerability report from security organisation the SANS Institute finds a marked shift in focus for hacker activity. In the past, servers were their main targets, but the latest figures show them turning their attention to back-up systems and even networking devices.


To deal with the changing threats, SANS has added cross-platform applications and networking products to its existing Windows and UNIX categories. Another change to the list is that it now comprises only vulnerabilities found in the past 18 months.

"If you have not patched your systems for a while, it is highly recommended that you first patch the vulnerabilities listed in the Top-20 2004 list," advises the new report.

Compiled from sources such as the UK's NISCC, US-CERT and Canada's Cyber Incident Response Centre, the list includes vulnerabilities found in backup software as well as those recently found in networking products, such as routers. Most of the flaws allow a hacker to either launch a DoS attack on a system or gain remote access to it. It even includes flaws found in AV, firewalls and VPNs.

Experts disagree whether the shift to other applications and hardware indicates a new strategy by hackers.

"This is not really a shift of tactics or focus by hackers, but something new to be exploited and tried," said Mark Hanvey, chief security officer at Cable & Wireless.

"The advances Microsoft has made in security in no way reduce the threat from the hacking community."

Alan Paller, director of research as SANS, said the threat had shifted, but users have remained unaware. He called for the vendors to take more responsibility for the quality of their products.

He said the vendors had a policy of "blame the user", but added this was changing as more big US government organisations use their procurement clout to ensure systems are built securely.

The US Air Force, for example, shaved around $100 million off its expenditure with Microsoft by insisting that the company provided a secure standard configuration.

Others are stipulating that software vendors guarantee they are free of the SANS Top 20 vulnerabilities as part of their purchase agreement.

"We are shifting the responsibility to the vendors in order to produce well-behaved applications," said Paller.

www.sans.org/top20

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
flawssanssecuritythetop

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?