[ad]
It’s that time of the year, our annual christmas present – the Sans Top 20 Vulnerabilities for 2007.
The SANS Top 2007 list is not “cumulative.” We include only critical vulnerabilities from the past year or so. If you have not patched your systems for long time, it would be wise to patch the vulnerabilities listed in the Top 20 2006 list as well as those in the prior lists. At the end of this document, you will find a short FAQ (list of frequently asked questions) that answers questions you may have about the project and the way the list is created.
This year’s list of top risks diverges from lists in past years that focused on very specific technical vulnerabilities that could be fixed by tweaking a configuration or applying one patch. Because attackers are moving so quickly today, such point-fixes are outdated almost immediately. For that reason, this year’s list of top risks focuses more on the areas that attackers are targeting and where organizations need to enhance their security processes to ensure consistent application of technical fixes.
Read the full list here:
Pantagruel says
As usual a superb listing of the top 20 vuln’s your average jane/joe runs into or becomes a victim of.
It’s no suprise that , on the clientside of things, Webbrowsers are number 1. Both IE and FF keep on attracting a big crowd.
SANS does a good job at providing in depth info and advice.
You have got to love the people at SANS
net2004eng says
Indeed a great list, although there seems to be some contention regarding this! I recently read the article, SANS Top 20 still useful” by Bill Brenner at: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1284655,00.html”
In my personal opinion, I haven’t seen signs of any of the attack vectors changing, and still find the list very useful, and relevant. If any others have read this article, I’d be interested in your opinions!
Pantagruel says
@ net2004eng, thanks for the link to the article.
The article has a point that a mere listing will not raise security awarness. Still this listing will make the concept of ‘a threat’ more accessible to middle management and the more advanced user.
The only real way to enhance security and awareness for possible future vuln’s is through training your personal (all layers involved), this is most likely the best patch for human ignorance or stupidity.
The fact that most training will be done post factum (after a breach of security) is also mentioned, this is a common mechanism. We recently changed our locks/etc after a flawed break-in attempt, it all boils down to risk assessment (we got lucky, our neighbors didn’t), this in it’s turn depends on knowledge. Concerning computer security this is no different, we always end up plugging holes shortly before or shorty after suffering a breach. Being paranoid about your servers security pays off even though this will mean providing restricted services.
net2004eng says
Man….had a few paragraphs typed, and lost it…oh well…
Nice reply!
I agree the listing will not provide any security aweareness in itself, but if security practioners like you and I can use the list to educate upper management, or as a tool to help in making people more aware, it has served its purpose. I also agree with the statement that most training does in fact take place “post factum”. It is unfortunate that this is what it takes on many occasions in order to get people to open their eyes to a problem. Also, when there is this lack of knowledge on management’s part, ‘security’ will be looked upon as just being another buzz word – and then you have a hard time getting buy in – until a problem takes place.
I have a friend who manages a small network, for a rather small local business. We were talking about web security, so it led me to ask him about the companies web servers. He told me, “Oh, we don’t worry about the web servers, they are managed offsite by another company!” After talking more about it, I was shocked to find out that they have never done any vulnerabilty testing or fuzzing on the boxes after they were installed – but put total trust in the hosting site for securing the servers, but without any validation that they performed their due diligence in securing the servers in a proper manner. I’m not aware if they receive some type of update regarding patch levels and such, but to have total confidence in something like this made me think about why much of our current web security landscape is the way it is. Unless the web site is defaced, and they found out about it, or some type of malicious attack of that nature had taken place, they wouldn’t even necessarily be aware of it. The whole perspective from the IT team is that since they don’t manage it, they don’t have to worry about it. I am sure if the security manager knew of this, the view on it would be different, but this is one of those instances where ignorance is bliss (or maybe not) and until something happens, nothing will change – and there are a number of different excuses someone can come up with as to why the landscape in this company is the way it is.
Got off topic there a bit, but all of this makes you think about what other problems ‘lack of security awareness’ can lead to!
Pantagruel says
@ net2004eng
Sounds familiar, some people think that, along with outsourcing software development, they are outsourcing their needs for a tight security. They expect their outsourcing partner/solution provider to take their safety needs into account without really mentioning their safety needs or restricitons leaving them oblivious. This will usually lead to problems and the one party pointing to the other (and vice versa). The problem is you will still be the one suffering the breach and not the actually writer/manufacturer of the software/package.
Their are several courses regarding safe programming (in neary all flavours available) but outsourcing seems to be a synonym for cutting costs and these secure programming courses don’t come cheap.
In the end a qualified and well maintained individual will earn you his money or atleast can safe you from embarrassing data exposure.
net2004eng says
@Pantagruel
Yeah, in some of the places I have done consulting for I’ve seen some of the offshore/outsourced companies have full access to the network via frame or mpls links that drop internally into the core. No authentication, no firewalls, nothing… In effect they are an extension of the company and this potentially can lead to a ton of problems -for one it is nothing I would wan to have to deal with on a daily basis, unless I was looking to develop a cornary very soon!
There seems to be a much bigger push recently regarding secure programming – as there should be. I know when I was taking various programming classes in college, I was never introduced to ‘secure’ methods to prevent buffer overflows and such. Nothing that stood out from what I can remember for sure! Your right though, the cost of these classes is high, and from what I can tell, many programmers are again, not knowledgable that these types of classes exist – like SANS Secure Programming courses and such – unless they have always been in security in some way or another.
Goodpeople says
@Pantagruel and @net2004eng
This is becoming a very depressing read. There will always be people who don’t realize that companies that offer co-location services, only offer co-location services. And we all know that outsourcing leads to bigger problems.
On the bright side however: people are beginning to realize that security isn’t something for the security professionals alone. Where people used to point fingers at the system or network administrators, they are (slowly) adopting the idea that security is evrybody’s business.
Also in education. In the past security was thought of as a problem that should be addressed at a higher level of education and lots of topics were conveniently forgotten. But now more and more schools that teach at an intermediate level are beginning to realize that scurity is their responsibility too.
The school I work for is now beginning to teach application developers about buffer overflows etc. Network administrators about monitoring and mapping and dos attacks, system administrators about patch procedures and even secretaries about social engineering techniques.
The beginning is here. We still have a long way to go, but very journey… [bla. bla, bla]
Nobody_Holme says
My high school mentioned security in the general GCSE IT course… i remember that… If schools in rural wales can think about it, anyone can.
(also, ARGH! i’m getting at least 50% of these rejected by the checker.. and i’m really not THAT bad at maths. thank god for the clipboard)
goodpeople says
@nobody_holme,
I actually write my comments in notepad these days and post by cuttin’ and pasting.
Nobody_Holme says
I’m too lazy to open notepad for short things like this though… and ctrl A ctrl C is easier.
net2004eng says
@Nobody_Holme
I am quite amazed at the programs that are available for high school students now-a-days. I remember BASIC being available in classes I had attended, but nothing networking or security related for sure. Cisco has their Network Academy available for high school students, which is a great thing for the young kids and Cisco!
goodpeople says
I don’t teach at a High school. What comes between high school and university?
net2004eng says
@goodpeople
I suppose that would be secondary school?
Not sure who you were directing that at – my comment was intended for Nobody_Holme
goodpeople says
@net2004eng, I wasn’t asking anyone in particular.
Either way, the school I work for is also has Cisco Acadamy status. I think the Cisco materials are a bit too narrow minded tho…
net2004eng says
@goodpeople
While I’m not too familiar with the content of Cisco Academy courseware, I do know of people working at Cisco due to their completion of the program…not to say these are some of the best engineers I have worked with at Cisco either, but it does allow for people to get their foot in the door, and Cisco can hire these people for much cheaper than a full fledged Cisco Network Specialist for sure…
Sir Henry says
What I find to be interesting is that root kits were all the talk a while back, but they seem to have since been overlooked in the media surrounding overall security. Perhaps I am just not keeping my ear to the rail enough, though. I guess I have always looked at root kits as particularly nefarious and unsettling in nature and wonder why there is not more talk of them. Any ideas?
goodpeople says
@net2004eng
Of course it is smart for Cisco to have an Acadamy program. The more network admins know about cisco stuff, the more cisco will sell. Same goes for Microsoft. If people can get MCP certificates in school, they are more likely to continue on the Microsoft path.
The school I work for is Cisco Acadamy, Microsoft Acadamy and EcCouncil Acadamy. I just recently stopped our efforts to become a LPI Acadamy.
It is also very interesting for schools to have vendor certification programs for students. The more certificates the students can get while at school, the more students the school will get.
Sir Henry says
@goodpeople:
What level is this school? Post-university? University?
Just wondering as I do not recall many cert courses while I was in uni, but I am sure that has changed since.
Is the school specifically based on attaining certs in a specific arena of tech or is it an added bonus to the teaching? If the former, how long do these courses take to complete?
goodpeople says
Sir Henry, it’s between highschool and university. In the Netherlands we call it MBO (Middelbaar Beroeps Onderwijs).
Sir Henry says
I think in norway the equivalent is folkehoygskole. I went to one there, but not for tech. It is a really cool idea to have a school like that, though. I did go to a tech school of sorts after uni, but it was rather quick and they tried to cram so much in that you ultimately felt as though you were only scratching the surface in a lot of technologies. Then again, when it comes to tech, it is easy to want to learn it all, thus scratching the surface of many things.
With this school, do the students have opportunities for placement when they are done? Anything facilitated through the school?
eM3rC says
Great post. Like some of the posters above me said, a lot of the basic things the average user can be infected by.
Happy new year everyone!