Darknet – Hacking Tools, Hacker News & Cyber Security


SANS Top 20 Vulnerabilities Published for 2007

December 7, 2007


It’s that time of the year again: our annual Christmas present, the SANS Top 20 Vulnerabilities for 2007.

The SANS Top 2007 list is not “cumulative.” We include only critical vulnerabilities from the past year or so. If you have not patched your systems for a long time, it would be wise to patch the vulnerabilities listed in the Top 20 2006 list as well as those in the prior lists. At the end of this document, you will find a short FAQ (list of frequently asked questions) that answers questions you may have about the project and the way the list is created.

This year’s list of top risks diverges from lists in past years that focused on very specific technical vulnerabilities that could be fixed by tweaking a configuration or applying one patch. Because attackers are moving so quickly today, such point-fixes are outdated almost immediately. For that reason, this year’s list of top risks focuses more on the areas that attackers are targeting and where organizations need to enhance their security processes to ensure consistent application of technical fixes.

Read the full list here:

SANS Top 20


Filed Under: Exploits/Vulnerabilities, Hacking News Tagged With: exploits, sans, vulnerabilities




Comments

  1. Pantagruel says

    December 7, 2007 at 1:58 pm

    As usual a superb listing of the top 20 vuln’s your average jane/joe runs into or becomes a victim of.

    It’s no surprise that, on the client side of things, web browsers are number 1. Both IE and FF keep on attracting a big crowd.
    SANS does a good job at providing in depth info and advice.

    You have got to love the people at SANS

  2. net2004eng says

    December 7, 2007 at 3:04 pm

    Indeed a great list, although there seems to be some contention regarding this! I recently read the article “SANS Top 20 still useful” by Bill Brenner at: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1284655,00.html

    In my personal opinion, I haven’t seen signs of any of the attack vectors changing, and still find the list very useful, and relevant. If any others have read this article, I’d be interested in your opinions!

  3. Pantagruel says

    December 7, 2007 at 5:20 pm

    @ net2004eng, thanks for the link to the article.

    The article has a point that a mere listing will not raise security awareness. Still this listing will make the concept of ‘a threat’ more accessible to middle management and the more advanced user.

    The only real way to enhance security and awareness for possible future vuln’s is through training your personnel (all layers involved); this is most likely the best patch for human ignorance or stupidity.
    The fact that most training will be done post factum (after a breach of security) is also mentioned; this is a common mechanism. We recently changed our locks/etc after a flawed break-in attempt. It all boils down to risk assessment (we got lucky, our neighbors didn’t), and this in its turn depends on knowledge. Concerning computer security this is no different: we always end up plugging holes shortly before or shortly after suffering a breach. Being paranoid about your server’s security pays off even though this will mean providing restricted services.

  4. net2004eng says

    December 7, 2007 at 7:33 pm

    Man….had a few paragraphs typed, and lost it…oh well…

    Nice reply!

    I agree the listing will not provide any security awareness in itself, but if security practitioners like you and I can use the list to educate upper management, or as a tool to help in making people more aware, it has served its purpose. I also agree with the statement that most training does in fact take place “post factum”. It is unfortunate that this is what it takes on many occasions in order to get people to open their eyes to a problem. Also, when there is this lack of knowledge on management’s part, ‘security’ will be looked upon as just being another buzz word – and then you have a hard time getting buy in – until a problem takes place.

    I have a friend who manages a small network, for a rather small local business. We were talking about web security, so it led me to ask him about the company’s web servers. He told me, “Oh, we don’t worry about the web servers, they are managed offsite by another company!” After talking more about it, I was shocked to find out that they have never done any vulnerability testing or fuzzing on the boxes after they were installed – but put total trust in the hosting site for securing the servers, without any validation that they performed their due diligence in securing the servers in a proper manner. I’m not aware if they receive some type of update regarding patch levels and such, but to have total confidence in something like this made me think about why much of our current web security landscape is the way it is. Unless the web site is defaced, and they found out about it, or some type of malicious attack of that nature had taken place, they wouldn’t even necessarily be aware of it. The whole perspective from the IT team is that since they don’t manage it, they don’t have to worry about it. I am sure if the security manager knew of this, the view on it would be different, but this is one of those instances where ignorance is bliss (or maybe not) and until something happens, nothing will change – and there are a number of different excuses someone can come up with as to why the landscape in this company is the way it is.

    Got off topic there a bit, but all of this makes you think about what other problems ‘lack of security awareness’ can lead to!

  5. Pantagruel says

    December 7, 2007 at 9:21 pm

    @ net2004eng

    Sounds familiar. Some people think that, along with outsourcing software development, they are outsourcing their needs for tight security. They expect their outsourcing partner/solution provider to take their safety needs into account without really mentioning their safety needs or restrictions, leaving them oblivious. This will usually lead to problems and the one party pointing to the other (and vice versa). The problem is you will still be the one suffering the breach and not the actual writer/manufacturer of the software/package.
    There are several courses regarding safe programming (in nearly all flavours available) but outsourcing seems to be a synonym for cutting costs and these secure programming courses don’t come cheap.
    In the end a qualified and well maintained individual will earn you his money or at least can save you from embarrassing data exposure.

  6. net2004eng says

    December 8, 2007 at 2:35 am

    @Pantagruel

    Yeah, in some of the places I have done consulting for I’ve seen some of the offshore/outsourced companies have full access to the network via frame or MPLS links that drop internally into the core. No authentication, no firewalls, nothing… In effect they are an extension of the company and this potentially can lead to a ton of problems – for one it is nothing I would want to have to deal with on a daily basis, unless I was looking to develop a coronary very soon!

    There seems to be a much bigger push recently regarding secure programming – as there should be. I know when I was taking various programming classes in college, I was never introduced to ‘secure’ methods to prevent buffer overflows and such. Nothing that stood out from what I can remember for sure! You’re right though, the cost of these classes is high, and from what I can tell, many programmers are again not knowledgeable that these types of classes exist – like SANS Secure Programming courses and such – unless they have always been in security in some way or another.

  7. Goodpeople says

    December 9, 2007 at 11:27 am

    @Pantagruel and @net2004eng

    This is becoming a very depressing read. There will always be people who don’t realize that companies that offer co-location services, only offer co-location services. And we all know that outsourcing leads to bigger problems.

    On the bright side however: people are beginning to realize that security isn’t something for the security professionals alone. Where people used to point fingers at the system or network administrators, they are (slowly) adopting the idea that security is everybody’s business.

    Also in education. In the past security was thought of as a problem that should be addressed at a higher level of education and lots of topics were conveniently forgotten. But now more and more schools that teach at an intermediate level are beginning to realize that security is their responsibility too.
    The school I work for is now beginning to teach application developers about buffer overflows etc. Network administrators about monitoring and mapping and dos attacks, system administrators about patch procedures and even secretaries about social engineering techniques.

    The beginning is here. We still have a long way to go, but very journey… [bla. bla, bla]

  8. Nobody_Holme says

    December 10, 2007 at 1:56 am

    My high school mentioned security in the general GCSE IT course… i remember that… If schools in rural wales can think about it, anyone can.

    (also, ARGH! i’m getting at least 50% of these rejected by the checker.. and i’m really not THAT bad at maths. thank god for the clipboard)

  9. goodpeople says

    December 10, 2007 at 2:32 pm

    @nobody_holme,

    I actually write my comments in notepad these days and post by cuttin’ and pasting.

  10. Nobody_Holme says

    December 10, 2007 at 4:38 pm

    I’m too lazy to open notepad for short things like this though… and ctrl A ctrl C is easier.

  11. net2004eng says

    December 10, 2007 at 5:00 pm

    @Nobody_Holme

    I am quite amazed at the programs that are available for high school students now-a-days. I remember BASIC being available in classes I had attended, but nothing networking or security related for sure. Cisco has their Network Academy available for high school students, which is a great thing for the young kids and Cisco!

  12. goodpeople says

    December 11, 2007 at 11:25 pm

    I don’t teach at a High school. What comes between high school and university?

  13. net2004eng says

    December 11, 2007 at 11:43 pm

    @goodpeople

    I suppose that would be secondary school?

    Not sure who you were directing that at – my comment was intended for Nobody_Holme

  14. goodpeople says

    December 12, 2007 at 10:39 am

    @net2004eng, I wasn’t asking anyone in particular.

    Either way, the school I work for also has Cisco Academy status. I think the Cisco materials are a bit too narrow minded tho…

  15. net2004eng says

    December 12, 2007 at 5:24 pm

    @goodpeople

    While I’m not too familiar with the content of Cisco Academy courseware, I do know of people working at Cisco due to their completion of the program…not to say these are some of the best engineers I have worked with at Cisco either, but it does allow for people to get their foot in the door, and Cisco can hire these people for much cheaper than a full fledged Cisco Network Specialist for sure…

  16. Sir Henry says

    December 14, 2007 at 5:21 pm

    What I find to be interesting is that root kits were all the talk a while back, but they seem to have since been overlooked in the media surrounding overall security. Perhaps I am just not keeping my ear to the rail enough, though. I guess I have always looked at root kits as particularly nefarious and unsettling in nature and wonder why there is not more talk of them. Any ideas?

  17. goodpeople says

    December 17, 2007 at 10:57 am

    @net2004eng

    Of course it is smart for Cisco to have an Academy program. The more network admins know about Cisco stuff, the more Cisco will sell. Same goes for Microsoft. If people can get MCP certificates in school, they are more likely to continue on the Microsoft path.

    The school I work for is a Cisco Academy, Microsoft Academy and EC-Council Academy. I just recently stopped our efforts to become an LPI Academy.

    It is also very interesting for schools to have vendor certification programs for students. The more certificates the students can get while at school, the more students the school will get.

  18. Sir Henry says

    December 17, 2007 at 11:06 am

    @goodpeople:

    What level is this school? Post-university? University?

    Just wondering as I do not recall many cert courses while I was in uni, but I am sure that has changed since.

    Is the school specifically based on attaining certs in a specific arena of tech or is it an added bonus to the teaching? If the former, how long do these courses take to complete?

  19. goodpeople says

    December 17, 2007 at 11:20 am

    Sir Henry, it’s between high school and university. In the Netherlands we call it MBO (Middelbaar Beroeps Onderwijs).

  20. Sir Henry says

    December 17, 2007 at 11:25 am

    I think in Norway the equivalent is folkehøgskole. I went to one there, but not for tech. It is a really cool idea to have a school like that, though. I did go to a tech school of sorts after uni, but it was rather quick and they tried to cram so much in that you ultimately felt as though you were only scratching the surface in a lot of technologies. Then again, when it comes to tech, it is easy to want to learn it all, thus scratching the surface of many things.

    With this school, do the students have opportunities for placement when they are done? Anything facilitated through the school?

  21. eM3rC says

    January 6, 2008 at 10:09 pm

    Great post. Like some of the posters above me said, a lot of the basic things the average user can be infected by.

    Happy new year everyone!
