Originally published on June 2, 2000 and brought to you today as a time capsule.
In an effort to help thwart attacks by the Internet’s equivalent of petty thieves, the Systems Administration, Networking and Security Institute (SANS) has published a “Top 10 List” of the most popular ways hackers gain illegal access to network servers and computer systems.
The SANS list accounts for “probably 70 percent of the attacks occurring on the Internet,” said the institute’s director of research, Alan Paller. “As soon as the first large organization has fixed the first 10, we will release the next 10.”
On the Rise
Hackers cost U.S. corporations US$266 million last year, double the losses suffered during the previous three years. Cybercrimes being investigated by the U.S. Federal Bureau of Investigation (FBI) have more than doubled in the past year. The number of reported incidents in the private sector has soared from 3,700 in 1998 to 8,300 in 1999, according to a recent report by the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, Pennsylvania.
Ninety percent of those who responded to a CERT survey, mostly large corporations and government agencies, indicated some form of security breach last year and 70 percent reported serious breaches, such as financial fraud, denial-of-service attacks and data theft.
In response to security concerns, President Clinton convened an Internet security summit earlier this year after several incidents adversely affected some of the Internet’s most popular sites.
The SANS report found that most hackers gain access through a limited number of methods. “A few software vulnerabilities account for the majority of successful attacks because hackers are opportunistic — taking the easiest and most convenient route,” the report said. “They count on organizations not fixing the problem and they often attack indiscriminately by scanning the Internet for vulnerable systems.”
While most of the SANS cyber-loopholes are already known to system administrators, the list shows them which security concerns should be made a priority.
According to the report, the biggest security problems were found with the Berkeley Internet Name Domain service, a system used to tie domain names to a numerical Internet addresses. The popular resource was found to have vulnerabilities in about half its installations.
The “common gateway interface,” known as CGI scripts, ranked second on the list of security concerns. CGI scripts are designed to add interactivity to a Web site. Third on the list is the use of “remote procedure calls,” a technique that enables one computer to carry out programs on another. Hackers used this flaw to tap into hundreds of U.S. military servers.
Other problems making the dubious list involve security flaws in e-mail servers, Microsoft’s Internet Explorer Web software and the frequent use of easy to break passwords.
The institute developed its report after consulting with almost 50 Internet security experts from a variety of government and private agencies. SANS officials admit, however, that it is far from a complete list. One recent survey by a British firm revealed that as many as 60 new computer vulnerabilities are found every month.
“The list could ultimately prove to be an important economic factor for e-commerce,” said Paller. “The insurance industry may use this list as a foundation for whether the company can be insured.”