In an effort to send a clear message through the noise of constant software security warnings, the SysAdmin Audit Network Security (SANS) research group has released its list of the year’s top 20 vulnerabilities.
The SANS institute — which divided vulnerabilities into two lists of 10 for Windows and 10 for Unix/Linux — put Microsoft’s IIS and SQL servers, Windows authentication, Internet Explorer and Windows Remote Access Services at the top of the Windows list.
For Unix and Linux, the list was headed by risks in BIND domain name system software, remote procedure calls, Apache Web server software, Unix authentication accounts with nonexistent or weak passwords, and clear text services.
The institute called the list — which highlights the vulnerabilities most commonly exploited by hackers — the definition of the “absolute minimum level of security protection” for networked computers.
Gartner vice president of research Richard Stiennon told TechNewsWorld that the vulnerabilities outlined by the SANS list are almost self-replicating in their persistence, leaving users scrambling to keep up with patches.
“All of those are devastating and have had devastating effects,” Stiennon said of the Windows vulnerabilities. “If any of those are exposed to the Internet, you’re down,” he added, referring to this year’s Slammer and Blaster worm outbreaks.
SANS director of research Alan Paller, describing the ongoing battle to shore up software and systems, told TechNewsWorld that he agrees system administrators are simply putting fingers in the dike rather than solving the problem.
“Vendors are going to continue putting out software with holes, and even if the operating system doesn’t have holes, the software above it will,” Paller said. “This is an unending quest — you wish you could fix it and do it and move on and live your life, but you can’t.”
Paller also remarked on the increased liability and exposure to companies caused by personal computers that enable file-sharing, which was ninth on the list of Windows vulnerabilities.
Holes New and Old
SANS did shuffle some Windows vulnerabilities, combining last year’s NETBIOS, anonymous login and remote registry access into a single category that includes the RPC vulnerability. SANS also folded the LAN manager issue and general Windows authentication issues into one listing.
Blending these vulnerabilities into single categories made room for new vulnerabilities that include Outlook and Outlook Express e-mail, peer-to-peer file-sharing and Simple Network Management Protocol (SNMP).
Stiennon, who blamed “widespread deployment of Microsoft systems in unsupervised environments” for the seemingly constant threats, said any one of the vulnerabilities would give complete control of a system to attackers.
Unix Openings Less Painful
While SANS also picked top Unix vulnerabilities, including widely used BIND domain name system software, Forrester research director Michael Rasmussen told TechNewsWorld that “90 percent of the heartache is on the Windows side.”
Rasmussen blamed the proliferation of Windows systems and the hackers’ focus on Microsoft systems, adding that Unix is easier to secure without breaking other software functionalities.
Stiennon added that Unix user protocol is more standard and that Unix users, who are typically more security-minded, are better at quickly addressing security gaps.
When SANS Speaks
Stiennon said the Top 20 list, now published for the fourth consecutive year, serves as a call to action for system administrators because the vulnerabilities are all known and fixable.
“A lot of security and best practices is driven by the desire not to be totally embarrassed by an attack,” he said. “This gets the attention of people and can get high-level management asking questions.”
However, Stiennon said that companies continue to budget inadequately for software patching and downtime, instead lagging until a worm hits, which then throws businesses into crisis mode.
What To Do
SANS offered tips on closing the security gaps it listed and also published an expanded list of ports that should be blocked at the firewall or gateway device level.
The security institute, which advised that the most secure approach is a default-deny stance on routers and firewalls, also included instructions for defending systems from the most destructive malware, including Slammer, SoBig and Blaster.
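To make the contrast concrete, here is an added example (not from the article, SANS or any vendor) showing the two firewall stances as nftables rulesets for a single host: a permissive policy that blocks only a short list of ports, beside the default-deny policy the institute recommends. The port numbers and the allowed services (SSH and HTTPS) are assumptions chosen for illustration, not the institute's published list.

```nft
# Added example, not from the article or from SANS.
# Two nftables rulesets for a host's own inbound traffic; load only ONE of
# them at a time (e.g. "nft -f ruleset.nft" as root), since two hooked input
# chains would both be consulted for every packet.

# Weak stance: accept by default and block a list of known-risky ports.
# Anything the list omits (a new listener, a port added later) stays reachable.
table inet weak_blocklist {
    chain input {
        type filter hook input priority 0; policy accept;
        # illustrative ports only (RPC endpoint mapper, NetBIOS, SMB, SNMP);
        # the real published list is not reproduced here
        tcp dport { 135, 139, 445 } drop
        udp dport { 137, 138, 161 } drop
    }
}

# Recommended stance: drop by default and permit only what is explicitly needed.
table inet default_deny {
    chain input {
        type filter hook input priority 0; policy drop;
        # keep replies to connections this host opened, and loopback, working
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        # ICMP is needed for path MTU discovery and basic diagnostics
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # services this host is assumed to offer: SSH and HTTPS
        tcp dport { 22, 443 } ct state new accept
        # every other inbound packet falls through to the chain policy: drop
    }
    chain forward {
        # a host that is not a router should not forward at all
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The practical difference is what happens when the list is incomplete: under the first ruleset a service the administrator forgot about is exposed until someone notices it, while under the second it is unreachable until someone deliberately adds an accept rule, which is the property the institute's advice is after.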
SANS called its list a baseline for defense strategies and warned against pressuring system administrators to fix all vulnerabilities, which can number in the thousands, at once.
“When a system administrator receives a report showing thousands of vulnerabilities across hundreds of machines, he is often paralyzed,” said SANS in a statement. “The Top 20 is a critical tool in providing focus to the cyber security fight.”