SANS Posts Top 20 Vulnerabilities List
- By Scott Bekker
- October 08, 2004
The SANS Institute on Friday unveiled its fifth annual list of the most commonly exploited vulnerable services in Windows, Unix and Linux systems. For Windows-based systems, Web servers and services topped the list as the biggest vulnerability.
SANS, a security certification and training organization that maintains the influential Internet Storm Center, originally released the list in conjunction with the National Infrastructure Protection Center of the FBI. The unveiling ceremony Friday in London marks the first time SANS didn't release the list at a White House or FBI ceremony.
"This is … the first time that the launch event for this authoritative study has taken place within Europe; reflecting both on the Top-20’s growing significance outside of the US and the essential leadership role played by British government agencies in this year’s study and in cyber-security, overall," according to a statement by the institute.
The list is billed as a consensus of security experts from security researchers at leading government security agencies worldwide, user groups and IT companies, including Microsoft, Symantec and Cisco.
After the release of the first list of ten vulnerabilities in 2000, the list has been organized as two separate top tens -- one for Windows-based systems and one for Unix or and Unix/Linux-based systems.
"Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services," the institute said in a statement.
To justify listing Web servers and services as the top most vulnerable service on Windows systems, the institute noted that default installations of HTTP servers from Microsoft IIS to Apache to SunOne and other add-ons have proven vulnerable to serious attacks including complete compromise of the server, exposure of sensitive files or data and denial of service.
Each vulnerability includes recommended mitigation steps. For Web servers, the institute goes through several general steps, as well as platform-specific steps. For IIS, the institute recommends upgrading to IIS 6.0 where possible, using Microsoft's IIS Lockdown Wizard and filtering HTTP requests with Microsoft's URLScan tool.
The SANS list of Top Vulnerabilities to Windows Systems:W1 Web Servers & Services
W2 Workstation Service
W3 Windows Remote Access Services
W4 Microsoft SQL Server (MSSQL)
W5 Windows Authentication
W6 Web Browsers
W7 File-Sharing Applications
W8 LSAS Exposures
W9 Mail Client
W10 Instant Messaging
The SANS list of top vulnerabilities to Unix Systems:U1 BIND Domain Name System
U2 Web Server
U4 Version Control Systems
U5 Mail Transport Service
U6 Simple Network Management Protocol (SNMP)
U7 Open Secure Sockets Layer (SSL)
U8 Misconfiguration of Enterprise Services NIS/NFS
The SANS list is available here.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.