News

SANS Posts Top 20 Vulnerabilities List

The SANS Institute on Friday unveiled its fifth annual list of the most commonly exploited vulnerable services in Windows, Unix and Linux systems. For Windows-based systems, Web servers and services topped the list as the biggest vulnerability.

SANS, a security certification and training organization that maintains the influential Internet Storm Center, originally released the list in conjunction with the National Infrastructure Protection Center of the FBI. The unveiling ceremony Friday in London marks the first time SANS didn't release the list at a White House or FBI ceremony.

"This is … the first time that the launch event for this authoritative study has taken place within Europe; reflecting both on the Top-20’s growing significance outside of the US and the essential leadership role played by British government agencies in this year’s study and in cyber-security, overall," according to a statement by the institute.

The list is billed as a consensus of security experts from security researchers at leading government security agencies worldwide, user groups and IT companies, including Microsoft, Symantec and Cisco.

After the release of the first list of ten vulnerabilities in 2000, the list has been organized as two separate top tens -- one for Windows-based systems and one for Unix or and Unix/Linux-based systems.

"Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services," the institute said in a statement.

To justify listing Web servers and services as the top most vulnerable service on Windows systems, the institute noted that default installations of HTTP servers from Microsoft IIS to Apache to SunOne and other add-ons have proven vulnerable to serious attacks including complete compromise of the server, exposure of sensitive files or data and denial of service.

Each vulnerability includes recommended mitigation steps. For Web servers, the institute goes through several general steps, as well as platform-specific steps. For IIS, the institute recommends upgrading to IIS 6.0 where possible, using Microsoft's IIS Lockdown Wizard and filtering HTTP requests with Microsoft's URLScan tool.

The SANS list of Top Vulnerabilities to Windows Systems:

  • W1 Web Servers & Services
  • W2 Workstation Service
  • W3 Windows Remote Access Services
  • W4 Microsoft SQL Server (MSSQL)
  • W5 Windows Authentication
  • W6 Web Browsers
  • W7 File-Sharing Applications
  • W8 LSAS Exposures
  • W9 Mail Client
  • W10 Instant Messaging

    The SANS list of top vulnerabilities to Unix Systems:

  • U1 BIND Domain Name System
  • U2 Web Server
  • U3 Authentication
  • U4 Version Control Systems
  • U5 Mail Transport Service
  • U6 Simple Network Management Protocol (SNMP)
  • U7 Open Secure Sockets Layer (SSL)
  • U8 Misconfiguration of Enterprise Services NIS/NFS
  • U9 Databases
  • U10 Kernel

    The SANS list is available here.

    • About the Author

    Scott Bekker is editor in chief of Redmond Channel Partner magazine.