Dana Epp's ramblings at the Sanctuary: SANS releases updated Top 20 Vulnerabilities List


« Mozilla: How to be a thorn in my side \| Main \| Power of Blogging: Word of Mouth FINALLY gets my SORBS issue fixed » October 08, 2004 SANS releases updated Top 20 Vulnerabilities List SANS has updated their list of top 20 vulnerabilities on the Internet. You might find some of their findings interesting: Top Vulnerabilities to Windows Systems: Web Servers & Services Workstation Service Windows Remote Access Services Microsoft SQL Server (MSSQL) Windows Authentication Web Browsers File-Sharing Applications LSAS Exposures Mail Client Instant Messaging Top Vulnerabilities to UNIX Systems: BIND Domain Name System Web Server Authentication Version Control Systems Mail Transport Service Simple Network Management Protocol (SNMP) Open Secure Sockets Layer (SSL) Misconfiguration of Enterprise Services NIS/NFS Databases Kernel Compare that to a year ago. Top Vulnerabilities to Windows Systems in 2003: Internet Information Services (IIS) Microsoft SQL Server (MSSQL) Windows Authentication Internet Explorer (IE) Windows Remote Access Services Microsoft Data Access Components (MDAC) Windows Scripting Host (WSH) Microsoft Outlook and Outlook Express Windows Peer to Peer File Sharing (P2P) Simple Network Management Protocol (SNMP) Top Vulnerabilities to UNIX Systems in 2003: BIND Domain Name System Remote Procedure Calls (RPC) Apache Web Server General UNIX Authentication Accounts with No Passwords or Weak Passwords Clear Text Services Sendmail Simple Network Management Protocol (SNMP) Secure Shell (SSH) Misconfiguration of Enterprise Services NIS/NFS Open Secure Sockets Layer (SSL) Interesting findings. On the surface much has changed. But not really. Look closely. Network attack vectors via a web server is still a paramount concern on Windows. And BIND continues to be the achilles heel on Unix. What does that really tell us though? It is always easier to breach something exposed to the masses remotely and anonymously. Is this because of secure software engineering failure, configuration failure or a failure in education. (Or a piece of each). What I DID find insteresting was that this year, "web servers" have been clumped together. IIS always used to stand out because of the various weaknesses in it; IIS6 was a totally new design through the SD3+C methodology and its showing to be successful. Now its just en mass with Apache, and iPlanet/SunOne. Will be interesting to see a snapshot next year... I am going to guess the SD3+C push will have mitigated a lot of this as more businesses move to W2K3. Posted by SilverStr at October 8, 2004 10:12 AM \| TrackBack		My 5 Favorite Books Writing Secure Code Secure Programming Cookbook Security Engineering Secure Coding Principles & Practice Inside the Security Mind My 5 Favorite Papers Smashing the Stack Penetration Studies Covert Channel Analysis of Trusted Systems DoD Trusted Computer System Evaluation Criteria NSA Security Recommendation Guides Archives December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 GeoURL

October 08, 2004

SANS releases updated Top 20 Vulnerabilities List