|
|
DSL News
The SANS Top 20 Internet Security Vulnerabilities
Article #: 10
| Date: | | | Written By: | http://www.sans.org/top20/ | | Article: | The vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services. Attackers are opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.
Three years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty lists that followed one and two years later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to the examples above Blaster, Slammer, and Code Red, as well as NIMDA worms - are on that list.
This updated SANS Top Twenty is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX and Linux. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services.
The Top Twenty is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious federal agencies in the US, UK and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute. A list of participants may be found at the end of this document.
The SANS Top Twenty is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you.
Notes for Readers
CVE Numbers
You'll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that have not yet been fully verified. For more data on the award-winning CVE project, see http://cve.mitre.org.
The CVE and CAN numbers reflect the top priority vulnerabilities that should be checked for each item. Each CVE vulnerability reference is linked to the associated vulnerability entry in the National Institute of Standards and Technology's ICAT vulnerability indexing service (http://icat.nist.gov). ICAT provides a short description of each vulnerability, a list of the characteristics of each vulnerability (e.g. associated attack range and damage potential), a list of the vulnerable software names and version numbers, and links to vulnerability advisory and patch information.
Ports to Block at the Firewall
---- Jump to index of Ports to Block at the Firewall or Gateway ----
At the end of the document, you'll find an extra section offering a list of commonly probed and attacked ports. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistakes and oversights. Note, however, that using a firewall or router to block network traffic directed to a port does not protect the port from disgruntled co-workers who are already inside your perimeter or from hackers who may have penetrated your perimeter using other means. It is also a far more secure practice implementing a default deny or block that which is not explicitly allowed stance in firewall and router configurations than individually blocking specific ports.
back to top ^
Top Vulnerabilities to Windows Systems:
http://www.sans.org/top20/#threats
W1 Internet Information Services (IIS)
W2 Microsoft SQL Server (MSSQL)
W3 Windows Authentication
W4 Internet Explorer (IE)
W5 Windows Remote Access Services
W6 Microsoft Data Access Components (MDAC)
W7 Windows Scripting Host (WSH)
W8 Microsoft Outlook and Outlook Express
W9 Windows Peer to Peer File Sharing (P2P)
W10 Simple Network Management Protocol (SNMP)
Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
U5 Clear Text Services
U6 Sendmail
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services NIS/NFS
U10 Open Secure Sockets Layer (SSL)
|
DSL HOME |
|
