Multinational consensus pegs top 20 net vulnerabilities
By Dan Verton, IDG News Service
Date: October 09, 2003
The US Department of Homeland Security (DHS), along with its Canadian and British counterparts and the System Administration, Networking and Security (SANS) Institute, has released a list of the top 20 security vulnerabilities most often exploited by criminal hackers.
The creation of the Top 20 list of commonly exploited Windows, Unix and Linux flaws marks one of the first times that a multi-national consensus has been reached on critical Internet vulnerabilities that must be fixed to meet a minimum level of security protection for computers connected to the Internet.
"Basing the Top 20 on a multi-national government/industry consensus endows the list with more authority and makes it easy for each of our agencies to persuade owners and operators of the critical infrastructure to eliminate these vulnerabilities," director of the U.K.'s National Infrastructure Security Co-ordination Centre, Steve Cummings, said.
Director of outreach programs at the DHS, Sallie McDonald, called the Top 20 project, "a useful example" of how the USNational Strategy for Securing Cyberspace was being implemented.
Director of research at SANS, Alan Paller, said the list was a consensus of the knowledge of experts from around the world who are fighting cybercrime. In addition to contributors in the US, UK and Canada, experts from Singapore and Brazil also helped develop the list.
Paller said the security industry had put its support behind the Top 20 list. Two of the leading suppliers of vulnerability testing software, Qualys and Foundstone, announced that their customers would be able to test for the top 20 vulnerabilities. Qualys was also offering a free network auditing service that let anyone test Internet-connected systems for evidence of the vulnerabilities, Paller said.
"The list reflects the combined experience of many of the folks who have to clean up after attacks," he said. "It couldn't be developed by any individual organization because different sites face different automated and targeted attacks."
SANS started the process of issuing a Top 10 list of vulnerabilities three years ago, when it released its first list with the US National Infrastructure Protection Center.
The updated SANS Top 20 is actually a combination of two Top 10 lists: the 10 most commonly exploited vulnerable services in Windows and the 10 most commonly exploited vulnerable services in Unix and Linux.
"Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these 20 vulnerable services," according to the final consensus document.
^macro[showdigestcomments;^uri;Multinational consensus pegs top 20 net vulnerabilities]