[ISN] ISS Lists Security Risks

From: InfoSec News (isnat_private)
Date: Tue Jul 08 2003 - 00:28:48 PDT


    http://security.ziffdavis.com/article2/0,3973,1185262,00.asp
    
    By Dennis Fisher
    eWEEK 
    July 7, 2003 
    
    Internet Security Systems Inc. last week unveiled its first 
    Catastrophic Risk Index, a compilation of the 31 most serious current 
    vulnerabilities and attacks.
    
    The index is designed to give administrators a constantly updated 
    quick-reference list of the issues that should be their top priorities 
    in protecting networks. Not surprisingly, all but two of the 
    vulnerabilities on the list are some form of buffer overflow.
    
    Buffer overflows are far and away the most common security 
    vulnerabilities plaguing commercial and open-source software. They 
    come in many shapes and sizes, from an unbounded string copy to a 
    length field trusted straight off the wire, and can be found in 
    almost any kind of application, but the result is much the same: 
    memory next to the buffer is overwritten, and an attacker who 
    controls what lands there can take over the affected application or 
    server.
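    The two overflow shapes mentioned above, as an added example in C 
    that is not part of the eWEEK article or of ISS's index: an unbounded 
    string copy and a trusted length field, each beside a bounds-checked 
    rewrite. The function names, the 16-byte buffer and the one-byte 
    length-prefixed record format are hypothetical, constructed only for 
    this illustration.

```c
/* Added example, not from the article or from ISS. All names, the
 * NAME_LEN buffer size and the record format are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Shape 1, vulnerable: unbounded copy into a fixed-size stack buffer.
 * Any name of NAME_LEN bytes or more runs past buf into whatever the
 * compiler placed next to it on the stack (including the saved return
 * address). Shown for contrast only; never call this with untrusted input. */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);                 /* no bound on the copy */
    printf("hello, %s\n", buf);
}

/* Shape 1, hardened: measure first, refuse anything that does not fit
 * together with its terminating NUL, then copy exactly that many bytes.
 * Returns 0 on success, -1 if the input was rejected. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    size_t n = strlen(name);
    if (n >= sizeof buf)               /* n == 15 fits, n == 16 does not */
        return -1;
    memcpy(buf, name, n + 1);          /* n bytes plus the NUL */
    printf("hello, %s\n", buf);
    return 0;
}

/* Constructed record format: rec[0] declares the payload length, the
 * payload follows. A parser that trusts rec[0] has the same bug as
 * strcpy above, just with the bound supplied by the attacker. */

/* Shape 2, vulnerable: copies rec[0] bytes regardless of how many bytes
 * were actually received or how large out is. */
size_t copy_payload_unsafe(const unsigned char *rec, unsigned char *out)
{
    size_t declared = rec[0];
    memcpy(out, rec + 1, declared);    /* over-reads rec, overflows out */
    return declared;
}

/* Shape 2, hardened: the declared length must be covered by the bytes
 * received and must fit the destination. Returns the payload length
 * copied, or -1 if the record was rejected. */
long copy_payload_safe(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_len)
{
    if (rec_len < 1)
        return -1;                     /* no length byte at all */
    size_t declared = rec[0];
    if (declared > rec_len - 1)
        return -1;                     /* claims more than was received */
    if (declared > out_len)
        return -1;                     /* would overflow the destination */
    memcpy(out, rec + 1, declared);
    return (long)declared;
}

/* Runs the hardened parser over three constructed records and returns
 * how many were rejected (expected: 2). */
int demo_records(void)
{
    const unsigned char good[]      = {3, 'a', 'b', 'c'};
    const unsigned char truncated[] = {0x20, 'a', 'b', 'c'};   /* claims 32, has 3 */
    const unsigned char toobig[]    = {6, 'a', 'b', 'c', 'd', 'e', 'f'};
    unsigned char out[8];
    int rejected = 0;

    if (copy_payload_safe(good, sizeof good, out, sizeof out) != 3)
        return -1;                     /* the well-formed record must pass */
    if (copy_payload_safe(truncated, sizeof truncated, out, sizeof out) == -1)
        rejected++;
    if (copy_payload_safe(toobig, sizeof toobig, out, 4) == -1)
        rejected++;                    /* 6 bytes into a 4-byte destination */
    return rejected;
}

int main(void)
{
    greet_safe("alice");                                   /* prints a greeting */
    greet_safe("this name is far too long for the buffer"); /* rejected, -1 */
    return demo_records() == 2 ? 0 : 1;
}
```

    The hardened versions do not "fix" the copy itself; they refuse to 
    start it when the bound cannot be proven. That is the check that a 
    worm author looks for the absence of.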
    
    To qualify for inclusion on the CRI, a vulnerability must meet several 
    criteria: it must be pervasive enough to affect almost all 
    organizations across all industries; pose a serious threat to the 
    confidentiality, integrity and availability of critical data; be a 
    potential cause of catastrophic business-system failure; and lend 
    itself readily to exploitation by viruses and worms. About one-third 
    of the vulnerabilities on the list are found in open-source software 
    packages, including OpenSSL, Sendmail and Snort. The remainder are 
    problems in commercial applications, with Microsoft Corp. having the 
    most entries on the CRI. Of the 31 issues listed, 12 were found in 
    Microsoft products. The other commercial vendors with more than one 
    flaw on the list are Sun Microsystems Inc. and PeopleSoft Inc., which 
    have two each.
    
    The CRI was developed by X-Force, the research team at ISS, which is 
    based in Atlanta. The team plans to update the list on a regular basis 
    so that it continues to reflect the current set of the most dangerous 
    known vulnerabilities.
    
    ISS officials said the company developed the CRI to take some of the 
    pressure off customers, who are inundated with information about new 
    vulnerabilities and attacks every day.
    
    "Our security team identifies and tracks 200 to 300 new 
    vulnerabilities and threats each month, which is an enormous load for 
    companies to keep up with while also focusing on their core business," 
    said Chris Rouland, vice president of X-Force.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    