http://osvdb.org/blog/?p=148
November 24th, 2006

I previously blogged about the SANS Top 20 List in a pretty negative fashion. The list started off as the "Top 10 Vulnerabilities" and quickly expanded into the Top 20 Vulnerabilities. Even last year (2005), they were still calling it a "Top 20 Vulnerabilities" list when it clearly had become anything but that. This year, SANS finally wised up, calling the list "SANS Top-20 Internet Security Attack Targets". Yes, they are now listing the 20 most attacked "targets", not "exploited vulnerabilities". With this change, does the list regain some of the value it originally had and quickly lost? Let's look at the list:

Operating Systems
  W1. Internet Explorer
  W2. Windows Libraries
  W3. Microsoft Office
  W4. Windows Services
  W5. Windows Configuration Weaknesses
  M1. Mac OS X
  U1. UNIX Configuration Weaknesses

Cross-Platform Applications
  C1. Web Applications
  C2. Database Software
  C3. P2P File Sharing Applications
  C4. Instant Messaging
  C5. Media Players
  C6. DNS Servers
  C7. Backup Software
  C8. Security, Enterprise, and Directory Management Servers

Network Devices
  N1. VoIP Servers and Phones
  N2. Network and Other Devices Common Configuration Weaknesses

Security Policy and Personnel
  H1. Excessive User Rights and Unauthorized Devices
  H2. Users (Phishing/Spear Phishing)

Special Section
  Z1. Zero Day Attacks and Prevention Strategies

So if you run Windows, Unix or Mac OS .. and/or have Web Applications, Database software, allow P2P file sharing, allow IM messaging, have media players (installed by default on most OSs), run DNS servers, run Backup Software, run Security/Enterprise/DM servers .. and/or use VoIP servers/phones or "network and other devices" .. and/or have weak policy governing user rights or don't prohibit certain devices and you actually have users .. you have at least one of the "Top 20 Attack Targets". Wow, is that ever so helpful. Oh, I forgot, failing all of that, "Zero Day Attacks" are a top 20 attack vector.

Hey SANS, could you make a more overly vague and general security list next time? Maybe for 2007 you could shorten it from the "Top 20" to the "Top 1" and just list "C1: Have a computer type device". That would save your analysts a lot of time and be just as helpful to the masses. Seriously, ditch the list or go back to the basics.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Nov 28 2006 - 01:50:36 PST