

New SANS/FBI Top 20 List

An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities. As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists. For last year's version, see here. In addition to this list, and a lot of other stuff, the SANS Institute is behind DShield and the Internet Storm Center."


  1. Some messed up scoring here. by caluml · · Score: 5, Informative
    The 3rd highest vulnerability to Unix is Apache?
    That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

    Or am I reading a list from 5 years ago?

    1. Re:Some messed up scoring here. by valdis · · Score: 2, Informative

      OK.. Speaking as one of the culprits here.. ;)

      Those of you who patch regularly and often aren't the problem, or the target audience. Yes, the last Bind exploit was quite some time ago, and patched systems fixed it long ago. On the other hand, want to guess which there are more of out there, fully patched RedHat 9.0 boxes or unpatched RedHat 7.2 boxes?

      One of the inputs into the ranking and selection criteria was how heavily exploited the holes were. And you know what? There's more sites being nailed *NOW* with the Apache Chunking hole than the most recent OpenSSH hole (Hint - which has more working exploits in the wild?)

      To be blunt, we weren't targeting the admins that do a good job of keeping their systems tied down and up to date (THOSE guys can wander over to www.cisecurity.org (Yes, I'm a co-conspirator there too ;) and see how they do on the benchmarks). We were targeting the sites that are running 3 years behind because they don't have a clue where to start.

      It's not a checklist for perfect security. It's a checklist of "If you don't have a clue and the boss only gave you 2 hours to get the box online, do at least this much so you have a fighting chance".

      Nobody who helped make this list was particularly thrilled by the need to do it - every single one of us wished it wasn't necessary, either because systems were at least that secured out of the box, or because systems were hardened by people who had both the skill and time to do the job.

      And yes, we're collectively ticked by the fact that it's so damned hard to retire items. On the other hand, it's instructive to go back and re-read the original Multics penetration study:

      http://www.acsac.org/2002/papers/classic-multics-orig.pdf (24 pages)

      and then look at the author's 30-years-later retrospective:

      http://www.acsac.org/2002/papers/classic-multics.pdf (8 pages)

      Executive Summary: It hasn't gotten much better over 30 years. In fact, it sucks worse.

  2. Re:FTP by EvilStein · · Score: 2, Informative

    Yeah, SFTP/SCP with applications like WinSCP work out as a nice replacement.
    There are several "FTP apps" that support SFTP.

    Dreamweaver allows you to do SFTP/SCP via PuTTY, too.

  3. Re:Woohoo! FTP is safe! by vladkrupin · · Score: 3, Informative

    See?! Telnet & FTP aren't on the list anymore.

    Right, right... Ehrm... to quote the guy a couple postings before you...

    # U5 Clear Text Services

    --

    Jobs? Which jobs?
  4. To summarize (or generalize) by johnlcallaway · · Score: 3, Informative
    Windows break/fixes can be simplistically broken down this way:
    • W1 Internet Information Services (IIS) - Keep it patched
    • W2 Microsoft SQL Server (MSSQL) - Keep it patched and don't connect it to the web
    • W3 Windows Authentication - Create and enforce password policies
    • W4 Internet Explorer (IE) - Keep it patched
    • W5 Windows Remote Access Services - Don't use it/keep it patched/hack the registry
    • W6 Microsoft Data Access Components (MDAC) - Keep it patched
    • W7 Windows Scripting Host (WSH) - Disable it
    • W8 Microsoft Outlook and Outlook Express - Remove it
    • W9 Windows Peer to Peer File Sharing (P2P) - Don't install it
    • W10 Simple Network Management Protocol (SNMP) - Disable it unless you know what you are doing
    Unix break/fixes can be simplistically broken down this way:
    • U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
    • U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
    • U3 Apache Web Server - Don't install it except on web servers and only install modules you need
    • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords - Create and enforce password policies
    • U5 Clear Text Services - Don't install them, use alternatives
    • U6 Sendmail - Don't install, use an alternative, and only install on mail servers
    • U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
    • U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
    • U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
    • U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
    The best choice is if you don't need it, don't install it. If software isn't on the machine, it can't be hacked.

    Of course, with Unix, at least you have that choice......
    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
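
An added example (not from this thread or from SANS) that turns the Unix half of the checklist above into a quick audit: it maps the checklist items that correspond to a well-known listening port and flags any such socket open on a host. The port-to-item mapping and the `ss`-style sample listing are constructed for the example; on a real host you would feed it the output of `ss -Hltun` instead.

```shell
#!/bin/sh
# Added example, not the thread's or SANS' own tooling. Maps checklist items
# U1..U9 to the listening ports they usually show up as, then scans an
# `ss -Hltun`-style listing (netid state recv-q send-q local peer) for them.

# Constructed mapping: port|protocol|checklist item. Items without a fixed
# port (U4 weak passwords, U10 SSL library) are not represented here.
CHECKLIST='21|tcp|U5 clear-text service (ftp)
23|tcp|U5 clear-text service (telnet)
513|tcp|U5 clear-text service (rlogin)
25|tcp|U6 sendmail / MTA listening
53|tcp|U1 BIND / DNS listening
53|udp|U1 BIND / DNS listening
111|tcp|U2 RPC portmapper
111|udp|U2 RPC portmapper
161|udp|U7 SNMP agent
2049|tcp|U9 NFS server
22|tcp|U8 SSH: keep patched, restrict Internet access
80|tcp|U3 web server listening'

# classify_port PORT PROTO: print the matching checklist item and exit 0,
# or print nothing and exit 1 when the port is not on the list.
classify_port() {
    printf '%s\n' "$CHECKLIST" |
        awk -F'|' -v p="$1" -v t="$2" \
            '$1 == p && $2 == t { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# audit_listeners: read ss-style lines on stdin, print "PORT/PROTO ITEM"
# for every listening socket that matches a checklist item.
audit_listeners() {
    while read -r netid state rq sq laddr peer rest; do
        [ -n "$netid" ] || continue
        port=${laddr##*:}          # works for 0.0.0.0:22, [::]:80 and *:25
        if item=$(classify_port "$port" "$netid"); then
            printf '%s/%s %s\n' "$port" "$netid" "$item"
        fi
    done
}

# Constructed sample listing in the column layout of `ss -Hltun`.
SAMPLE_SS_OUTPUT='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# Demo run over the constructed sample; the CUPS socket on 631 is not flagged.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
```

To run it against a live host, replace the demo line with `ss -Hltun | audit_listeners`. A flagged line is a prompt to ask the checklist's question (does this box actually need to be a DNS, mail, NFS or web server?), not proof of a hole; conversely, an empty result says nothing about U4 or U10, which have no port to look for.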
    1. Re:To summarize (or generalize) by Anonymous Coward · · Score: 1, Informative

      Unix break/fixes can be simplistically broken down this way:

      * U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
      Good Advice -- only use domain name services on a DNS .

      * U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
      NFS? It's still one of the fastest solutions.

      * U3 Apache Web Server - Don't install it except on web servers and only install modules you need
      Only run Apache on web servers. I understand your thinking after reading the DNS thing.

      * U6 Sendmail - Don't install, use an alternative, and only install on mail servers
      And sendmail on mail servers. It's becoming clearer.

      * U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
      Home grown alternatives are worse.

      * U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
      It's 3am. The fan is dirty and you're in transit. A VPN won't save you but secure access from the general Internet will. And what, exactly, is the VPN providing that SSH doesn't?

      * U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
      Never cared much for working servers and setting up accounts (and deleting them) on 200 boxes is so much fun.

      * U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
      Now how are you going to get that VPN working that you love so much?

      This is mature stuff that does real work. I have mountains of respect for it and you're advocating DOS 3.

  5. And the #1 vulnerability is... by moltar77 · · Score: 4, Informative

    Windows! On a more serious note, the web site listed a very nice link for manually removing Outlook Express. At last I can purge my hard drive of that thing!!

  6. Re:Notice something cool about the list? by crazyphilman · · Score: 2, Informative

    If you know what you're talking about, why is it you think that a user-space firewall is more secure than a kernel-space firewall?

    When the firewall runs in the kernel, the firewall sees incoming packets FIRST, and can drop them on the spot. When the firewall runs in user-space, incoming packets come in, get handled by a kernel process (which may have a vulnerability), and THEN get handled by the firewall. So if there's a vulnerability in the kernel, the packet has already nailed you before the firewall has "seen" it. It's why every single Unix puts its firewall in the kernel, and has done so for decades.

    How did you scan your machine? Did you use nmap? Did you try all the different scans available (there are at least a few dozen).

    I'm not trying to give you a hard time, here, I just think you're trusting XP a little too much for your own good.

    --
    Farewell! It's been a fine buncha years!