Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SANS/FBI Top 20 List

Posted by timothy on from the reverse-pecking-order dept.

An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities. As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists. For last years version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."

4 of 199 comments (clear)

  1. Some messed up scoring here. by caluml · · Score: 5, Informative
    The 3rd highest vulnerability to Unix is Apache?
    That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

    Or am I reading a list from 5 years ago?

    --
    Get your own free personal location tracker
  2. Re:Woohoo! FTP is safe! by vladkrupin · · Score: 3, Informative

    See?! Telnet & FTP aren't on the list anymore.

    Right, right... Ehrm... to quote the guy a couple postings before you...

    # U5 Clear Text Services

    --

    Jobs? Which jobs?
  3. To summarize (or generalize) by johnlcallaway · · Score: 3, Informative
    Windows break/Fixes can be simplistically be broken down this way:
    • W1 Internet Information Services (IIS) - Keep it patched
    • W2 Microsoft SQL Server (MSSQL) - Keep it patched and don't connect it to the web
    • W3 Windows Authentication - Create and enforce password policies
    • W4 Internet Explorer (IE) - Keep it patched
    • W5 Windows Remote Access Services - Don't use it/keep it patched/hack the registry
    • W6 Microsoft Data Access Components (MDAC) - Keep it patched
    • W7 Windows Scripting Host (WSH) - Disable it
    • W8 Microsoft Outlook Outlook Express - Remove it
    • W9 Windows Peer to Peer File Sharing (P2P) - Don't install it
    • W10 Simple Network Management Protocol (SNMP) - Disable it unless you know what you are doing
    Unix break/Fixes can be simplistically be broken down this way:
    • U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
    • U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
    • U3 Apache Web Server - Don't install it except on web servers and only install modules you need
    • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords - Create and enforce password policies
    • U5 Clear Text Services - Don't install them, use alternatives
    • U6 Sendmail - Don't install, use an alternative, and only install on mail servers
    • U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
    • U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
    • U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
    • U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
    The best choice is if you don't need it, don't install it. If software isn't on the machine, it can't be hacked.

    Of course, with Unix, at least you have that choice......
    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
  4. And the #1 vulnerability is... by moltar77 · · Score: 4, Informative

    Windows! On a more serious note, the web site listed a very nice link for manually removing Outlook Express. At last I can purge my hard drive of that thing!!