SANS Updates Top 20 Vulnerabilities List
The latest update to the SANS Top 20 List includes the usual suspects of client application vulnerabilities, browser vulnerabilities, and poor policies and/or enforcement. The list seems to have something for everyone. While operating systems are less vulnerable to worms than in the past, desktop apps are being exploited more effectively. The ones that caught my eye at first were vulnerabilities in backup software, anti-virus applications, and databases.
Backups tend to run with elevated privileges so they can read many directories, which makes them a prime target of attack. I for one don't think about backups much except when I need them or there is a problem with the scheduled jobs that run them. This is one case where "out of sight, out of mind" is a problem.
Anti-virus software is also on the list, with a Who's Who of top AV vendors having remote code execution vulnerabilities in their products. Attacking AV is like a biological pathogen that attacks the immune system: once it is compromised, the door is open to other pathogens/malware.
Databases are of course on the list. These systems store the "crown jewels" of a company, so of course they'll be a target. The combination of vulnerabilities in listeners (the components that pick up requests from the network), default configurations, and poor password policies/enforcement doesn't help to protect the valuables.
The lowest hanging fruit that we seem to keep missing lies in basic configuration and password policies.
The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!
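Password guessing of the kind the post refers to is noisy: it shows up as a burst of failed logins for common or default accounts from one source, sometimes followed by a success. The script below is an added example, not code from the post or from SANS; it runs a simple sliding-window check over constructed sshd/syslog-style lines and flags any source that crosses a failure threshold, noting whether that source later authenticated. The threshold, window, year (syslog timestamps carry none) and the log lines themselves are assumptions made for the example.

```python
"""Spot password-guessing bursts (dictionary / brute-force attempts) in auth logs.

Added example for this post, not part of it: the log lines below are constructed
in sshd/syslog format, and the threshold and window are assumed values to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real host). One source makes many failed
# guesses for common/default accounts and then gets in; another is a single typo.
SAMPLE_LOG = """\
Nov 28 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
Nov 28 10:00:02 host1 sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 50123 ssh2
Nov 28 10:00:03 host1 sshd[2003]: Failed password for root from 192.0.2.10 port 50124 ssh2
Nov 28 10:00:04 host1 sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 50125 ssh2
Nov 28 10:00:05 host1 sshd[2005]: Failed password for invalid user guest from 192.0.2.10 port 50126 ssh2
Nov 28 10:00:06 host1 sshd[2006]: Accepted password for root from 192.0.2.10 port 50127 ssh2
Nov 28 10:05:00 host1 sshd[2007]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 28 10:09:00 host1 sshd[2008]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the sshd "Failed/Accepted ... for [invalid user] <user> from <ip> port <n>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(raw, year=2007):
    """Return (timestamp, result, user, ip), or None for lines we do not care about.

    `year` is assumed because syslog timestamps do not carry one.
    """
    m = LINE_RE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60), year=2007):
    """Flag any source IP with at least `threshold` failed logins inside `window`.

    Returns one alert dict per flagged source. `success_after` names the account
    that later authenticated from that source; that is the case to treat as a
    likely compromise rather than just noise.
    """
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)  # ip -> accounts that were guessed
    alerts = {}                     # ip -> alert dict (one per source)
    for raw in lines:
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            users_tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "ip": ip,
                    "first_failure": q[0],
                    "failures": len(q),
                    "users": users_tried[ip],
                    "success_after": None,
                }
        elif result == "Accepted" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above only 192.0.2.10 is flagged (five failures in five seconds against admin, oracle, root, test and guest, then a successful root login), while the single failed attempt from 198.51.100.7 stays below the threshold. The same check ports directly to database listener or application audit logs: the regex changes, the window logic does not.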
The full list is available at http://www.sans.org/top20/