FBI names 20 most-wanted security flaws

The Systems Administration, Networking and Security (SANS) Institute unveiled a list of 20 software flaws this week that the group, along with the FBI, recommends be given special attention by corporate data managers.

The list includes seven security problems that affect all systems, six vulnerabilities specific to Microsoft servers, and seven flaws that affect various flavors of Unix, including Linux and Solaris.

"The idea is that this list is going to heighten awareness of the top threats," said Greg Shipley, vice president of consulting for network protection company Neohapsis. "If you take the stance of an in-the-trenches security practitioner, this definitely helps."

Along with many esoteric vulnerabilities -- such as the ISAPI flaw that allowed Code Red to spread -- the list also includes many common-sense steps that system administrators can take to secure their networks. For example, the list highlights the fact that most default installations of software are not secure, that many organizations do not perform regular backups and that weak or no passwords are frequently used.

The list builds on a Top 10 list that SANS released in June 2000. All but one of the original 10 flaws remain on the list.

That may indicate that many people are not listening to the message, said Shipley, but that doesn't negate the usefulness of the list.

"If the community did rally around this, the Internet would still be a lot safer," he said.

Sixteen months ago, vulnerabilities in the domain-name service software package BIND topped the list, followed by flaws in the Common Gateway Interface scripts commonly used by many Web sites to add interactivity.

The current Top 20 list doesn't rank the flaws, but does break them into general, Windows and Unix categories.