SANS Institute embarrasses FBI
When the SANS Institute, in co-operation with the FBI, released its list of "The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts' Consensus" for 2002" I responded by pointing out that:
- the top 10 Windows list did not include the most widely exploited vulnerabilities,
- the top ten Unix list included applications and SunRPC related vulnerabilities from the late eighties.
- the list did not cover either Windows applications or Cisco and other networking software responsible for most exploitable internet security vulnerabilities.
At the time the FBI, essentially a sleeping partner in this effort, was having some internal systems problems with infighting between mainframers and PC bigots blocking desktop and other upgrades. Nevertheless, having the FBI name attached to the SANS list gave it an apparent legitimacy a PC security tools vendor consortium would never have had on its own - and therefore embarrassed the FBI.
That was then, now is now - and the SANS Institute has significantly changed its behavior - to the point that today's top 20 list is a beautiful piece of work of genuine value to its users.
Thus the current release has separate sections covering major vulnerabilities in:
Top Vulnerabilities in Windows Systems
- W1. Windows Services (13 = number of vulnerabilities or CVEs listed; n/a = not applicable because not a vulnerability list)
- W2. Internet Explorer (10)
- W3. Windows Libraries (16)
- W4. Microsoft Office and Outlook Express (3)
- W5. Windows Configuration Weaknesses (n/a)
- C1. Backup Software (23)
- C2. Anti-virus Software (24)
- C3. PHP-based Applications (3)
- C4. Database Software (22)
- C5. File Sharing Applications (6)
- C6. DNS Software (2)
- C7. Media Players (29)
- C8. Instant Messaging Applications (6)
- C9. Mozilla and Firefox Browsers (27)
- C10. Other Cross-platform Applications (30)
- U1. UNIX Configuration Weaknesses (n/a)
- U2. Mac OS X (15)
- N1. Cisco IOS and non-IOS Products (19)
- N2. Juniper, CheckPoint and Symantec Products (4)
- N3. Cisco Devices Configuration Weaknesses (n/a)
Needless to say, this is a lot more complete than a simple pair of very selective top 10 lists - and a lot more valuable too with a layout that lets the user move easily from analysis to action.
In my opinion if there was such a thing as an Internet "Most Improved" prize for 2005, the SANS Institute should be the easy winner - So, please, join with me in wishing the people behind this change a Merry Christmass and a Happy New Year.
And the FBI? the SANS Institute has embarrased them again - this time by growing up and moving on, while they're still fighting each other and everybody else in the homeland security business for control over technology directions and change.