
Head off security holes

It used to be pretty tough to find out your security vulnerabilities, but that's changed. The prestigious SANS Institute in Bethesda, Maryland, working with the FBI, has developed a top 20 list of common vulnerabilities that leave Internet sites open to attacks.
Written by Wayne Rash, Contributor
For each entry, the list describes the vulnerability, the recommended fix, and the products managers can use to plug the hole or to verify that it has actually been fixed.

The list starts with the most general problems and moves on to those specific to particular operating systems or Web server software. According to SANS director of research Alan Paller, "the list is meant to cover the vast majority of programs that are automatically running around the Internet trying to grab machines." Paller says that attackers take over machines they do not own and program them to scan the whole Internet for vulnerable servers, so that the servers they find can be used in later attacks.

What Paller and the FBI found is that some problems are far more widespread than others. "This year it's Microsoft IIS," Paller says, "because it's so widespread and so easy to break into." Compounding the problem, many IIS installations are unknown to the companies that run them. Unfortunately for security managers, an installation of Windows NT, Windows 2000, or Windows XP can also set up a fully functional Web server at the time the operating system is installed, depending on the options selected. Because nothing draws attention to it, many managers never learn it exists. Unless they explicitly disable or remove it, the forgotten IIS instance keeps running in the background, unpatched and unmonitored, and gives an attacker a way into the computer it runs on.

This is not to suggest that Microsoft operating systems are alone in being vulnerable. Plenty of Unix and Linux servers also ship with a back door that is frequently left unlocked: the sample scripts installed to give Web server managers a starting point for writing their own. These samples were never intended to be exposed to the Internet and so have no security built in. Worse, some are so poorly written that simply executing them reopens holes the manager thought were plugged.
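Both of the preceding problems, an IIS instance nobody knows about and sample scripts left on a Unix server, are found the same way: by probing every host for a Web server, reading its Server banner, and checking whether the well-known sample paths still answer. The following probe is an added example, not code from the article or from SANS. It speaks HTTP/1.0 over a raw socket so it works against very old servers, and to keep it runnable offline it starts a small fake server on localhost whose "Microsoft-IIS/5.0" banner and single live sample path are constructed for the demo. The sample-path list is an assumption: /cgi-bin/printenv and /cgi-bin/test-cgi shipped with Apache 1.3 and /iissamples/ with IIS 4 and 5, but a real sweep should use the paths from the current SANS list.

```python
"""Inventory probe for unregistered Web servers and leftover sample scripts.
Added example; not the article's or SANS's own tooling."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: illustrative sample-script paths, not an authoritative list.
SAMPLE_PATHS = ["/cgi-bin/printenv", "/cgi-bin/test-cgi", "/iissamples/"]


def parse_response_head(data):
    """Parse the status line and Server header out of a raw HTTP response.
    Returns (status, server) or None if the bytes are not an HTTP response."""
    head = data.partition(b"\r\n\r\n")[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    server = ""
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "server":
            server = value.strip()
            break
    return int(parts[1]), server


def _request(host, port, method, path, timeout=2.0):
    """Send one HTTP/1.0 request and return parse_response_head() of the reply,
    or None if nothing on that port speaks HTTP."""
    req = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_response_head(data)


def probe_server(host, port):
    """HEAD / to learn whether a Web server answers and what it calls itself."""
    return _request(host, port, "HEAD", "/")


def find_sample_scripts(host, port, paths=SAMPLE_PATHS):
    """Return the sample paths the server still serves (HTTP 200)."""
    hits = []
    for path in paths:
        reply = _request(host, port, "GET", path)
        if reply and reply[0] == 200:
            hits.append(path)
    return hits


def inventory(targets, known):
    """targets: iterable of (host, port); known: set of (host, port) already in
    the asset register. Every responding server is reported; unregistered ones
    are the 'Web server nobody knew about' case from the article."""
    findings = []
    for host, port in targets:
        reply = probe_server(host, port)
        if reply is None:
            continue
        status, server = reply
        findings.append({"host": host, "port": port, "status": status,
                         "server": server, "registered": (host, port) in known,
                         "sample_scripts": find_sample_scripts(host, port)})
    return findings


class _FakeIIS(BaseHTTPRequestHandler):
    """Constructed stand-in for a forgotten IIS box with one sample script left."""
    server_version = "Microsoft-IIS/5.0"   # constructed banner for the demo
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        self.send_response(200 if self.path == "/cgi-bin/printenv" else 404)
        self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_server():
    """Start the demo server on a free localhost port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeIIS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Sweep the demo server with an empty asset register and return findings."""
    srv, port = start_fake_server()
    try:
        return inventory([("127.0.0.1", port)], known=set())
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Against a real network, replace the demo with a list of every host and the usual Web ports (80, 443, 8080) and feed `inventory()` the set of servers the asset register says exist; anything that answers but is not registered is exactly the unnoticed IIS case, and a non-empty `sample_scripts` list is the unlocked Unix back door.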

Fortunately, most of the major vulnerabilities are easy to fix, and they stay fixed as long as managers keep on top of the problem. Unfortunately, that is easier said than done, because manufacturers and operating system distributors are doing little to help. Paller argues that Microsoft could have shipped updates for earlier versions of Windows that would have improved security, but did not, and that Unix and Linux installers could have been changed to stop installing sample scripts. As it stands, users have to know that these problems exist before they can fix them.

And that, of course, is the reason for the SANS Top 20 list of vulnerabilities. According to Paller, the list will be updated constantly: improved ways of handling known problems will be posted as soon as they are found, and new problems will be added as they turn up. "We had about 20 updates in the first eight days," Paller says, noting that SANS has a number of strong candidates waiting to be added.

The list was worked out with the help of the FBI and with data gathered from around the world. "We have firewalls in 60 countries that feed us data every day," Paller says. "We search for worms, we keep finding them, and then the FBI catches the people who create them." Besides feeding the Top 20 list, that data goes to the Internet Storm Center at www.incidents.org or www.dshield.org.

Recent events have prompted IT managers to ask for more, and security consultants are also finding the Top 20 list useful. "It's a good starting point for getting security managers and others aware of the vulnerabilities out there," says Roosevelt Giles, president of Information Management Systems, Inc. in Atlanta.

Giles notes that, as good as the list is, it is not the whole answer to Internet security. First, IT managers must stay current on the risks, vulnerabilities, and threats they face. Second, they need to plug the biggest security hole of all: their user community. Users need training so that they do not inadvertently defeat security measures and do not invite problems into the company network. "Passwords shouldn't appear in the dictionary," Giles says, giving one example. "People shouldn't open attachments from people they don't know," he adds, pointing to another problem training could solve.

Still, he agrees that managers need to know where to start if they plan to defeat the threats on today's Internet, and the SANS Top 20 is important for that reason alone. Both Giles and Paller say that more needs to be done, most notably fixing problems before they ever reach end users. Paller says the best way to do that is to join the Center for Internet Security, which gives users a channel for telling manufacturers what is really needed.

Managers appear to agree. Roy Sutton, chief engineer and CEO of Data Net Corporation in Fort Lauderdale, says the SANS Top 20 matters because it makes managers aware of vulnerabilities they might otherwise not know their companies face. "The number one problem of default installations illustrates this," he says, pointing out that people would not accept the defaults if they knew the risks.

Sutton also agrees with Giles that there's more to security than what appears on the list. "The biggest security vulnerability of a network is the people that use it," says Sutton. "Even if you implement all the features here, if you have somebody who downloads a virus and runs it on your network, he can take it out. Training is the number one security concern."

Paller says that most of the problems currently on the Top 20 list could have been fixed before they reached the field. He also believes that, because of the list, most of them will eventually be fixed by IT managers. But the list will always gain new items as new threats emerge, so it is important to keep checking it.
