Feds, SANS Unveil Top 20 Vulnerabilities

The list includes 10 programs in Unix systems and 10 in Windows systems.

The General Services Administration today unveiled a flurry of Internet security related announcements, including an updated list of the top 20 vulnerabilities as compiled by the FBI and the SANS Institute.

The list includes 10 programs in Unix systems, including Apache Web Server, Secure Shell and File Transfer Protocol; and 10 programs in Windows systems, including Microsoft SQL Server, Internet Explorer and Remote Registry Access. Absent are several vulnerabilities that made the list last year but are no longer prevalent.

"This year, theres nothing that you should not be able to test," Alan Paller, director of research at SANS, said upon revealing the top 20 vulnerabilities at the GSA in Washington.

In conjunction with the advisories, several IT security vendors announced product upgrades that will target the identified weaknesses. Internet Security Systems, for one, launched a new policy component for its Internet Scanner to allow users to tailor security posture based on the top 20 vulnerabilities. ISS Internet Scanner application monitors systems for weaknesses that affect communication services, operating systems, routers, e-mail and Web servers, firewalls, and applications.

Qualys Inc. and Foundstone Inc. also released new scanning services and products today. In addition, the Nessus Organization and Advanced Research Corp. announced open-source products to cover the newly identified weaknesses.

To help federal agencies identify and eliminate the top 20 weaknesses, the GSA is setting up a task force to draft specifications for contracting with security vendors via the federal SafeGuard program. A recent effort to reduce attacks at NASA is serving as a model for other agencies. NASAs 10 centers worked together to identify the most exploited weaknesses and then used ISS scanning tools across 80,000 systems. Today, approximately one in 200 attacks penetrates NASAs systems, down from approximately one in 10 when the initiative began in early 2000, Paller said.

The GSA is also providing a patch service to federal users, notifying them by e-mail when a new vulnerability is identified on a system. The service, funded by the Federal Computer Incident Response Center, describes steps that can be taken to protect the network while a patch is being developed, and it issues a notice when the patch is available, according to Sallie McDonald, assistant commissioner for Information Assurance & Critical Infrastructure Protection at the GSA.

Richard Clarke, special adviser to the president for cyber-space, issued a particularly stern caution today against publicizing program weaknesses before patches are developed. "It is irresponsible when you find a vulnerability to tell everyone in the world about it. It is the height of irresponsibility," he said. "Tell the right people and keep it secret until a patch can be distributed."

If you discover a vulnerability, you should notify FedCIRC or the FBIs National Infrastructure Protection Center, and if they dont help, you should call Clarke himself, the cyber-czar said. "If I call the vendor, I think well get attention," he added.

To make all computer users aware of newly identified weaknesses, SANS is providing a weekly e-mail alert, called Critical Vulnerability Analysis. The update describes 30 to 50 vulnerabilities discovered during the preceding week that require action. It also describes the extent of potential damage, how the vulnerability is exploited and how it can be remedied.

The cyber-security announcements stem from a collaborative effort among the National Institute of Standards and Technology and the Presidents Critical Infrastructure Protection Board in addition to the GSA, SANS and the NIPC.

Related Stories:

  • Special Report: Bushs Cyber-Security Plan
  • PC Magazines Security Watch
  • Open Source: A False Sense of Security?
  • eWeek Labs: Open Source Quicker at Fixing Flaws