ISS Lists Security Risks

Internet Security Systems Inc. last week unveiled its first Catastrophic Risk Index.

Internet Security Systems Inc. last week unveiled its first Catastrophic Risk Index, a compilation of the 31 most serious current vulnerabilities and attacks.

The index is designed to give administrators a constantly updated quick-reference list of the issues that should be their top priorities in protecting networks. Not surprisingly, all but two of the vulnerabilities on the list are some form of buffer overflow.

Buffer overflows are far and away the most common security vulnerabilities plaguing commercial and open-source software. They come in many shapes and sizes and can be found in almost any kind of application, but the result is almost always the same: an attacker gets access to a critical application or server.

To qualify for inclusion on the CRI, a vulnerability must meet several criteria: be pervasive enough to affect almost all organizations across all industries; be a serious threat to the confidentiality, integrity and availability of critical data; be a potential cause of catastrophic business-system failure; and be highly susceptible to virus and worm creation. About one-third of the vulnerabilities on the list are found in open-source software packages, including OpenSSL, Sendmail and Snort. The remainder are problems in commercial applications, with Microsoft Corp. having the most entries on the CRI. Of the 31 issues listed, 12 were found in Microsoft products. The other commercial vendors with more than one flaw on the list are Sun Microsystems Inc. and PeopleSoft Inc., which have two each.

The CRI was developed by X-Force, the research team at ISS, which is based in Atlanta. The team plans to update the list on a regular basis so that it continues to reflect the current set of the most dangerous known vulnerabilities.

ISS officials said the company developed the CRI as a way to take some of the pressure off customers, which are inundated with information about new vulnerabilities and attacks every day.

"Our security team identifies and tracks 200 to 300 new vulnerabilities and threats each month, which is an enormous load for companies to keep up with while also focusing on their core business," said Chris Rouland, vice president of X-Force.