Friday, October 22, 2021

SANS Lists Top 20 Critical Vulnerabilities

Critical software vulnerabilities are increasingly being found not in operating systems but in applications and major databases.

The information comes out of a new quarterly report, the Top 20 Internet Security Vulnerabilities from the SANS Institute, a major source of security training and certification based in Bethesda, Md. Analysts from SANS had been releasing the report annually. This is the first of what will become quarterly releases, according to Alan Paller, director of research at the SANS Institute.

“Along with help from the FBI, the White House and the British government, we had done the Top 20 list annually since 2000,” says Paller. “We do it to give people a targeted list of vulnerabilities that really need to be corrected. Recently, we’ve been getting a lot of reports that people and their auditors have been using the Top 20 as a benchmark to make sure they’re closing the right vulnerabilities, and we decided that annually wasn’t frequent enough.”

And Paller says what he found most interesting about this first quarterly report is the number of bugs being found in applications.

“The most interesting thing about the list is the number of bugs that are not in operating systems, but are in databases, security products and storage products. That’s a major trend that started 18 months ago and it has accelerated. Virus writers used to attack just the operating system and now they’re attacking higher up.”

Products from Microsoft, Symantec and Computer Associates, as well as Apple’s iTunes, all made the SANS list. A SANS spokesperson notes that if the listed vulnerabilities go unpatched, companies face a ‘heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, industrial espionage or for distributing spam or pornography’.

“These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices,” says Paller. “We’re publishing this list as a red flag for individuals, as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected.”

Paller says he is disturbed by the number of vulnerabilities being found in security products.

“They need to do better,” he adds. “The problem with the risk in the security applications is that when an attack takes over a computer using an application, it gets the rights that the security application has, and security applications have very high rights. If you use a virus checker to take over the computer, you have more power than if you use a word processor.”
