Since 2000, The SANS (SysAdmin, Audit, Network, Security) Institute has maintained a list of what it considers to be the vulnerabilities that administrators should be most aware of. The list can be looked at as a summary of concerns to address if you don't have time to immediately address all known vulnerabilities in the universe. The reason you might use the Top 20 List as your short list is that typically the most critical vulnerabilities are the ones used by intruders to launch attacks--which often turn out to be widespread.

This week, SANS published the annual version of its SANS Top 20 Most Critical Internet Vulnerabilities list. The list is divided into sections that cover problems related to Windows platforms, Unix platforms, cross-platform products, and networking products. According to Rohit Dhamankar, project manager for the SANS Top 20 (and lead security architect at 3Com division TippingPoint), "Vulnerabilities on this list meet four requirements: (1) they affect a large number of users, (2) they have not been patched on a substantial number of systems, (3) they allow computers to \[be\] controlled by a remote, unauthorized user, (4) sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them."

If you look at the report, you might think "Top 20" is a bit of a misnomer. The report has 20 categories of vulnerabilities, and in any given category, you might find 10 or more individual vulnerabilities. Thus, the Top 20 report includes dozens upon dozens of critical vulnerabilities. For example, vulnerabilities in the PHP scripting language might expand into countless application vulnerabilities. In another example, peer-to-peer (P2P) file-sharing software is cited as a vulnerability. How many different types of P2P software are there these days? I lost count some time ago.

You're probably getting the picture: The report isn't exactly a guide to quickly fixing the top 20 vulnerability problems. That said, it does reveal some of the major vulnerability trends of this year.

SANS says that in the past, the majority of attacks targeted Windows, UNIX (I assume they include Linux in the UNIX category), Web services, email services, and similar Internet services. However, this year, a different trend has emerged. According to SANS, more attacks this year have been aimed at critical core services, such as backup applications, antivirus software, and "other security tools." Another trend pointed out in the report "is public recognition of the critical vulnerabilities that are found in network devices such as routers and switches that form the backbone of the Internet."

As for Windows platforms, the report points out 11 critical vulnerabilities in system services, 10 in Microsoft Internet Explorer (IE), 11 in various system libraries, 3 in Microsoft Office and Outlook Express, as well as the risk of using weak password schemes in the OS and related services, such as SQL Server. That's at least 32 vulnerabilities plus an entire password infrastructure to address.

Hopefully, you've addressed all these problems as they've become known to the public over the past year. If not, the quickest way to find out if you're vulnerable to most of the items in the report is of course to use a decent vulnerability scanner. Be sure to check the report (first URL below) to determine whether it mentions vulnerabilities that you haven't addressed that might affect your network. You can also check out our news story on the SANS Top 20 list on our Web site (second URL below).

http://www.sans.org/top20/

http://www.windowsitpro.com/Article/ArticleID/48526/48526.html