The threat landscape painted in the latest SANS Top 20 may look a lot like it did last year and the year before, but IT professionals say it remains a relevant tool they can use to raise awareness and review whether existing security controls are adequate.
Even if security professionals are already well aware of what's in the SANS Top 20, "it is useful to point the trends out to others who may not be so aware, such as C-level personnel," said Brian Whitelaw, manager of information services for the City of London's Technology Services Division.
He was among 22 readers who wrote in after SearchSecurity.com's initial report noted that, after last year's list was released, some had questioned whether a SANS Top 20 was still worth doing.
Most said yes.
This year's report, released by the Bethesda, Md.-based SANS Institute last week, noted how the bad guys are preying on gullible users and flawed applications such as Web browsers and media players to break into company networks and steal sensitive data. In the bigger picture, the SANS Institute said it observed three trends: significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications; a continuing pattern of users practicing careless Web-browsing habits on work machines, which raises a company's overall risk; and Web application vulnerabilities, in open source as well as custom-built applications, that accounted for almost half the total number of vulnerabilities discovered in the past year.
Keith Fricke, data security administrator for the Cleveland Clinic in Ohio, wrote that he continues to find the list useful for several reasons.
"First," he wrote, "it is an authoritative enough source of information that I can share it with management when they ask what we benchmark against when we specify perimeter defense configurations and hardening specifications. Second, even if things aren't changing from year to year, that is still a trend worth knowing and good information to have. Third, when the top 20 does change, that is useful information as well because it may validate that protective measures in place are working for all those who take the list and do something with it."
If anything, the fact that the threats on the list haven't changed much in recent years indicates that the message isn't getting through, wrote David Kovarik, an IT and systems compliance director at Northwestern University. Therefore, he said, "To discontinue its publication would remove at least one component of security awareness that we find useful."
While no one suggests doing away with the SANS Top 20, some are skeptical that the masses will use it as intended.
John Kiser, CEO of Gray Hat Research Corp., wrote that organizations like SANS mean well. But he said the "harsh truth" is that a catastrophic event will probably occur before the masses are encouraged to take security seriously.
"SANS rightly identifies training, a much-needed service which they happen to supply pretty well, as core to the solution stack," Kiser added. "That said, training is only a component, just as the cyber threats identified only represent one dimension or facet of security."