The hundreds of new vulnerabilities discovered each month could leave system administrators' heads spinning, but a new list by Internet Security Systems Inc. will offer some guidance on the issue.
Dubbed the Catastrophic Risk Index (CRI), the list includes 31 exploitable vulnerabilities that companies should focus on. The number of items on the list can increase or decrease over time as threats develop. "With 200 or 300 new vulnerabilities coming out a month, it's hard to know where even to start to fix them," said Chris Rouland, vice president of ISS' X-Force.
Of the 31 flaws on the CRI, 29 are buffer overflows. About 58% of the vulnerabilities are found in commercial software compared with 19% in open-source applications. The flaws are found in a variety of software including Web servers, enterprise resource planning (ERP) applications and database servers. For example, the buffer overflow in the Sendmail address parser made the list. So did the Windows 2000/XP PPTP packet buffer overflow.
The list, which will be updated quarterly, is available to the public on the ISS Web site.
Rouland doesn't see the CRI as a competitor to other security vulnerability lists, such as the SANS/FBI Top 20 Internet Security Vulnerabilities List. In fact, items from that list are included in the CRI, he said.
"We felt companies needed a way to quickly access risks that could be catastrophic to their organizations," Rouland said. The SANS/FBI list tends to focus more on general technologies, such as Microsoft's Internet Information Services, and on policy issues, such as the enforcement of rules about appropriate password length.
"Our index lays off discrete items to fix," Rouland said. "In other words, it offers the [security] practitioner a menu of remotely exploitable vulnerabilities to address."
All 31 items on the CRI are remotely exploitable flaws. Lesser vulnerabilities that could allow denial-of-service attacks are not included. All vulnerabilities on the list have exploit code associated with them. ISS gauges whether to put a flaw on the list by looking at how much it's being exploited. In other words, a flaw that looks really bad in the lab but which isn't being exploited in the wild probably wouldn't be on the list, Rouland said.
The market penetration of an application or platform also influences whether a vulnerability appears on the list. Generally, a flaw that occurs in less popular software, even if it were very severe, probably wouldn't make the list. "The hackers think the same way. They go after the software with a lot of market penetration," Rouland said.
FOR MORE INFORMATION:
FEEDBACK: Are lists like this one helpful to system and network administrators?
Send your feedback to the SearchSecurity.com news team.