Standbys like Microsoft's Internet Information Services (IIS) Web server software and the Unix-based Secure Shell protocol (SSH), along with newcomers like peer-to-peer file sharing and OpenSSL, have been included in this year's list of the top 20 Internet security vulnerabilities, released Wednesday by the SANS Institute.
The list, broken up into the top 10 Windows and top 10 Unix vulnerabilities, is intended to help systems administrators navigate the sea of vulnerabilities they face on a daily basis.
Recently, some vendors have created their own vulnerability lists that try to mirror the threat landscape. The SANS list is a little different because it doesn't focus on specific flaws or worms. Instead, the list looks at services, applications and practices that can leave a company vulnerable. Its authors have also compiled a detailed analysis of how vulnerabilities affect each service.
"The list can be used as a benchmark to measure one's security against," said Gerhard Eschelbeck, vice president of engineering at Qualys Inc., a Redwood Shores, Calif.-based firm that offers a scanning tool for finding vulnerabilities. "There are 20 classes of vulnerabilities in the SANS list, which represent over 300 specific vulnerabilities," he said.
There are plenty of new vulnerabilities on the list, including Outlook and Outlook Express, in addition to Windows peer-to-peer file sharing and OpenSSL.
Peer-to-peer sharing can open up companies to a host of legal and security issues. During the last year, there have been several vulnerabilities found in OpenSSL, including a couple earlier this month.
Also included were Windows Remote Access Services, which include the flaws in Remote Procedure Calls (RPC) that spawned the Blaster and Nachi worms this summer. RPC was also highlighted on the Unix list, as were Sendmail, the BIND Domain Name System and the Apache Web server.
Top Vulnerabilities to Windows Systems
1. Internet Information Services (IIS)
2. Microsoft SQL Server (MSSQL)
3. Windows authentication
4. Internet Explorer (IE)
5. Windows Remote Access Services
6. Microsoft Data Access Components (MDAC)
7. Windows Scripting Host (WSH)
8. Microsoft Outlook/Outlook Express
9. Windows peer-to-peer file sharing (P2P)
10. Simple Network Management Protocol (SNMP)
Top Vulnerabilities to Unix Systems
1. BIND Domain Name System
2. Remote Procedure Calls (RPC)
3. Apache Web Server
4. General Unix authentication: accounts with no passwords or weak passwords
5. Clear Text Services
6. Sendmail
7. Simple Network Management Protocol (SNMP)
8. Secure Shell (SSH)
9. Misconfiguration of enterprise services NIS/NFS
10. Open Secure Sockets Layer (SSL)