
SANS Top 20 released, but is it still useful?

The SANS Institute released its 2007 Top 20 threats list today (it is still called the Top 20, even though this year’s list has only 18 items), and the main takeaway is pretty much the same as last year: the bad guys are preying on gullible users and on flawed client applications such as Web browsers and media players to break into company networks and steal sensitive data.

In the bigger picture, the SANS Institute said it has observed:

— Significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications.

— A continuing trend where users practice careless Web-browsing habits on work machines, increasing a company’s overall risk.

— Web application vulnerabilities, in open source as well as custom-built applications, accounting for almost half the total number of vulnerabilities discovered in the past year.

— Default configurations for many operating systems and services remain weak and still ship with default passwords.

— Attackers are finding more creative ways to obtain sensitive data from organizations.

During a conference call with reporters this morning, SANS Research Director Alan Paller and Rohit Dhamankar, director of the SANS Top 20 project and senior security research manager at TippingPoint, said the main lesson this year is that companies need to have more vigorous URL blocking and further restrict what users are allowed to do on company computers.

Looking over the details, I’m reminded of the reaction to the 2006 SANS threat report, when some questioned whether it’s still useful to even have these reports when the takeaway doesn’t change much from one year to the next. And so I reached out to several IT security pros this morning for some reaction.

I invite you to weigh in via the comments section in this blog. For now, here are some comments sent to me by email:

Cris V. Ewell, chief security officer of Seattle-based PEMCO Corp.: “In general, the report represents only the technical aspect of security and deals with the vulnerabilities in the applications and OS. This is not new, and while important, I expect the security engineers to deal with these types of issues on an ongoing basis. We have multiple systems to do vulnerability/threat/intrusion checks monthly, and mitigate the issues long before the Top 20 is published. The report is a good reminder of best practices that should be used in the enterprise, but there is nothing new in the report that would force me to change established practices and goals we have set for the company.”

Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif.: “What this gives is ammo to the administrator to lock down the browsing.”

Jeff Jarzabek, IT director for Oakbrook Terrace, Ill.-based Matocha Associates: “Do any of these specifically hit home at our company? No. Everything on the list except for the last 2 items is taken care of by educating your users. We have always told our users that if they suspect something is up, to notify a member of the IT staff. I think the SANS reports are now used mostly for raising awareness and as a reminder to some, myself included. I feel there is nothing new or shocking that most IT staffs shouldn’t already be doing considering the impact on the company if security is neglected.”

Gadi Evron, security architect for Afilias global registry services: “I believe this report reflects that indeed, client-side attacks are the danger most of us face today to our corporations being compromised, while agreeing that server-side attacks are once again on the rise by the use of web application vulnerabilities.”


I think that it is beneficial to make note of top security threats such as Web vulnerabilities and unencrypted/lost laptops and removable devices. The problem is: This is not really new. The results from reports such as this annual one should be used to broaden the discussion and focus on newer, more proactive security practices that will combat these threats rather than just reporting on the threats themselves – we’re aware they exist, but more importantly, how can we stop them?
Whether the count is 18 or some other number, SANS has earned and continues to enhance its reputation for contributions to information security. Thoughtful users, managers and owners are well advised to examine each item on the list, consider the extents to which they are exposed and resulting risk levels and undertake -- or continue to pursue -- appropriate action. If any enterprise determines it is adequately protected from the SANS Top 20 or has implemented cost-effective measures to compensate for expectable losses, congratulations...and best wishes in addressing its own prioritized threat list.
The SANS Top Twenty is like any other security list that is being published today. The average CIO has become immune to the myriad of security threat listings. The only thing that seems to get the attention of CIOs is when a major incident is published.
If the threat landscape hasn't changed significantly, they can only report on what are still the major vectors. That speaks as much to how little headway we are making in certain areas as anything else. The biggest issue I see is that client-side attacks are ramping up at an unbelievable rate, and user education and/or controls on the client side aren't happening. A thirty-minute class once a year isn't going to change the mindset of the typical "that looks interesting, I'll click on it" corporate user.
The SANS list is a valuable tool for me. Even if it hasn't changed much during the last few issues, the list reflects the current vulnerabilities. I have used this list to empower my arguments with management for budget dollars in areas such as end-user awareness and security training. I have also used it to argue effectively for some needed policy changes.
Keep in mind that the SANS Top 20 is supposed to be "20" items that account for 80% of successful attacks; i.e., the low-hanging fruit. The real benefit of the Top 20 is that most vulnerability scanners, as well as a number of SIEMs and configuration management consoles, support and test for the SANS Top 20, since it has been around for so long. With apologies to Richard Clarke, if you don't fix the Top 20 vulnerabilities you will be hacked and, what's more, you deserve to be hacked.
This has nothing to do with helping the security industry. It is a way for SANS to make a whole lot of money off of TippingPoint, and it is a way for TippingPoint to get leads to sell product. Please note that SANS does very little in giving free or useful information back to the community, and the prices for their classes are outrageously expensive, to the profit of Paller, who owns this FOR PROFIT company. Do not let the .org fool you!