The SANS Institute released its 2007 Top 20 threats list today (They still call it the Top 20, even though there are only 18 items on this year’s list), and the main takeaway is pretty much the same as last year: The bad guys are preying on gullible users and flawed applications such as Web browsers and media players to break into company networks and steal sensitive data.
In the bigger picture, the SANS Institute said it has observed:
— Significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications.
— A continuing trend where users practice careless Web-browsing habits on work machines, increasing a company’s overall risk.
— Web application vulnerabilities in open source as well as custom-built applications that account for almost half the total number of vulnerabilities discovered in the past year.
— Default configurations for many operating systems and services continue to be weak and continue to include default passwords.
— Attackers are finding more creative ways to obtain sensitive data from organizations.
During a conference call with reporters this morning, SANS Research Director Alan Paller and Rohit Dhamankar, director of the SANS Top 20 project and senior security research manager at TippingPoint, said the main lesson this year is that companies need to have more vigorous URL blocking and further restrict what users are allowed to do on company computers.
Looking over the details, I’m reminded of the reaction to the 2006 SANS threat report, when some questioned whether it’s still useful to even have these reports when the takeaway doesn’t change much from one year to the next. And so I reached out to several IT security pros this morning for some reaction.
I invite you to weigh in via the comments section in this blog. For now, here are some comments sent to me by email:
Cris V. Ewell, chief security officer of Seattle-based PEMCO Corp.: “In general, the report represents only the technical aspect of security and deals with the vulnerabilities in the applications and OS. This is not new, and while important, I expect the security engineers to deal with these types of issues on an ongoing basis. We have multiple systems to do vulnerability/threat/intrusion checks monthly, and mitigate the issues long before the Top 20 is published. The report is a good reminder of best practices that should be used in the enterprise, but there is nothing new in the report that would force me to change established practices and goals we have set for the company.”
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif.: “What this gives is ammo to the administrator to lock down the browsing.”
Jeff Jarzabek, IT director for Oakbrook Terrace, Ill.-based Matocha Associates: “Do any of these specifically hit home at our company? No. Everything on the list except for the last 2 items is taken care of by educating your users. We have always told our users that if they suspect something is up, to notify a member of the IT staff. I think the SANS reports are now used mostly for raising awareness and as a reminder to some, myself included. I feel there is nothing new or shocking that most IT staffs shouldn’t already be doing considering the impact on the company if security is neglected.”
Gadi Evron, security architect for Afilias global registry services: “I believe this report reflects that indeed, client-side attacks are the danger most of us face today to our corporations being compromised, while agreeing that server-side attacks are once again on the rise by the use of web application vulnerabilities.”