CIOs and security executives are desperately playing catch-up with unauthorized users of IM and P2P clients, who are sharing music files and videos on company time, and with company resources.
The software, which individuals are downloading and installing from sites such as Download.com, is exposing enterprises to lawsuits from legitimate copyright holders, a cybersecurity expert said Friday. It's also baring desktops to hackers snooping for competitive secrets and other information, said the expert, Ross Patel, coordinator of the SANS Institute's 20 Most Critical Internet Security Vulnerabilities annual reference list.
IM and file-sharing are the list's headline entries. The SANS Top 20 also faults certain Web server and e-mail client configurations, and singles out Microsoft SQL Server and Windows authentication for special scrutiny.
The SANS Top 20 lists 10 Windows and 10 Unix vulnerabilities, including those associated with Simple Network Management Protocol (SNMP) and OpenSSL on Unix systems.
The list does not rank the threats according to their severity. Instead, the Top 20 is an experts' consensus of the most immediate vulnerabilities facing security executives, Patel said.
SANS formulated the list with input from security vendors, enterprise security executives, university researchers, cybersecurity experts at the U.S. Department of Homeland Security and the FBI, and agencies in the U.K. and Canada.
While MSSQL and Windows authentication are among the usual suspects to make the SANS Top 20 this year (it notes that user accounts often have weak or nonexistent passwords, for example), IM was new to the list.
Attack scenarios for IM vulnerabilities include file-transfer vulnerabilities and ActiveX exploits, the report said.
File-sharing applications, such as Kazaa, which last year made the list "by the skin of their teeth," are included this year "as a core concern, and by an almost unanimous decision," Patel said.
The SANS expert panel was concerned by the increased adoption of file-sharing software and security execs' lack of understanding of the P2P phenomenon, Patel said.
File-sharing applications, as well as IM direct file transfers "are not just eating up bandwidth, they are opening up an unsolicited communications stream into the network," Patel said.
The Top 20 recommends that security executives enforce company policies against downloading copyrighted material and monitor networks for P2P traffic and address violations.
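One way to act on that monitoring recommendation is to run flow or firewall logs past a table of the ports the P2P and IM clients of the day listen on by default. The script below is an added example, not part of the article or of the SANS list; the port-to-application map and the log lines are assumptions constructed for the demonstration, and the log format (protocol, source, source port, destination, destination port, bytes) is likewise assumed rather than taken from any real product.

```python
"""Flag P2P and IM traffic in simple flow logs by destination port.

Added example, not from the article. The port map below is an assumption
(well-known default ports for early-2000s clients); clients can be
reconfigured, so this catches default installs only.
"""
from collections import defaultdict

P2P_PORTS = {
    1214: "Kazaa/FastTrack",
    6346: "Gnutella",
    6347: "Gnutella",
    4662: "eDonkey",
    6881: "BitTorrent",
}
IM_PORTS = {
    5190: "AIM/ICQ",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "XMPP/Jabber",
}

# Constructed sample records (not real traffic):
# proto src_ip src_port dst_ip dst_port bytes
SAMPLE_LOG = """\
tcp 10.1.2.33 49152 198.51.100.7 1214 8811234
tcp 10.1.2.33 49153 198.51.100.9 1214 102456
tcp 10.1.2.41 49201 203.0.113.5 443 2048
tcp 10.1.2.58 49300 192.0.2.20 5190 5120
udp 10.1.2.41 49400 203.0.113.77 6346 77210
tcp 10.1.2.77 49500 203.0.113.8 80 10240
this line is malformed and must be skipped
"""


def parse_flows(text):
    """Yield (src_ip, dst_port, bytes) from whitespace-separated records.

    Malformed lines are skipped instead of aborting the whole run, which
    matters when the input is a multi-gigabyte export.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _proto, src_ip, _src_port, _dst_ip, dst_port, nbytes = parts
        try:
            yield src_ip, int(dst_port), int(nbytes)
        except ValueError:
            continue


def classify(dst_port):
    """Return ("p2p", app) or ("im", app) for a known port, else None."""
    if dst_port in P2P_PORTS:
        return "p2p", P2P_PORTS[dst_port]
    if dst_port in IM_PORTS:
        return "im", IM_PORTS[dst_port]
    return None


def summarize(text):
    """Aggregate flagged flows per (host, category, app).

    Returns rows of (src_ip, category, app, flow_count, total_bytes),
    largest byte total first, so the heaviest offender is at the top.
    """
    totals = defaultdict(lambda: [0, 0])  # key -> [flows, bytes]
    for src_ip, dst_port, nbytes in parse_flows(text):
        hit = classify(dst_port)
        if hit is None:
            continue
        key = (src_ip,) + hit
        totals[key][0] += 1
        totals[key][1] += nbytes
    rows = [key + tuple(counts) for key, counts in totals.items()]
    rows.sort(key=lambda row: row[4], reverse=True)
    return rows


if __name__ == "__main__":
    for host, category, app, flows, total in summarize(SAMPLE_LOG):
        print(f"{host:<12} {category:<4} {app:<16} flows={flows} bytes={total}")
```

Port matching is deliberately the simplest check and has an obvious blind spot: a client configured to talk on port 80 or 443 blends in with Web traffic. In practice this table is the first pass; the persistent hosts it surfaces are the ones to inspect more closely.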
Antivirus software updates should also be performed daily, the report said, to guard against infected files that may enter the network via P2P clients.
The SANS Top 20 recommends changing the default settings of most of the applications on its list, since those defaults leave networks vulnerable to hacker attacks.
While the SANS Top 20 can be a helpful framework for setting security policies, it takes day-to-day vigilance to fend off viruses and hacker attacks, said Neil Rickert, a professor of computer science and a Unix administrator at Northern Illinois University.
"Annual lists are useful for those who want to have a general understanding of the threats," said Rickert, who was among the experts who reviewed the 2003 SANS Top 20 before its publication last year.
"But for people in the field who want to stop attacks," he said, "you have to be constantly on top of things."