Wednesday, November 15, 2006

On New "SANS Top-20"

So, the new "SANS Top-20 Internet Security Attack Targets" (what used to be called SANS top 20 critical Internet vulnerabilities) is out, and I again had the pleasure of contributing to it, just like I've done since 2003. The list looks much better than last year and, IMHO, does reflect "what to fear" pretty well... So, enjoy the list, briefly quoted below.
"Operating Systems
W1. Internet Explorer
W2. Windows Libraries
W3. Microsoft Office
W4. Windows Services
W5. Windows Configuration Weaknesses
M1. Mac OS X
U1. UNIX Configuration Weaknesses
Cross-Platform Applications
C1. Web Applications
C2. Database Software
C3. P2P File Sharing Applications
C4. Instant Messaging
C5. Media Players
C6. DNS Servers
C7. Backup Software
C8. Security, Enterprise, and Directory Management Servers
Network Devices
N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses
Security Policy and Personnel
H1. Excessive User Rights and Unauthorized Devices
H2. Users (Phishing/Spear Phishing)"
And then act to fix the problems listed, of course!

Dr Anton Chuvakin