Thursday, December 20, 2007

SANS Top20 in 2007: What's The Verdict?

SANS Top20 for 2007 was out for a while and it already gathered a lot of interesting responses. See some comments here, here ("sans top 20 has lost its flavor"?)

So, did we do a good job this year? Can we? Has the job become impossible? How can we make it better next year? Should we continue doing it? Or is "everything" really the answer? (as in SANS Top1 Risk "Everything!")

1 comment:

Unknown said...

You know, those are good questions. I hesitated in putting my thoughts about the top 20 up only because I really had no useful constructive suggestions on how to fix it.

The biggest thing(s) I don't like:
1) Not very actionable...but then again, what is actionable? Were previous ones actionable? Sure, and so are today's, but they're just not focused on, say, one app or one vulnerability. These days common practices would make a listing of exact vulns pretty moot as we'd have all patched already.

2) Way too all-inclusive. Maybe this is the real problem. Rather than a top 20, it turned into "here's everything you'll ever worry about in a digital security world, and we'll slice them into 20 categories." Whole books can and have been made about various single items or groups of items in that list, which really takes away from the "Top" part of the Top 20.

I would like to see more exacting issues, things especially pertinent or new to 2007. Storm worm shouldn't be a footnote in one section (P2P), but rather an amazingly important issue. It breeds two needs. First, how do you protect against a botnet being leveled against you? Second, how do you detect/prevent your own people's PCs from participating? And as an offshoot, can user education extend outside the office and into user homes to help reduce the number of home-based bot casualties? These can be actionable, are relevent directly to 2007 (and maybe beyond and prior), and not so general. As it is, you may as well brand that report 2008, 2009, 2010 right this list won't change (barring new technologies).

Of course, that doesn't address how some people may be using the Top 20 list. Are people using it as the de facto To Do List for their security department? If so, is it wise to be so narrow and ignore the other Lesser 20 (+) risks?

And what about real categories that make sense, like vulns in various AV products? Were any single ones more prevalent than others? Maybe, but should the Top 20 include Symantec but avoid McAfee/Avast/etc? That could be just as bad as people saying, "ooo Symantec bad, we're going with XYZ because they're not in the top 20!" Blech!

Dr Anton Chuvakin