List: isn
Subject: [ISN] SANS Top 20 Report - Deja Vu
From: InfoSec News <alerts () infosecnews ! org>
Date: 2006-11-28 9:31:15
Message-ID: Pine.LNX.4.61.0611280330570.4655 () conundrum ! infosecnews ! org
http://osvdb.org/blog/?p=148
November 24th, 2006
I previously blogged about the SANS Top 20 List in a pretty negative
fashion. The list started off as the "Top 10 Vulnerabilities" and
quickly expanded into the Top 20 Vulnerabilities. Even last year (2005),
they were still calling it a "Top 20 Vulnerabilities" list when it
clearly had become anything but that. This year, SANS finally wised up,
calling the list "SANS Top-20 Internet Security Attack Targets". Yes,
they are now listing the 20 most attacked "targets", not "exploited
vulnerabilities". With this change, does the list regain some of the
value it originally had and quickly lost? Let's look at the list:
Operating Systems
W1. Internet Explorer
W2. Windows Libraries
W3. Microsoft Office
W4. Windows Services
W5. Windows Configuration Weaknesses
M1. Mac OS X
U1. UNIX Configuration Weaknesses
Cross-Platform Applications
C1. Web Applications
C2. Database Software
C3. P2P File Sharing Applications
C4. Instant Messaging
C5. Media Players
C6. DNS Servers
C7. Backup Software
C8. Security, Enterprise, and Directory Management Servers
Network Devices
N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses
Security Policy and Personnel
H1. Excessive User Rights and Unauthorized Devices
H2. Users (Phishing/Spear Phishing)
Special Section
Z1. Zero Day Attacks and Prevention Strategies
So if you run Windows, Unix or MacOS .. and/or have Web Applications,
Database software, allow P2P file sharing, allow IM messaging, have
media players (installed by default on most OSs), run DNS servers, run
Backup Software, run Security/Enterprise/DM servers .. and/or use VoIP
servers/phones or "network and other devices".. and/or have weak policy
governing user rights or don't prohibit certain devices and you actually
have users.. you have at least one of the "Top 20 Attack Targets". Wow,
is that ever so helpful. Oh, I forgot, failing all of that, "Zero Day
Attacks" are a top 20 attack vector.
Hey SANS, could you make a more overly vague and general security list
next time? Maybe for 2007 you could shorten it from the "Top 20" to the
"Top 1" and just list "C1: Have a computer type device". That would save
your analysts a lot of time and be just as helpful to the masses.
Seriously, ditch the list or go back to the basics.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn