Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, November 27, 2007

Client, Application Flaws Top SANS Vulnerability List

There are two major problems with the security of computers: the people who use them and the people who write software for them. That’s the takeaway from this year’s Top 20 Vulnerabilities report issued earlier today by the SANS Institute, a leading security certification and training organization. While attacks are becoming more sophisticated, it is vulnerabilities on the client and application sides that present the greatest opportunities for attack, the report states.

“Vulnerabilities on the client side have exploded over the last year,” says Rohit Dhamankar, senior manager of security research at TippingPoint and project manager for the SANS study.

One of the most critical vulnerabilities to computer security is “gullible, busy, accommodating computer users—including executives, IT staff, and others with privileged access—who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage, and much more,” the report states.

The number three vulnerability on this year’s list is “critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets—and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations.”

Enterprises may not be able to solve these two problems entirely, but they can reduce the risk by limiting administrative privileges and restricting users’ ability to download and install applications, SANS says.

As it did last year, SANS put Microsoft Windows vulnerabilities among the most serious on the list, but it is home-grown applications that present the greatest threat, according to the report.

Posted on 11/27