Top 10 system security threats are familiar foes

Prioritize fixable weaknesses, SANS Institute's Alan Paller advises.

By William Jackson

GCN Staff

The top 10 threats to computer security have been around for years despite frequent software upgrades, a panel of 43 government and industry security experts said in Washington this month.

Unix vulnerabilities dating back a decade or more still account for a disproportionate number of system intrusions today, the panel said.

In 1996, for instance, hackers broke into the Justice Department's Web site and replaced the attorney general's photo with that of Adolf Hitler by exploiting a Common Gateway Interface vulnerability. CGI weaknesses are No. 2 on the top 10 list.

Other vulnerabilities range from highly technical flaws in the Berkeley Internet Name Domain (BIND) software, No. 1, through which intruders can get administrative access to domain name servers, to weak passwords, No. 8.

Everyone knows

The panel's recommended fixes for most of the vulnerabilities likewise are well-known: Use the most recent software releases, keep patches up to date, and shut down unneeded services and features.
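The third of those fixes, shutting down unneeded services, is the one an administrator can check mechanically. The script below is an added illustration, not code from the article or from SANS: it compares the TCP ports a host is listening on against an allowlist and flags anything else. The allowlist (SSH and HTTPS only) and the sample listener table, laid out like the output of `ss -ltn`, are constructed assumptions for offline use.

```shell
#!/bin/sh
# Added example (not from the article or SANS): flag listening TCP ports
# that are not on an explicit allowlist, so unneeded services stand out.

# Assumption: this host is only supposed to expose SSH and HTTPS.
ALLOWED_PORTS="22 443"

# Constructed sample in the layout printed by `ss -ltn`; the fourth column
# ("Local Address:Port") is the one that matters. Includes an IPv6 listener
# to show that the port is still taken from the last colon-separated field.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      5      0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# listening_ports: read listener lines on stdin, print each distinct port
# number once, numerically sorted. Header and non-LISTEN lines are skipped.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_ports: print every listening port absent from ALLOWED_PORTS.
# Returns 1 if any were found, so the check can gate a cron job or build.
unexpected_ports() {
    found=0
    for p in $(listening_ports); do
        case " $ALLOWED_PORTS " in
            *" $p "*) ;;                 # allowed, say nothing
            *) echo "$p"; found=1 ;;     # unexpected service, report it
        esac
    done
    return $found
}

# On a live host, replace the sample with:  ss -ltn | unexpected_ports
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_ports
fi
```

With the sample data the script reports ports 21 and 111 (FTP and the portmapper, two of the classic Unix exposures) and exits nonzero; a host that matches its allowlist exits zero and prints nothing. Each port it flags should either be added to the allowlist deliberately or have its service disabled.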

The list grew out of an information security summit held by the White House in the wake of February's denial-of-service attacks against commercial Web sites.

Alan Paller, director of research for the SANS Institute of Bethesda, Md., said a key reason so many vulnerabilities remain open is that administrators are overwhelmed. They need to prioritize and attack the worst vulnerabilities first, he said.

The panel of 43 security experts included representatives of the National Security Agency and Defense Department.

John Gilligan, chief information officer at the Energy Department and co-chairman of the CIO Council's committee on security, privacy and critical infrastructure, said the top 10 list would go out to all federal CIOs. He said he recommends that the CIOs circulate it throughout their agencies and require administrators to report back to them on progress at blocking the 10 threats.

'Why is it that we continue to have these problems?' Gilligan asked. The distributed client-server environment that has replaced centralized mainframe computing does make management more difficult, he acknowledged, 'but this is not a technical issue. It is a cultural issue at root.'

At Energy sites, scientists tend to take the term personal computer literally, he said. 'Users view [PCs] as their personal resources. This culture is not only prevalent, it is strong.'

Besides educating users, administrators have to seek support from senior managers, who generally do not understand the problem. 'Their eyes glaze over' at discussions of security, Gilligan said. 'We lose the ability to get their support.'

To keep administrators informed about security risks, the CIO Council is establishing a CIO Security Network, Gilligan said. The network will use the Federal Computer Incident Response Capability as the clearinghouse for security alerts and information.

FedCIRC will distribute information to the CIOs, who will distribute it to their agencies. Gilligan said the network will have a feedback loop through which those who receive information will report how they dealt with the alerts.

Gilligan said the CIOs want to define FedCIRC's role more clearly as the national clearinghouse for information security. The FBI's National Infrastructure Protection Center should focus exclusively on law enforcement, he said.

The full top 10 list, with detailed discussions about how to close the vulnerabilities, is on the SANS Web site, at
