Top 10 system security threats are familiar foes

By William Jackson, GCN Staff

The top 10 threats to computer security have been around for years despite frequent software upgrades, a panel of 43 government and industry security experts said recently in Washington.

Unix vulnerabilities dating back a decade or more still account for a disproportionate number of system intrusions today, the panel said.

In 1996, for instance, hackers broke into the Justice Department's Web site and replaced the attorney general's photo with that of Adolf Hitler by exploiting a Common Gateway Interface vulnerability. CGI weaknesses are No. 2 on the top 10 list.

Other vulnerabilities range from technical flaws in the Berkeley Unix Internet Name Domain program, No. 1 on the list, through which intruders can get administrative access to domain name servers, to weak passwords, No. 8.

Everyone knows

The panel's recommended fixes for most of the vulnerabilities likewise are well-known: Use the most recent software releases, keep patches up to date, and shut down unneeded services and features.

The list grew out of an information security summit held by the White House in the wake of February's denial-of-service attacks against commercial Web sites.

Photo caption: Prioritize fixable weaknesses, SANS Institute's Alan Paller advises.

Alan Paller, director of research for the SANS Institute of Bethesda, Md., said one reason so many vulnerabilities go unplugged is that administrators are overwhelmed. They need to prioritize and attack the worst vulnerabilities first, he said.

The panel of 43 security experts included representatives of the National Security Agency and Defense Department.

John Gilligan, chief information officer at the Energy Department and co-chairman of the CIO Council's committee on security, privacy and critical infrastructure, said the top 10 list would go out to all federal CIOs. He said he recommends that the CIOs circulate it throughout their agencies and require administrators to report back to them on progress at blocking the 10 threats.

'Why is it that we continue to have these problems?' Gilligan asked. The distributed client-server environment that has replaced centralized mainframe computing does make management more difficult, he acknowledged, 'but this is not a technical issue. It is a cultural issue at root.'

At Energy sites, scientists tend to take the term personal computer literally, he said. 'Users view [PCs] as their personal resources. This culture is not only prevalent, it is strong.'

Besides educating users, administrators have to seek support from senior managers, who generally do not understand the problem. 'Their eyes glaze over' at discussions of security, Gilligan said. 'We lose the ability to get their support.'

To keep administrators informed about security risks, the CIO Council is establishing a CIO Security Network, Gilligan said. The network will use the Federal Computer Incident Response Capability as the clearinghouse for security alerts and information.

FedCIRC will distribute information to the CIOs, who will distribute it to their agencies.

Gilligan said the CIOs want to define FedCIRC's role more clearly as the national clearinghouse for information security.

The full top 10 list, with discussions about how to close the vulnerabilities, is on the SANS Web site, at www.sans.org.
