SANS Institute releases a new Top 20 list of Internet vulnerabilities

SANS Institute releases a new Top 20 list of Internet vulnerabilities

America's war on terrorism will produce a cyber backlash, the State Department's CIO warned.

'When the attack starts, you're going to see some of these terrorist countries striking back from cyberspace,' said Fernando Burbano, who also is assistant secretary of State for IRM.

That is bad news for systems administrators already struggling against the recent onslaught of Internet worms, said Alan Paller, director of research at the SANS Institute in Bethesda, Md.

'The Internet is not ready to withstand a major attack,' Paller said at a news conference for the release of SANS' updated list of the most critical security vulnerabilities. The list, which expands last year's top 10 vulnerabilities to 20, accounts for the majority of successful hacker attacks, he said.

The list is a cooperative effort of industry and government security experts. The threats are in three categories: those affecting Microsoft Windows systems, Unix systems and all systems. Paller said none of last year's top 10 vulnerabilities have been retired. Details of the vulnerabilities can be found at the SANS Web site, at www.sans.org.

General:
  • Default installation of operating systems and applications

  • Weak passwords

  • Incomplete backup of data

  • Unneeded ports left open

  • Packets not filtered for correct incoming and outgoing addresses

  • Incomplete logging of network activity

  • Vulnerable Common Gateway Interface programs.


  • Windows:
  • Vulnerability in the Unicode Standard allowing Web servers to be hacked through a faulty URL

  • Internet Services Application Programming Interface buffer overflows

  • Internet Information Server Remote Data Services exploit

  • Unprotected networking shares

  • Null session connections

  • Weak default password protection in LAN Manager.


  • Unix:
  • Buffer overflow in remote procedure call services

  • Sendmail vulnerabilities

  • Berkley Internet Name Domain weaknesses

  • R command weakness for connecting to remote systems

  • Remote print control daemon

  • Sadmind and mountd buffer overflows

  • Default Simple Network Management Protocol settings.

  • About the Author

    William Jackson is a Maryland-based freelance writer.

    inside gcn

    • analytics (Wright Studio/Shutterstock.com)

      3 data strategies to help crackdown on internal corruption

    Reader Comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above

    More from 1105 Public Sector Media Group