FBI, SANS update list of systems vulnerabilities

The FBI's National Infrastructure Protection Center and the SANS Institute of Bethesda, Md., have updated their list of the top vulnerabilities for Windows and Unix systems, and announced that five companies have released tools to scan for them.

Sallie McDonald, the Federal Technology Service's assistant commissioner for information assurance and critical infrastructure protection, also said FTS expected to award a contract this week for a patch management service to help IT administrators keep systems up-to-date. The service will notify subscribing agencies of new vulnerabilities specific to their systems and what protective actions to take. Users also will be alerted when patches for the problems are available, but the service will not download patches automatically.

The contract will be awarded by the Federal Computer Incident Response Center, and the service will be free to subscribers.

Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, said the vulnerabilities list represents a consensus among experts in and out of government on the most commonly exploited weaknesses in computer systems. He said focusing on these problems is an effective way to close loopholes.

'People do use known vulnerabilities,' he said. 'Look at your systems the way an attacker would look at it.'

Last year's list was expanded from 10 to 20 vulnerabilities and was separated into categories for Microsoft Windows, Unix and general. This year's list is divided into only Windows and Unix. It has consolidated some entries from last year's list, removed others and added a few. The vulnerabilities usually are listed as services, each of which may contain a number of weaknesses.

New in this year's list are Microsoft's SQL Server, Internet Explorer and remote registry access for Windows platforms; and the Apache Web server, Secure Shell and File Transfer Protocol for Unix.

The overall list of top vulnerabilities for Windows:

1. Internet Information Services

2. Microsoft Data Access Components

3. SQL Server

4. NetBIOS: unprotected Windows networking shares

5. Anonymous logon: null sessions

6. Weak hashing in LAN manager authentication

7. Weak passwords for general Windows authentication

8. Internet Explorer

9. Remote registry access

10. Windows Scripting Host

For Unix:

1. Remote procedure calls

2. Apache Web Server

3. Secure Shell

4. SNMP

5. FTP

6. Trust relationships in remote services

7. Line printer daemon

8. Sendmail

9. BIND/DNS

10. Weak passwords for authentication

Many companies have developed tools or services that will scan for these vulnerabilities. Alan Paller, director of research for the SANS Institute, said the tools will be updated at least monthly for new problems with the vulnerable services.

Commercial scanners for top vulnerabilities are available from Foundstone Inc. of Mission Viejo, Calif., and Internet Security Systems Inc. of Atlanta. Open-source software scanners are available as free downloads from Advanced Research Corp. of Vienna, Va., at www-arc.com, and the Nessus Organization at www.nessus.org. Qualys Inc. of Redwood Shores, Calif., offers a free Web scanning service at sans20.qualys.com.

Details on the vulnerabilities are posted at www.sans.org/top20.

About the Author

William Jackson is a Maryland-based freelance writer.
