DHS, allies seek to close the top 20 software holes

The Homeland Security Department today joined with its U.K. and Canadian counterparts to promote universal closing of the top 20 software vulnerabilities on the SANS Institute's annual list.

'We will only be successful through partnership,' said Sallie McDonald, DHS director of outreach for infrastructure protection, at the list's unveiling in Washington.

McDonald joined Steve Cummings, director of the U.K. National Infrastructure Security Coordination Centre, and the Canadian Office of Critical Infrastructure Protection and Emergency Preparedness in calling on governments to 'draw a line on the sand.'

Alan Paller, research director of SANS in Bethesda, Md., said there has been about 50 percent turnover in the top 20 list since last year.

One reason half the list remained the same, he said, is that 'less than 50 percent of sites actually patch their known vulnerabilities.'

On the current list, Microsoft Windows' top vulnerabilities were in the company's Internet Information Services, Data Access Components, SQL Server and Windows peer-to-peer file sharing software. 'They are very widely used and have multiple holes,' Paller said.

On the Unix and Linux list, 'the security systems are the ones with the holes,' he said. 'Most sysadmins don't know that.'

Paller recommended requiring vendors to keep systems free of those vulnerabilities. He said the Virginia Polytechnic Institute and State University in Blacksburg has altered 600 contracts to require vendors to certify their products as free of the top 20 vulnerabilities.

Asked whether any federal agencies require similar assurances, McDonald said, 'There are no requirements in the federal environment. It's an interesting idea.' The Office of Management and Budget would establish such requirements, she said.

Paller said that Sandia National Laboratories now requires that before delivering software, vendors must configure it in accordance with National Security Agency benchmarks.

'There has been a massive shift at Microsoft,' Paller said, 'mostly caused by NSA.' He cited automatic security patching of Windows XP and 2000, and Windows 2003's configuration to NSA's hardening guideline.

He also recommended what he called the Nancy Reagan rule: 'Just say no' to connecting a client if it doesn't meet minimum security standards.

A problem, Paller said, is that a lot of commercial software won't run in a hardened environment. 'That's the reason systems don't get patched.'

In mentioning another security threat, Paller said that some spyware can now capture words spoken in an office where a PC has a microphone.

SANS' annual list has been a joint effort of SANS and the FBI. Paller said the partnership couldn't continue this year because the FBI contingent that had helped develop the list was absorbed into DHS. But, he promised, 'We will recreate that relationship.'
