Security hit list set to evolve

Group to offer free updates on top 20 common flaws

A new and improved list of the top 20 basic security vulnerabilities provides agencies with a good place to start plugging their security holes, but it should only be one piece of a larger security strategy, experts say.

The list, released Oct. 2, prioritizes the top vulnerabilities in the Unix and Microsoft Corp. Windows environments that lead to most successful attacks and intrusions, said Richard Clarke, chairman of the President's Critical Infrastructure Protection Board.

The list also provides descriptions of problems, the systems affected by the vulnerabilities, how to test if network systems are affected and how to protect them.

The list is a good first step for all organizations to follow, said John Pescatore, vice president of network security at Gartner Inc. "Checking for these top 20 should be a minimum requirement," he said. "This is one of the better checklists out there."

The top 20 list does not, however, cover all of the vulnerabilities and threats in the computer world, officials said. "We don't think this is exactly perfect, but we think it's pretty close to optimal," said Jeff Campione, head of the public/private-sector editorial team that developed the list.

The goal is to provide an easy, central way to fix the most basic problems, said Alan Paller, research director at the SANS Institute. Next, organizations can move on to more specific vulnerabilities within their own networks, he said.

Applications are the entry point for the most damaging attacks, in terms of money, productivity and information, Pescatore said. So while the top 20 vulnerabilities will help keep out the standard hackers, "when you look at targeted attacks, you have to look at securing the applications level," he said.

The SANS Institute, the FBI's National Infrastructure Protection Center, the Federal Computer Incident Response Center and the Critical Infrastructure Protection Board together announced the list to emphasize the importance of raising the basic level of security at all organizations.

Recognizing that threats and vulnerabilities are always changing, the group will refine the list and offer free updates, either weekly or monthly, called the Critical Vulnerability Analysis.

The updates will include information on new vulnerabilities, new potential exploits of old vulnerabilities and information on the availability of new code for exploiting systems.

The appearance of new exploit code is usually a sign that the number of attacks will increase because everyone has an easy way to take advantage of the vulnerabilities, said Vicki Irwin, head of the update team and engineering lead for the signature development team at TippingPoint Technologies Inc.

Before being issued to systems administrators, the updates will be examined by a board of anonymous representatives from 15 government and industry organizations. Input will include information on how those organizations dealt with new vulnerabilities and exploits in their systems.

All of this information will be critical to help organizations handle vulnerabilities and threats before software vendors make patches available. "This tells the systems administrators what really matters," Paller said.

With examples from 15 different organizations, every organization should find at least one approach that will help its own network, officials said.

However, there is a danger in revealing too much, Pescatore said. Also, despite standardization, every network configuration is different and every organization's needs are different, which will affect how vulnerabilities are dealt with, he said.
