Teaming up against cyberthreats

A new list of the top vulnerabilities in the Windows and Unix environments includes public/private help

A new list of the top 20 computer security vulnerabilities comes with a little help this year, as the public and private sectors have teamed up to close the holes that cause the most problems.

The SANS Institute, the National Infrastructure Protection Center, the Federal Computer Incident Response Center and the head of the President's Critical Infrastructure Protection Board came together Oct. 2 to announce a new list of the top vulnerabilities in the Unix and Microsoft Corp. Windows environments. SANS and the NIPC released the first list last year.

Recognizing that threats and vulnerabilities are always changing in the information security world, the group is offering a free periodic update of that list, called the Critical Vulnerability Analysis.

The weekly-to-monthly update will include information on new vulnerabilities, new exploits for old vulnerabilities and the availability of new exploit code, which is usually the sign that attacks will increase because everyone has an easy way to take advantage of the vulnerabilities, said Vicki Irwin, head of the analysis team and engineering lead for the signature development team at TippingPoint Technologies Inc.

The Critical Vulnerability Analysis will not be a standard list like those sent by many organizations to warn of new vulnerabilities, said Alan Paller, director of research at SANS. Before being sent to systems administrators, the update will be examined by a board of representatives from 15 large, anonymous government and industry organizations. Those organizations will include information on how they dealt with the new vulnerabilities and exploits within their own networks.

This information will be key to help organizations handle vulnerabilities and threats before patches are developed and made available by software vendors. "This tells the systems administrators what really matters," Paller said.

In conjunction with the announcement of the list, five private-sector security vendors and groups announced new tools that are specifically aimed at detecting and handling the top 20 vulnerabilities until patches can be developed and applied.

These include a free Web-based scanning tool from Qualys Inc., new components for the enterprise solutions from Internet Security Systems Inc. and Foundstone Inc., and open-source solutions from the Nessus Organization and Advanced Research Corp.

The top 20 list does not cover all the vulnerabilities and threats in the computer world, officials said. "We don't think this is exactly perfect, but we think it's pretty close to optimal," said Jeff Campione, head of the public/private editorial team that worked on the list.

The point is to provide an easy, central way for the most basic problems to be fixed — problems that are the reason for most successful attacks and intrusions, Paller said. Once people have a good handle on this group of problems, they can move on to more specific vulnerabilities within their own networks, he said.
