For the past four years the SANS Institute has partnered
with the FBI’s National Infrastructure Protection Center to compile and publish
its list of the most commonly exploited IT security vulnerabilities. This list
is regularly updated and revised. Earlier, I
examined the latest Windows threats from the list. Now I’ll cover the top 10
It’s important to recall that, unlike the ever-growing list
of new exploits found in operating systems and applications, the SANS-FBI list
prioritizes them according to the actual number of attacks seen by the
top Linux/UNIX threat continues to be the Internet’s most popular DNS
server software, BIND (Berkeley Internet Name Domain). Buffer overruns and
cache poisoning are common attack vectors, and the various exploits mainly
succeed because administrators fail to upgrade BIND to more secure
versions or are running the BIND daemon (“named”) unnecessarily—it
should not be enabled except on specified DNS servers. The BIND team is
quick to patch vulnerabilities so it’s the responsibility of
administrators to keep up with the patches if they choose to run BIND.
on the list is the generic Linux/UNIX Web server, which includes Apache
and other servers. Threat management mostly consists of updating to fix
newly discovered vulnerabilities. SANS recommends the use of open source
vulnerability scanners such as Nessus
or SARA to assist in security management.
You can also harden a Web server by removing all unused features and
software since this reduces the number of potential new vulnerabilities.
third-rated vulnerability is the password (and other authentication
methods). Weak user passwords, especially weak administrator-level
passwords, continue to plague the security of Linux/UNIX systems. Be
especially careful to identify and remove any default user accounts and
are version-control systems, specifically the most popular, Concurrent
Versions System (CVS) and Subversion, which have known vulnerabilities and
have anonymous access to online databases. The best defense is proper
configuration and frequent patching/updates.
services are the fifth most common attack vectors. Sendmail is still the
most widely used mail transport agent (MTA) on Linux/UNIX, and it has a
number of vulnerabilities. Qmail, Courier, Exim and Postfix are newer
alternatives with their own vulnerabilities. Frequent patching and proper
configuration are the best defense. One of the big problems is that
Sendmail is very complex, so simpler MTAs were created, while add-ons were
quickly developed and added to provide the functionality of Sendmail.
Since these are third-party enhancements, it is very difficult to track
new vulnerabilities in all of these add-ons.
should come as no surprise that a remote network management tool poses
considerable risks to networks, and SNMP, which is usually enabled by
default, comes in as the sixth most commonly exploited weakness. Disable
SNMP if possible; otherwise run SNMPv3 and make certain you keep SNMP 1
and 2 patched if you are forced to use those.
vulnerabilities in the OpenSSL encryption tool library makes this number
seven on the list. The best defense is a properly configured firewall and
a periodically patched version of SSL.
NIS and NSF Servers that haven’t been configured properly are the next
biggest threat. Patch, disable any unnecessary daemons, and beef up your
firewall to protect against this, the number eight threat.
are designed to be accessed but vulnerabilities can sometimes let remote
attackers exploit the open nature of these applications to piggy-back
their way into a network. Patching and proper configuration are the best
ways to combat this threat, which is rated number nine.
vulnerabilities round out the list at the tenth position. Protection is a
highly complex problem and specific to each vendor and version.
Although the two lists (Windows and Linux/UNIX) are each
listed in order of decreasing threat levels, there is no correlation between
the two lists; that is, there is no analysis provided as to which OS is more
secure or whether a vulnerability being sixth on the Linux/UNIX list is
responsible for as many successful attacks by percentage, as the number six
threat on the Windows top 10 list.
This is not a tool for determining which OS to use; rather,
it is a guide to know which threats deserve the most attention within each
category, so don’t read too much into the lists. If you use them the way they
are intended, then they can be extremely helpful.
Also watch for …
Microsoft’s lead, Oracle has announced that it will send out update
bulletins on a schedule, but Oracle will do it quarterly. Initially, this
has been set for 2005 as January 18, April 12, July 12, and October 18.
something changes, look for Microsoft to end support for NT 4.0 at the
close of 2004. That includes security hot fix updates and paid incident
support for Windows
NT Server. NT Workstation 4 support has already ended.