The Information Systems Audit and Control Association (ISACA) London Chapter

Aspiring to be the recognized global leaders in IT governance, control and assurance




SANS/FBI Update Top 20 Most Dangerous Internet Security Weaknesses

2 October 2002

SANS and FBI representatives unveiled the third installment of the Top 20 list and announced the availability of free tools from Qualys, Foundstone and Internet Security Systems that scan for the vulnerabilities on the list. Freeware and open-source scanners based on Nessus and on Advanced Research Corp. tools are also available.

Read the Top 20 Vulnerabilities List here http://www.sans.org/top20


FBI lists 20 Most Dangerous Internet Security Weaknesses

2 October 2001

http://www.sans.org/top20.htm


In the wake of the Nimda worm, the FBI, with the help of the SANS (SysAdmin, Audit, Network, Security) Institute, has released a list of the 20 most important Internet security vulnerabilities. It is a valuable reference because the majority of successful attacks on computer systems via the Internet can be traced back to the exploitation of unpatched vulnerabilities and misconfigurations highlighted on the list.

These few vulnerabilities account for the majority of successful attacks simply because attackers are opportunistic: they take the easiest and most convenient route, exploiting the best-known flaws with the most effective and widely available attack tools. They count on organisations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable system.

The top 20 list is segmented into three categories: General vulnerabilities, Windows vulnerabilities and Unix vulnerabilities.

Top general vulnerabilities

  • Default installs of operating systems and applications

  • Accounts with No Passwords or Weak Passwords

  • Non-existent or Incomplete Backups

  • Large number of open ports

  • Not filtering packets for correct incoming and outgoing addresses

  • Non-existent or incomplete logging

  • Vulnerable CGI Programs
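
The "not filtering packets for correct incoming and outgoing addresses" item refers to anti-spoofing (ingress/egress) filtering at the network border. The following is an added example, not code from the ISACA page or from SANS: a minimal implementation of that filtering decision, so the reader can see which packets each direction of the rule is meant to drop. The interface names, the inside prefix 203.0.113.0/24 and the sample packets are constructed for illustration.

```python
"""Added example (not from the ISACA page or SANS): a minimal ingress/egress
anti-spoofing check of the kind the list item refers to. The interface names,
the inside prefix and the sample packets below are constructed."""
import ipaddress
from typing import NamedTuple

# Constructed topology: a border router whose inside network is 203.0.113.0/24
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Ranges that must never appear as a source address on the Internet-facing side
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class Packet(NamedTuple):
    iface: str   # "outside" (Internet side) or "inside" (LAN side)
    src: str
    dst: str


def _in_any(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def filter_decision(pkt: Packet) -> str:
    """Return 'permit' or a 'drop: ...' reason for a packet arriving on pkt.iface.

    Ingress (outside -> in): drop if the source claims to be one of our own
    addresses (classic spoof) or is a private/bogon address.
    Egress (inside -> out): drop if the source is not one of our addresses,
    so a compromised internal host cannot send spoofed traffic to others.
    """
    if pkt.iface == "outside":
        if _in_any(pkt.src, INSIDE_PREFIXES):
            return "drop: inbound packet spoofs an internal source address"
        if _in_any(pkt.src, BOGON_PREFIXES):
            return "drop: inbound packet from private/bogon source"
        return "permit"
    if pkt.iface == "inside":
        if not _in_any(pkt.src, INSIDE_PREFIXES):
            return "drop: outbound packet with a source address we do not own"
        return "permit"
    raise ValueError(f"unknown interface {pkt.iface!r}")


# Constructed sample traffic, one packet per case the rule must handle
SAMPLE = [
    Packet("outside", "198.51.100.7", "203.0.113.10"),  # legitimate inbound
    Packet("outside", "203.0.113.5", "203.0.113.10"),   # spoofed internal source
    Packet("outside", "10.1.2.3", "203.0.113.10"),      # private source from Internet
    Packet("inside", "203.0.113.10", "198.51.100.7"),   # legitimate outbound
    Packet("inside", "192.0.2.99", "198.51.100.7"),     # internal host spoofing
]


def audit(packets=SAMPLE):
    """Apply the filter to each packet and return (src, dst, verdict) tuples."""
    return [(p.src, p.dst, filter_decision(p)) for p in packets]


if __name__ == "__main__":
    for src, dst, verdict in audit():
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The check is deliberately direction-aware: the ingress rule protects us from spoofed traffic, while the egress rule protects everyone else from spoofed traffic originating on our network, which is the half that is most often forgotten.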

Top Windows vulnerabilities

  • Unicode Vulnerability (Web Server folder traversal)

  • ISAPI extension buffer overflows

  • IIS RDS exploit (Microsoft Remote Data Services)

  • NETBIOS - unprotected Windows networking shares

  • Information leakage via null session connections

  • Weak hashing in SAM (LAN Manager hash)
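
The LAN Manager hash is weak because the password is upper-cased, padded to 14 bytes and split into two 7-byte halves, each of which is used independently as a DES key to encrypt the constant "KGS!@#$%"; the halves can therefore be cracked separately, and a password of seven characters or fewer leaves the second half equal to a well-known constant. The following is an added example, not code from the ISACA page or from SANS: it audits a pwdump-style hash dump for that weakness and for blank passwords (the "no passwords" item in the general list). The dump lines, user names and RIDs are constructed; the two sentinel values are the genuine LM hash of an empty password and the genuine NT hash of an empty string.

```python
"""Added example (not from the ISACA page or SANS): audit a pwdump-format
password-hash dump for LAN Manager hashes and blank passwords. The dump
below is constructed; only the two sentinel constants are real values."""

# LM hash of an empty (or absent) password half: DES of "KGS!@#$%" under a key
# of seven null bytes. A password of 7 or fewer characters has this as its
# second half, because LM pads to 14 bytes and hashes the two halves separately.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_EMPTY = LM_EMPTY_HALF * 2
# NT hash (MD4 of the UTF-16LE password) of the empty string.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


def classify(line: str) -> dict:
    """Parse one pwdump line 'user:rid:lmhash:nthash:::' and report findings."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    findings = []
    if nt == NT_EMPTY:
        findings.append("blank password")
    if lm != LM_EMPTY:
        # Any stored LM hash means the password is at most 14 characters,
        # case-folded to upper case, and crackable as two independent halves.
        findings.append("LM hash stored (two independent 7-char halves, case-insensitive)")
        if lm[16:] == LM_EMPTY_HALF:
            findings.append("password is 7 characters or shorter")
    return {"user": user, "rid": int(rid), "findings": findings}


# Constructed sample dump (hash values other than the sentinels are made up)
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jsmith:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
hardened:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def audit(dump: str = SAMPLE_DUMP) -> list:
    """Classify every non-empty line of a dump."""
    return [classify(line) for line in dump.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in audit():
        print(result["user"], result["findings"] or ["ok"])
```

An account whose LM field is the empty sentinel while its NT hash is not can mean either that LM hash storage has been disabled or that the password is longer than 14 characters; both are acceptable, so the audit reports nothing for it.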

Top Unix system vulnerabilities

  • Buffer overflows in RPC services

  • Sendmail vulnerabilities

  • BIND weaknesses

  • R commands (rsh, rlogin, rcp, rexec)

  • LPD (remote print protocol daemon)

  • sadmind and mountd

  • Default Simple Network Management Protocol (SNMP) strings

Full details of the Top 20 vulnerabilities, including for each one a detailed description, the systems affected, how to determine whether you are vulnerable and how to protect against it, can be found on the SANS site at http://www.sans.org/top20.htm


Copyright © 2004.  Information Systems Audit & Control Association London Chapter.  All rights reserved.
Last modified: 30/03/2005