2005's Top Security Vulnerabilities
by Jeff Patterson, MCSE, MCDBA, CDIA+, BOL Guru
On Tuesday, November 22nd the SANS Institute released its Top 20 Internet Security Vulnerabilities list for 2005. The good news: Aggressive patch management has helped stem operating system vulnerabilities. The bad news: Cyber criminals are now going after the applications that run on these systems and the network devices that support them.
For the already weary IS security officer, this means additional vigilance to ensure that every component of your information systems is secure. Initiate a thorough review of your security policies, plans and procedures to determine which of these vulnerabilities your policies need to address. Review your patch management policies and procedures to ensure that every system is covered: the operating systems and the applications that run on them, the routers and firewalls, and company-issued mobile devices and mobile phones.
The entire SANS Top 20 Internet Security Vulnerabilities list may be found at http://www.sans.org/top20/. Highlights of the list include:
Windows Services and Libraries: Security issues continue to be found in the core operating system services and files on Windows 2000, XP and 2003 systems. Aggressive patch management is key to fixing the issues as soon as they are discovered.
Weak Passwords: With the majority of networks still using single-factor authentication (user name and password), weak passwords remain a major issue. Review your security policy or password policy to ensure that passwords are required to be complex and difficult to guess and that users are required to change passwords on a regular basis. Implement procedures to ensure compliance with the policy. Passwords for servers, administrative accounts and services should be extremely complex and closely guarded. Follow the principle of least privilege and do not use your normal user account for administrative tasks.
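One way to turn the password policy above into a compliance check is a small audit script run over an export of account records. The following is an added example, not code from the article or from SANS: the account records, the policy thresholds (8 characters for users, 14 for administrative accounts, 90-day maximum age, three of four character classes) and the short common-word list are all assumptions chosen for illustration.

```python
import re
from datetime import date

# Constructed sample data (not from the article): account records as an
# auditor might export them from a test system. Plaintext passwords appear
# only because these are constructed records for a policy check.
ACCOUNTS = [
    {"user": "jsmith", "password": "Summer2005", "changed": date(2005, 6, 1), "admin": False},
    {"user": "mjones", "password": "Tr0ub4dor&3xq", "changed": date(2005, 11, 1), "admin": False},
    {"user": "svc_backup", "password": "backup123", "changed": date(2004, 1, 15), "admin": True},
    {"user": "dadmin", "password": "kT9#vLq2!wZr8$pm", "changed": date(2005, 10, 20), "admin": True},
]

# Policy parameters are assumptions for this example, not figures from the article.
MIN_LEN_USER, MIN_LEN_ADMIN = 8, 14      # administrative accounts get a stricter minimum
MIN_CLASSES = 3                          # of lower, upper, digit, symbol
MAX_AGE_DAYS = 90
COMMON_WORDS = {"password", "summer", "backup", "welcome", "admin", "letmein"}
AUDIT_DATE = date(2005, 11, 30)          # fixed "today" so results are reproducible

CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def complexity_findings(user, pw, admin):
    """Return a list of complexity violations for one password (empty if compliant)."""
    findings = []
    min_len = MIN_LEN_ADMIN if admin else MIN_LEN_USER
    if len(pw) < min_len:
        findings.append("too short (%d < %d)" % (len(pw), min_len))
    classes = sum(1 for pattern in CLASSES if re.search(pattern, pw))
    if classes < MIN_CLASSES:
        findings.append("uses only %d of 4 character classes" % classes)
    if user.lower() in pw.lower():
        findings.append("contains username")
    # Strip digits and symbols so 'Summer2005' is still recognised as a dictionary word
    stem = re.sub(r"[^a-z]", "", pw.lower())
    if stem in COMMON_WORDS:
        findings.append("based on a common word")
    return findings


def age_findings(changed, today):
    """Return an age violation if the password is older than the policy allows."""
    age = (today - changed).days
    if age > MAX_AGE_DAYS:
        return ["not changed for %d days (max %d)" % (age, MAX_AGE_DAYS)]
    return []


def audit(accounts, today):
    """Return {username: [findings]} for every account that violates the policy."""
    report = {}
    for acct in accounts:
        findings = complexity_findings(acct["user"], acct["password"], acct["admin"])
        findings += age_findings(acct["changed"], today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, AUDIT_DATE).items():
        print(user)
        for f in findings:
            print("  -", f)
```

In the constructed data the two compliant accounts (mjones, dadmin) produce no findings, while the service account fails on length, character classes, dictionary word and age at once, which is the profile of the "closely guarded" administrative credentials the article warns about when they are not in fact guarded.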
Backup Software: During the past year security vulnerabilities have been discovered in nearly every popular backup utility. These vulnerabilities can be exploited to compromise the integrity of the backup system.
Anti-Virus Software: Virus writers are no longer content to exploit operating system vulnerabilities; the new generation is exploiting flaws in the very anti-virus software designed to protect us from them. Buffer overflow issues have been discovered in products from Symantec, F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV and Sophos.
PHP-based Applications: With so many web applications running on Linux, Apache, PHP and MySQL, nearly every week of the last year has seen new vulnerabilities published for web sites running PHP applications.
Database Software: Databases form the basis of nearly all commercial applications and store large amounts of sensitive data. Cyber criminals are taking advantage of poorly designed web front ends that pass user input straight into queries (SQL injection), default installations of the database software with weak or no passwords for administrative access, and buffer overflow vulnerabilities to read, manipulate and delete the data contained therein.
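The "poorly designed web front end" is worth seeing concretely. The following is an added example, not code from the article or from SANS: it builds a throwaway in-memory SQLite table with constructed rows, then runs the same lookup two ways, once by splicing the user-supplied value into the SQL text (the flaw) and once with a bound parameter (the fix). The table, rows and attacker input are all assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny accounts table
# standing in for the database behind a web front end.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed attacker input: closes the quoted string and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the value is spliced into the SQL text, so a quote
    in the input changes the query's structure instead of being treated as data."""
    sql = "SELECT username, email FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter and can never become SQL syntax.
    The injection string is simply looked up as a (nonexistent) username."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("normal   :", lookup_vulnerable(conn, "alice"))
    print("injected :", lookup_vulnerable(conn, INJECTION))   # every row comes back
    print("safe     :", lookup_safe(conn, INJECTION))         # no such user -> []
```

Parameterised queries close the injection path regardless of how the database is installed; they do not, however, excuse a default administrative account with a weak or empty password, which the example's connection string would expose just as readily if the front end connected as that account.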
File Sharing Applications: The use of file sharing applications continues to grow at an alarming rate. Many of these applications include spyware and adware, have little or no password protection, and leave wide open holes in a network's security structure that enable virus applications and other malicious software to gain access. In addition, illegally downloaded copyrighted material opens the organization to lawsuits.
Instant Messaging: A thorn in the side of network administrators, instant messaging can be an extremely useful tool inside the bank. However, these applications are full of security issues and offer few means to monitor and audit their use. Use of these applications continues to contribute to the spread of virus applications, Trojans and other malicious software.
DNS: Published vulnerabilities in DNS remain. None of the issues with DNS are new; they persist because the role DNS plays in nearly every network is not well understood and DNS servers are left in default configurations. Investigate the role DNS plays in your network and implement procedures to harden your DNS servers.
Unix and Unix Derivative Operating Systems: Unix, Linux and Mac OS are all being attacked by cyber criminals. Default or weak passwords, services that run on default ports, and unpatched systems remain vulnerabilities.
Internet Explorer, Mozilla, and Firefox: Vulnerabilities continue to be found in Internet Explorer. However, if you think you avoided these issues by switching your web browser to Mozilla or Firefox, think again. A large number of vulnerabilities have been discovered in each of these applications as well.
Routers, Firewalls and VPN Appliances: Cyber criminals have started to attack the software that runs the routers, firewalls and VPN appliances used to protect the network and route traffic between networks. Cisco, Juniper, Check Point and Symantec have all had exploits published in the last year.
Review the SANS Top 20 list, check your system for vulnerabilities, and update your security policies and procedures accordingly.
First published on 11/30/2005