Internet.com

ISP-Planet

 


ISP News

SANS/FBI's Top 20 Network Threats

October 2, 2002. SANS/FBI Names Top 20 Network Threats. By Jim Wagner.

The SysAdmin, Audit, Network, Security (SANS) Institute, in conjunction with the Federal Bureau of Investigation (FBI), updated its Top 20 list of security threats.

by Jim Wagner
of internetnews.com
[October 3, 2002]

The list from SANS/FBI, which "is especially intended for those organizations that lack the resources to train, or those without technically-advanced security administrators," names security threats that are relatively easy for a would-be cracker (a Black Hat hacker) or script-kiddie to exploit with the help of a port scanner. These scanners list the software and versions in use on the network, giving the attacker a blueprint to use when looking for weaknesses.

Knowing the software version, for example, a cracker can run scripts aimed at known flaws in the application, giving them back-door access to the entire network, including personal information, passwords, or even the ability to wreak havoc by flooding the network with denial of service (DoS) or distributed DoS attacks.

Here is the most current Top 20 list of security weak spots:

Windows

  • Internet Information Services (IIS),
  • Microsoft Data Access Components (MDAC),
  • SQL Server,
  • NETBIOS,
  • anonymous logon—null sessions,
  • LAN Manager Authentication,
  • General Windows authentication,
  • Internet Explorer (IE),
  • remote registry access,
  • Windows scripting host.

Unix

  • Remote Procedure Calls (RPC),
  • Apache Web Server,
  • Secure shell (SSH),
  • Simple Network Management Protocol (SNMP),
  • File Transfer Protocol (FTP),
  • R-Services—trust relationships,
  • Line printer daemon (LPD),
  • Sendmail,
  • BIND/DNS,
  • General Unix authentication.

Officials recommend that network and system administrators concentrate their resources on the above list immediately, before any other network fixes. They said disabling the network service, upgrading to the most recent version and applying a cumulative patch are the best quick fixes for potentially leaky networks.

Officials realize many IT departments in smaller firms—as well as in major corporations—around the U.S. have been slow to patch their networks, either because they are under-funded or just unaware of the latest threats.

Private and public companies, as well as government agencies, took part in gathering the list of most-damaging network threats. Security companies like Qualys, Symantec, and Internet Security Systems made up one testing group, while actual corporations or government agencies made up the other. Each group came up with a list of the most damaging vulnerabilities.

— End

Related articles:
  [Sept. 30, 2002] Our Computer Insecurities
  [Sept. 27, 2002] DNS Server Choices Broaden
  [March 2, 2000] QMail: A Better Sendmail?

 
