SANS Top Twenty Internet Security Vulnerabilities for 2003
Information Note Number: IN03-004
8 October 2003
Purpose
OCIPEP is releasing this Information Note to bring attention to the publication of the SANS Institute's "Top Twenty" Internet Security Vulnerabilities for 2003.
Audience
This information note is primarily intended for Canadian critical infrastructure owners and operators, in particular their network security administrators and cyber security personnel.
Information
The US Department of Homeland Security (DHS), the UK National Infrastructure Security Co-ordination Centre (NISCC), and OCIPEP, along with the SANS Institute today announced the 20 Internet security vulnerabilities most often exploited by hackers. This "Top Twenty" has been updated substantially from last year's list, adding new vulnerabilities and removing some that are no longer prevalent.
The full list of the Top Twenty vulnerabilities and related material can be viewed at www.sans.org/top20/
This updated Top Twenty list is actually two Top Ten lists: the 10 most commonly exploited vulnerable services in Windows, and the 10 most commonly exploited services in Unix and Linux. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these 20 vulnerabilities. Windows operating systems are used on approximately 90 percent of the world's computers, while Unix and Linux are used on approximately eight percent. A report released by the network security firm mi2g on 1 November 2002 reported that approximately half of the network vulnerabilities discovered for the calendar year 2002 emanated from Microsoft software, while approximately a fifth of the vulnerabilities were believed to be related to Linux and Unix operating systems and related software[1].
The document also includes a list of those ports most commonly probed and attacked and recommends a series of best practices for configuring corporate and network firewalls.
Each entry into the Top Twenty list contains analysis on the architecture of the vulnerability and the potential exploits, the affected operating systems, how users can identify their own vulnerability and the necessary corrective actions.
The Top Twenty list includes a number of serious vulnerabilities which OCIPEP has highlighted in its Alerts, Advisories and Information Notes during the same analysis period (for notable entries see Table 1.0).
| Windows Operating System |
UNIX / LINUX |
1. Microsoft SQL Server (MSSQL)
|
1. Open Secure Sockets Layer (SSL)
- OCIPEP Alert AL03-011
- OCIPEP Advisory AV03-044
|
2. Microsoft Internet Explorer (IE)
- OCIPEP Advisory AV03-038,
AV03-38a
- OCIPEP Alert AL03-012
|
2. Sendmail
|
3. Internet Information Services (IIS)
|
|
Table 1.0 -- OCIPEP Operations products related to vulnerabilities listed in the "Top Twenty"
Other notable entries include assessments of password protection practices in both the Windows and Unix environments, an analysis of the vulnerability stemming from insecure remote user access privileges and the vulnerabilities inherent in peer-to-peer (P2P) file sharing environments.
Conclusion
Through concerted awareness raising and the effective exchange of information, many of these vulnerabilities can be counteracted. OCIPEP recommends that network security administrators examine the list and ensure that all their security protocols are up-to-date and that their systems are adequately patched.
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca