Government, industry unveil Top 20 Internet security vulnerabilities

A group of private-sector information technology security service vendors and experts joined federal officials Oct. 2 to announce the latest list of Top 20 Internet security vulnerabilities, along with new tools to test for and remedy those vulnerabilities. The Top 20 are the vulnerabilities most often exploited by hackers and other cyber criminals. Richard Clarke, cybersecurity adviser to President Bush, told agency IT managers: "In the past, it was too hard to find [vulnerabilities] or determine which ones are most important. Now you'll have a list ? and a way of finding them quickly."The list was unveiled by the FBI's National Infrastructure Protection Center, the General Services Administration Federal Computer Incident Response Center and the SANS Institute, a Bethesda, Md., research and education organization. The list, available at www.sans.org/top20, details vulnerabilities of Windows and Unix systems, such as Windows Internet Information Services and Unix Apache Web Server. The list also offers guidance on eliminating the vulnerabilities.The National Infrastructure Protection Center and the SANS Institute began releasing lists of top vulnerabilities about two years ago. Thousands of organizations used the lists, according to the institute. This year's list is different, however, because about 70 user organizations and vendors worked together to identify the top 20, said Alan Paller, director of research at the SANS Institute. The team first identified about 4,000 common vulnerabilities, Paller said. The large number of vulnerabilities means fixing the top 20 won't make systems completely safe, but it's the right place to start, because giving IT staff an endless list paralyzes them, Paller said.Focusing on a small number of vulnerabilities encourages action, Paller said. "Then you can move on to the next list," he told agency IT managers.The widespread agreement on the top vulnerabilities not only made possible better guidance for agency IT managers, but also development of new tools designed to test specifically for the 20 threats, Paller said. Officials of three companies announced new services designed to identify and eliminate the top 20 vulnerabilities: Foundstone Inc. of Mission Viejo, Calif., Internet Security Systems Inc. of Atlanta, and Qualys Inc. of Redwood Shores, Calif. Qualys is offering a free, Web-based network scan to detect and eliminate the top vulnerabilities. Internet Security Systems said it will release a component of its Internet Scanner application to target the top 20. Foundstone developed an optional setting within its FoundScan Enterprise Vulnerability Management System to target only the top 20. The General Services Administration later this week will announce a contract award for Internet security patch services, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection in GSA's Federal Technology Service. Under the contract, funded by GSA's Federal Computer Incident Response Center, registered agency users of the patch service will be notified about newly discovered vulnerabilities, advised on preventive measures and notified when and where patches are available, McDonald said.The service will be provided to federal agencies for free, McDonald said. McDonald said she did not yet know the cost of the service under the contract, but she said it would reflect the economies of scale inherent in providing a service governmentwide.Clarke warned agency IT professionals not to go public with a newly discovered system vulnerability before a patch has been developed and distributed, because doing so would alert hackers and put many more systems at risk. Instead, Clarke said, agency IT managers should tell FedCIRC and NIPC and work with the vendor to fix the problem."Don't embarrass [vendors] by going public. If NIPC and FedCIRC can't get their attention, if they still don't patch it, call me," Clarke said. "People tend to take calls from the White House."