If an expert pointed to the top 20 security vulnerabilities in your network -- the ones that are responsible for the vast majority of attacks -- then told you how to correct them in a manner that would cost you next to nothing, wouldn't you trip over yourself to take the advice?

The SANS Institute, in conjunction with the FBI's National Infrastructure Protection Center (NIPC) -- two organizations that are chock full of security experts -- is doing just that. SANS and the FBI last week published their annual list of the "Most Critical Internet Security Vulnerabilities." When it debuted two years ago, the list consisted of 10 vulnerabilities, but demand warranted an expansion to 20 last year, and there it remains for 2002.

Apparently, though, word about the list isn't getting out very well, because nearly half of the items on this year's Top 20 were also on last year's list. If the same vulnerabilities are still being exploited, that means users either aren't jumping at the chance to implement the simple fixes the SANS/FBI list points to, or they simply don't know about the list. Consider this my small contribution to fixing the latter problem.


SANS notes that, while the list is valuable for any security organization, it is intended especially for those without extensive security resources, in terms of either skills or budget. The list acts as a sort of lighthouse, pointing the way to the most serious vulnerabilities and giving direction to the many organizations that may feel overwhelmed -- or even "paralyzed," as SANS put it -- by the enormity of the security problem.

The Top Twenty is actually broken down into two Top Ten lists, one for Windows systems, the other for Unix. "Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty services," SANS says in the preamble to the list.


Fixing most of the problems is simple. For some, you simply disable the offending service. Do you really need LAN Manager authentication, for example? Not if you're not using LAN Manager, which went out of vogue around the time the Beatles split up. The LM password hash is weak enough to be cracked in short order, so a Windows box that still answers with LM responses, or still stores LM hashes, is handing an attacker an easy win for no benefit.
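As an added illustration of that "just turn it off" fix (this is the editor's example script, not code from the column or from SANS), here is a PowerShell audit that reports whether a Windows host still sends LM responses or stores LM hashes and, with -Fix, sets the two LSA registry values that disable them. It assumes the LmCompatibilityLevel and NoLMHash values as they exist on Windows XP / Server 2003 and later, and an elevated prompt; the target level of 3 is an assumed sensible default.

```powershell
<#
  Added example (not from the original column or from SANS): audit, and with
  -Fix disable, LAN Manager authentication on a Windows host.
  Assumptions: the LSA registry values LmCompatibilityLevel and NoLMHash as
  they exist on Windows XP / Server 2003 and later; run from an elevated
  PowerShell prompt. A reboot is needed for a new level to take effect.
#>
param(
    [switch]$Fix,                                  # without -Fix the script only reports
    [ValidateRange(3, 5)] [int]$TargetLevel = 3    # 3 = client sends NTLMv2 only (assumed default)
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel: levels 0-1 still send LM responses on the wire, 2 sends
# NTLM only, 3 sends NTLMv2 only; 4 and 5 additionally make a domain controller
# refuse LM (4) or both LM and NTLM (5) from clients.
$levelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; server refuses LM'
    5 = 'Send NTLMv2 only; server refuses LM & NTLM'
}

function Get-LmState {
    $p = Get-ItemProperty -Path $lsa
    $level = $p.LmCompatibilityLevel   # $null when the value has never been set
    $noLm  = $p.NoLMHash               # $null or 0 means LM hashes are still stored
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Meaning              = if ($null -eq $level) { 'not set; OS default applies' } else { $levelText[[int]$level] }
        NoLMHash             = $noLm
        StoresLmHash         = ($noLm -ne 1)
        # Treat an unset level conservatively: pre-Vista systems default to 0.
        SendsLmResponse      = ($null -eq $level -or [int]$level -lt 2)
    }
}

function Set-LmHardening {
    param([int]$Level)
    # Both are DWORD values; Set-ItemProperty creates them if they do not exist.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value $Level -Type DWord
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
}

$before = Get-LmState
Write-Host 'Current LAN Manager settings:'
$before | Format-List

if ($before.SendsLmResponse -or $before.StoresLmHash) {
    Write-Warning 'This host still sends LM responses and/or stores LM hashes.'
    if ($Fix) {
        Set-LmHardening -Level $TargetLevel
        Write-Host "Set LmCompatibilityLevel=$TargetLevel and NoLMHash=1. Reboot to apply the level."
        Write-Host 'Note: NoLMHash only stops new LM hashes; existing ones persist until each password is changed.'
        Get-LmState | Format-List
    } else {
        Write-Host 'Re-run with -Fix to apply LmCompatibilityLevel and NoLMHash.'
    }
} else {
    Write-Host 'LM authentication is already disabled on this host.'
}
```

Two practitioner caveats the script's messages echo: NoLMHash stops LM hashes from being written on the next password change but does not scrub the ones already in the SAM or Active Directory, and raising LmCompatibilityLevel can break very old clients or appliances that only speak LM or NTLMv1, so audit first and push the change through Group Policy once you know what is on the wire.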

Others can be fixed with a simple patch. Think of it. You download a patch, apply it, and you've fixed maybe dozens of flaws that might show up on a vulnerability scan. Go take the rest of the afternoon off. You deserve it.

While patching vulnerabilities won't cure all your security ills, it will certainly help. SANS/FBI points to evidence at no less a source than the National Aeronautics and Space Administration (NASA), the folks who put golfers on the moon. (After last week's Ryder Cup, I'd like to send Sergio Garcia -- let him jump around like a clown in zero gravity and see what happens.) According to a case study available at the SANS Web site, NASA began attacking its 50 most serious vulnerabilities in the summer of 1999, using a standard suite of scanning tools to find them on its 80,000 computers at 10 major locations.

NASA established goals for eliminating vulnerabilities -- starting with no more than one per every four computers -- and turned quashing them into a friendly competition among the 10 centers. By the end of 2001, NASA was finding vulnerabilities at a rate of only one per every 147 computers. Over the same period, the proportion of attempted attacks that succeeded fell three-fold. Draw your own conclusions.

Obviously NASA has a leg up on many organizations in terms of budget, but the SANS site lists products and services, some of them free, that can help you find the Top 20 vulnerabilities. You'll find that list as well as the Top 20 at: http://www.sans.org/top20. SANS also this week released a $49, 86-page guide to securing Cisco routers. Go to http://store.sans.org and click on "Consensus Guides."

Paul Desmond is president of Paul Desmond Editorial Services, an IT publishing firm in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at paul@pdedit.com.