Fixes Named Along With Top 20 Holes

Public/private security initiative yields first action plan to beat hacker threat

October 7, 2002 12:00 PM ET

Computerworld - A collaborative initiative by federal agencies and a group of private-sector security organizations last week yielded a target list of the 20 most hazardous Internet security vulnerabilities, along with specific products and programs designed to help companies eradicate them.

The list is the third compiled in as many years by The SANS Institute, a nonprofit security organization, and the FBI's National Infrastructure Protection Center. However, this year marks the first time that security vendors have offered product upgrades specifically targeting the vulnerabilities.


Bill Murray, a spokesman for the NIPC, said the top 20 list is based on what he called the 80-20 model. "It's the 20 vulnerabilities that are causing about 80% of the serious intrusions," said Murray. "The important thing is that now we have vendors that will allow people to actually test for these vulnerabilities," he said. "In the past, companies have been on their own."


Each of the top 20 vulnerabilities stems from a flaw that shipped in widely deployed software and that, if left unfixed, can give an attacker remote access to the affected system.


Although the previous two versions of the Top 20 list were successful in focusing attention on the most common security holes exploited by hackers, they failed to get the results that The SANS Institute and other sponsors had hoped for, said Alan Paller, director of the institute, in Bethesda, Md. The lack of results was a byproduct of the unavailability of "commercial tools and, even more importantly, commercial services to allow people to focus on them," he said.


This year's list comes with specific product upgrades from Foundstone Inc. in Mission Viejo, Calif., and Internet Security Systems Inc. in Atlanta that target the new top 20 vulnerability list. In addition, Qualys Inc. in Redwood Shores, Calif., announced a free online scanning service that looks for the top 20 vulnerabilities without installing new software on an organization's network. Likewise, free open-source scanning products were made available from The Nessus Organization, an online security scanner project, and Vienna, Va.-based Advanced Research Corp.


"For the first time, organizations that do not have big security staffs can get at the top 20," said Paller. "The key is you don't have to have in-house expertise on running and tuning a scanner, and the upfront investment is small enough that everyone can do it."


The affordability of the scanning tools is a critical component of last week's announcement, said John Gilligan, CIO of the U.S. Air Force and co-chairman of the Federal CIO Council's Security Committee. "None of us can afford the cost of a continual race against would-be cyberattackers using the current find-and-patch approach to deal with latent vulnerabilities in commercial software packages," said Gilligan. "Simply the economic cost of this find-and-patch mode of operating is enormous."
