Check out the full version here.
The SANS Top 2007 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center, and many other user organizations.
For the lazier amongst us, here’s a quick overview of the key points:
- Operating systems have fewer vulnerabilities that can lead to massive Internet worms.
- There has been a significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications.
- Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations.
- Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year.
- The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!
- Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization’s boundary.
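The fifth point, systems compromised by dictionary and brute-force password guessing against weak default credentials, is something a defender can spot in authentication logs. The following is an added example and not part of the SANS list or this post: it scans syslog-style sshd "Failed password" / "Accepted password" lines (the log format, the 2007 timestamp year and the sample lines themselves are constructed assumptions), counts failures per source address in a sliding window, and additionally flags a successful login that follows a burst of failures from the same source, which is the signature of a guess that worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style (not taken from the page).
# 203.0.113.5 hammers common account names and finally gets in as "admin";
# 198.51.100.7 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Nov 12 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Nov 12 10:00:02 host sshd[2002]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Nov 12 10:00:03 host sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 51002 ssh2
Nov 12 10:00:04 host sshd[2004]: Failed password for admin from 203.0.113.5 port 51003 ssh2
Nov 12 10:00:05 host sshd[2005]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Nov 12 10:00:06 host sshd[2006]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
Nov 12 10:03:00 host sshd[2010]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov 12 10:03:30 host sshd[2011]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

# Assumed sshd message layout; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2007):
    """Return a dict with ts/result/user/src for a recognised auth line, else None.

    syslog timestamps carry no year, so one is supplied (assumed 2007 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect_password_guessing(lines, threshold=5, window_seconds=60):
    """Return findings as (kind, source, user) tuples.

    kind is "guessing_burst" when a source reaches `threshold` failures inside
    the sliding window (reported once per source), or "success_after_burst"
    when a login succeeds while the window still holds that many failures.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line
        recent = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                findings.append(("guessing_burst", ev["src"], None))
        elif len(recent) >= threshold:
            # A success right after a burst of failures: the guess likely worked.
            findings.append(("success_after_burst", ev["src"], ev["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(finding)
```

The threshold and window are deliberately parameters: a lower threshold catches slow, patient guessing at the cost of more noise from users who simply mistype, so tune them against your own baseline. The "success_after_burst" finding is the one to act on first, since it points at an account whose password (often still the default) has just been guessed.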
The operating systems are more secure, yet the focus of malware is now on the client side. The attackers have become more creative; think of fast flux, the Storm botnet and so on. Configurations, on the other hand, are not that creative: default configurations still provide "easy access" to outsiders. Technology hasn't been standing still and your home has become part of the wider world, so keep your security practices moving at the same pace. Don't forget that USB keys, (stolen) laptops, BlackBerrys and the like also contain sensitive corporate data.
Don't simply blame the vendor (e.g. Microsoft), but also blame yourself for not keeping up the pace!