Monday, December 3, 2007

SANS Top 20

Every year SANS publishes the top twenty vulnerabilities of the year, classified in different categories. This year:

Client-side Vulnerabilities in:
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players

Server-side Vulnerabilities in:
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software

Security Policy and Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media

Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs

Network Devices:
N1. VoIP Servers and Phones

Zero Day Attacks:
Z1. Zero Day Attacks

In my opinion nothing has happened; for many years the security landscape hasn't changed. Client-side vulnerabilities are more often browser vulnerabilities because browsers like Firefox and IE are the most used clients. On the other hand, web applications are growing, and not every developer is careful about security issues, so it's reasonable that they are still first among the server-side vulnerabilities. But... actually, I don't agree with the positions of H1 and H2. My personal experience focused on security says that phishing is one of the most important security problems of the current era. Preventing phishing means preventing both the technical security aspects and the social security aspects; for the first, lots of groups are working on it with great results, but for the social security aspects the evangelist community is still behind. For this reason phishing is one of the most important and most used attacks. H1 is of course a really important problem, but one fought more during past security history; I believe that lots of steps have already been taken on this particular path, and for this reason it is not comparable with the more recent phishing.
