The top three vulnerabilities of the Microsoft Windows operating system (OS)—in order—are Web servers and services, workstation service and Windows remote-access services, whereas the top three vulnerabilities for UNIX and Linux are the BIND domain name system (DNS), Web server and authentication, according to a study recently released by the security-oriented SANS Institute. The list, available at the organization’s Web site, was put together by experts from government agencies in the United Kingdom, the United States and Singapore; leading security software vendors and consulting firms; some of the top university-based security programs; and SANS.
“I agree with the ranking on low-level technical groupings, but it’s less from a technological basis than it is from a market understanding,” said Chuck Adams, chief security officer of Austin, Texas-based NetSolve Inc., which delivers remote management services for IT infrastructure. “There’s literally tens of thousands of these single-point vulnerabilities. They continue to show up in these operating systems and applications and information technology systems of any type.”
The vulnerabilities listed in the survey directly correlated with rate of use, Adams said. “Web servers and services being ranked number one (for Windows) isn’t surprising to me. It’s sort of a frequency assumption that we’ll see more vulnerability issues or challenges with a more extensively used operational capability.”
Adams added that the biggest vulnerability any OS user faces today is not technical in nature, but rather is based on a general mindset about IT security. “There’s a macro-level vulnerability in Corporate America and the private consumer base alike, and that is the absence of security concern,” he said. “I view that as a philosophical vulnerability, more on a macro level, than the technical vulnerabilities that are identified.”
Part of the problem is that many of the most eye-catching features in operating systems also are the most vulnerable. Technology developers and vendors have put information security almost entirely in the hands of consumers, who often use highly susceptible applications they don’t even really need. Adams recommended users evaluate every aspect of the system they’re using. “Actually walk through that process and say, ‘That’s a cool feature. I can enable it, but should I enable it?’”
Adams also had suggestions for organizations in assessing and responding to vulnerabilities, which evolve and often have multiple variations of the same basic thing. “Our historic posture has been to try and keep up with that through regimented and real-time patching processes, or trying to get the patching processes as close to real time as you can. As soon as you have a vulnerability, you have to apply the work around the fix. That’s a very preventive posture. We need to think of security management as a methodology, using the infrastructure as a system to be able to enact that methodology.” Adams advocates a three-pronged approach, which begins with measuring for attack prevention; then moves toward balancing those preventative actions with the need to monitor for deviation; and finally takes a real-time response against legitimate and valid threats that try to exploit vulnerabilities.
For more information, see http://www.sans.org/top20/.