Businesses, vendors and individual computer users could stop most viruses and cyber attacks spreading by fixing a small number of common technology flaws, according to research.
Viruses, spam and distributed denial of service attacks could all be reduced by patching a number of common vulnerabilities found in Windows and Unix systems, says the government-backed Sans Institute.
The study, which includes contributions from the UK's National Infrastructure Security Co-ordination Centre and the Cabinet Office's Central Sponsor for Information Assurance (CSIA) department, found instant messaging, internet browsers and web services were among the most common threats.
'Every day there are new vulnerabilities, new hacks and new exploits,' said CSIA director Stephen Marsh.
'Most people would use commercial off-the-shelf products if they were secure, and it is our job to make it easier.'
But Sans Institute Director, Alan Paller, told Computing that although companies needed to protect against the flaws, many of the related information security risks and costs could be removed if businesses put the onus on vendors to test systems before roll-out.
'The main thing to start thinking about right now is saying to your procurement department "We won't accept technologies with vulnerabilities",' said Paller.
Last month, Gartner also told Computing that businesses should put more pressure on vendors to remove security flaws before products are launched.
The analyst firm predicted that a 50 per cent reduction in software vulnerabilities before shipping could remove 75 per cent of configuration management and incident response costs incurred by businesses.
Top Vulnerabilities to Windows Systems
*Web Servers & Services
*Workstation Service
*Windows Remote Access Services
*Microsoft SQL Server (MSSQL)
*Windows Authentication
*Web Browsers
*File-Sharing Applications
*LSAS Exposures
*Mail Client
*Instant Messaging
Top Vulnerabilities to UNIX Systems
*BIND Domain Name System
*Web Server
*Authentication
*Version Control Systems
*Mail Transport Service
*Simple Network Management Protocol (SNMP)
*Open Secure Sockets Layer (SSL)
*Misconfiguration of Enterprise Services NIS/NFS
*Databases
*Kernel


