Top Security News

Real Media Files Owned By Virus
McAfee's Avert Labs has discovered a virus in the wild, W32/Realor...


FTC Pops The Clutch On Media Motor
Notorious PC hijacker software Media Motor had its doors blown off by the Federal Trade Commission, which persuaded a US District Court to shut down its distributors...


Legal Drivers, Cost Implications for Information Security
Do the new laws really help information security, and raise the general overall level of security or are they just things to follow along with when being audited...


Jim Hurley Has Noted Your Compliance
The former Aberdeen Group VP now works as managing director of the IT Policy Compliance Group founded by Symantec, the Computer Security Institute (CSI), and the Institute of Internal Auditors (IIA); we talked about the group's recent study of factor...


The President Is Not Dead
If you receive an email claiming either President Bush or Russian president Putin is dead, there may be a worm attached to that message...


McAfee Puts A Plus On SiteAdvisor
The security software company has disclosed a premium version of its SiteAdvisor web safety tool called SiteAdvisor Plus, and touted a multitude of factors of its proactive approach to protecting...


Secunia Spars With Microsoft Over IE7
Denmark-based Secunia has brought up a trio of Internet Explorer 7 issues since Microsoft formally launched its new browser, and both sides have...



David A. Utter
Thursday:11.16.06

SANS Updates Its Attack Target List


The Top 20 list published by the SANS Institute received a name change as its annual update of the top 20 Internet security attack targets hit the Web.

SANS made some design changes to their list, organizing the most frequently targeted technologies into categories and sub-categories. They discuss operating systems, cross-platform applications, network devices, security policy & personnel, and zero-day attacks and prevention in a special section.

The usual suspects fill in the operating system category, led by Internet Explorer. Vulnerabilities in ActiveX have figured prominently in several exploits, creating problems where remote code execution could be accomplished on a personal computer.

"In many cases, the vulnerabilities were zero-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed," SANS noted in their list. "The VML zero-day vulnerability fixed by Microsoft patch MS06-055 was widely exploited by malicious websites before the patch was available."


Windows libraries, Microsoft Office, and issues with Mac OS X and Linux/Unix systems also made the operating system list. For cross-platform applications, web applications topped the category. PHP remote file includes, SQL injection, and cross-site scripting were among the problems focused on by malicious parties.

The growing promotion and acceptance of VoIP solutions from companies like Cisco and Asterisk have led to their gaining unwanted attention. Some products in the VoIP space from those two companies and others "have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device."

We discussed policies and compliance with Jim Hurley, managing director of the IT Policy Compliance Group, recently. His group's observations on compliance issues found access control a major concern for businesses of all sizes.

In the SANS top 20 report, they recount the old Ronald Reagan adage of "trust but verify" when it comes to users and the level of access they are allowed to have. Under the security policies & personnel section, SANS encouraged administrators to identify policy violations so corrective action against the offending party can be taken.

With zero-day vulnerabilities appearing more often, SANS suggested several steps admins can take when news of one surfaces. Their lengthy list of steps includes adopting a deny-all policy at the perimeter of the network, placing public-facing systems in a DMZ where they are separate from internal production systems, and using either in-house resources or an outsourced service that alerts people to a new zero-day exploit making the rounds.

About the Author:
David Utter is a business and technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.



About SecurityProNews
SecurityProNews is updated in real time with vital internet security alerts, news and in-depth articles for IT Managers. SecurityProNews understands that IT Management Begins With Security.
 

© 2006 SecurityProNews. An email newsletter.