
Has SANS Top 20 Lost All Meaning?

November 28th, 2007

I'm not going to give an answer to that... but I want everyone to think about it. As most people have read by now, the SANS Top-20 2007 list has been published.

The list this year contains the following:

  - C1. Web Browsers
  - C2. Office Software
  - C3. Email Clients
  - C4. Media Players
  - S1. Web Applications
  - S2. Windows Services
  - S3. UNIX and Mac OS Services
  - S4. Backup Software
  - S5. Anti-virus Software
  - S6. Management Software
  - S7. Database Software
  - H1. Excessive User Rights and Unauthorized Devices
  - H2. Phishing / Spear Phishing
  - H3. Unencrypted Laptops and Removable Media
  - A1. Instant Messaging
  - A2. Peer-to-Peer Programs
  - N1. VoIP Servers and Phones
  - Z1. Zero Day Attacks

Now take a look at past years' lists [2000, 2001, 2002]. Those lists were somewhat specific... they named specific pieces of software, or enterprise 'security issues' (failure to properly back up, failure to properly log) that were of concern. This year, we're presented with 18 categories (that's right... the top 20 contains 18 categories) that are about as generic as you can get. This year's SANS Top-20 list contains 257 unique CVEs... and that doesn't even count the configuration sections, which contain no CVEs at all. Someone made the comment that next year they will release the "SANS Number #1" and the single entry will be "Computer". They are starting to get pretty close. The fix will probably be "Unplug the computer".

So if you're in an enterprise... how can you find any meaning in the SANS Top 20? They've essentially told you that users are stupid and that every piece of software you have deployed is flawed. It seems to me that calc.exe is safe... and perhaps sol.exe... but nearly *everything* else fits into one of those categories. There are actually some well-respected individuals on the team that composed the SANS Top 20... people I would not normally associate with this sort of drivel... but really, that's what this has become... I almost want to call it a 'FUD Missile'. It's telling me that all backup software is vulnerable, all AV software is vulnerable... my web browser is vulnerable... my IM and media players are vulnerable... Yet they somehow let network infrastructure off the list. DNS rebinding has been fairly popular this year, yet DNS isn't listed... it's mentioned twice in the entire report... once under phishing / spear phishing... and once under 0-days, for the Windows DNS 0-day. They don't even mention DNS rebinding as an issue... the phishing section says, "While they leverage flaws in browsers, email systems, and DNS, they do so only to enhance the appearance of legitimacy."

So my question... Do people out there still find meaning in the SANS Top 20? Has it outlived its usefulness?

Comment #1, November 29th, 2007 at 09:16:

    It’s almost prophetic… everyone and everything is a risk. I’m sure non-sec people will see this as a step backwards and we’re not making any progress whatsoever. I think this is a step forwards in getting non-sec people who might be referencing this to realize we won’t ever “win” totally. As long as technology and software and people are innumerable, the issues are innumerable…

    But no, I don’t see as much meaning in the list this year. It’s a nice, fairly short means to sample our daily lives (detailing the top 20 would take several books otherwise!), but it otherwise gives me nothing new in either knowledge or actionable items.
