Has SANS Top 20 Lost All Meaning?
I'm not going to give an answer to that... but I want everyone to think about it. As most people have read by now, the SANS Top-20 2007 list has been published.
The list this year contains the following:
- C1. Web Browsers
- C2. Office Software
- C3. Email Clients
- C4. Media Players
- S1. Web Applications
- S2. Windows Services
- S3. UNIX and Mac OS Services
- S4. Backup Software
- S5. Anti-virus Software
- S6. Management Software
- S7. Database Software
- H1. Excessive User Rights and Unauthorized Devices
- H2. Phishing / Spear Phishing
- H3. Unencrypted Laptops and Removable Media
- A1. Instant Messaging
- A2. Peer-to-Peer Programs
- N1. VoIP Servers and Phones
- Z1. Zero Day Attacks
Now take a look at past year's lists [2000, 2001, 2002]. The lists were somewhat specific... they gave you specific pieces of software, or enterprise 'security issues' (failure to properly backup, failure to properly log) that were of a concern. This year, we're presented with 18 categories (that's right... the top 20 contains 18 categories) that are almost as generic as you can get. This years SANS Top-20 List contains 257 unique CVEs... and that doesn't include the fact that they have included configuration sections that don't include any CVEs. Someone made the comment that next year they will release the "SANS Number #1" and the single entry will be "Computer". They are starting to get pretty close. The fix will probably be "Unplug the computer".
So if you're in an enterprise... how can you find any meaning in the SANS Top 20... they've essentially told you that users are stupid and that every piece of software you have deployed is flawed. It seems to me that calc.exe is safe... and perhaps sol.exe but nearly *everything* else fits into one of those categories. There are actually some well respected individuals on the team that composed the SANS Top 20... people that I would not normally associate with this sort of drivel... but really that's what this has become... I almost want to call it a 'FUD Missile'. It's telling me that all backup software is vulnerable, all AV software is vulnerable... my web browser is vulnerable.. my IM and Media Players are vulnerable... Yet they somehow let network infrastructure off the list. DNS Rebinding has been fairly popular this year, yet DNS isn't listed... it's mentioned twice in the entire report... once under phishing / spear phishing... and once under 0-days for the Windows DNS 0-day. They don't even mention DNS Rebinding as an issue... the phishing section says, "While they leverage flaws in browsers, email systems, and DNS, they do so only to enhance the appearance of legitimacy"
So my question... Do people out there still find meaning in the SANS Top 20? Has it outlived it's usefulness?