
How many are you guilty of?
Published: 3 October 2001 16:30 BST
The FBI has teamed up with the SANS Institute, a security training and research organisation, to produce a list of the top 20 computer security threats facing companies today.
The list is a revision of a top ten list of threats produced by the same organisations last year.
The top 20 includes specific sections on general vulnerabilities, Windows vulnerabilities and Unix vulnerabilities.
SANS said the document had been produced because only a limited number of security holes were exploited by the bulk of virus attacks. Network administrators who complain they are too busy to apply all software patches can prioritise by applying the patches listed on the SANS website first.
A number of holes in Microsoft's IIS web-server software, which had been known about for some time, allowed the rapid spread of the Code Red and Nimda worms.
If network administrators had applied Microsoft's patches for those vulnerabilities, the worms would have been unable to spread.
John Gilligan, acting CIO of the US Air Force and co-chair of the Security Committee of the Federal CIO Council, welcomed the announcement on behalf of US government IT directors, and said there were still too many instances where government systems were vulnerable to attack.
He concluded the launch of the top twenty list by lambasting software writers.
He said: "It is clear that the quality of software design and testing in the past does not measure up to the needs of the present and the future. I challenge the leaders in the software industry to work together to establish new standards of software quality."
Patches and a free anti-virus scanner for the top vulnerabilities can be found at the SANS website http://www.sans.org/top20.htm.
The top 20 problems are:
1. Default installations of software
2. Poor password protection
3. Non-existent or Incomplete Backups
4. Large number of open ports
5. Not filtering packets for correct incoming and outgoing addresses
6. Non-existent or incomplete logging
7. Vulnerable CGI Programs
8. Unicode Vulnerability (Web Server Folder Traversal)
9. ISAPI Extension Buffer Overflows
10. IIS RDS exploit (Microsoft Remote Data Services)
11. NETBIOS - unprotected Windows networking shares
12. Information leakage via null session connections
13. Weak hashing in SAM (LM hash)
14. Buffer Overflows in RPC Services
15. Sendmail Vulnerabilities
16. Bind Weaknesses
17. R Commands
18. LPD (remote print protocol daemon)
19. sadmind and mountd
20. Default SNMP Strings
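Item 8, the IIS Unicode folder-traversal hole that Nimda used, comes down to a request decoder that accepted overlong UTF-8 forms of "/" and so let "../" sequences escape the web root. The checker below is an added example written for this article, not SANS or Microsoft code: it canonicalises request paths the way a careful server should (percent-decode, strict UTF-8, then resolve "." and ".." without ever climbing above the root) and runs that check over a few constructed web-server log lines to flag the requests an administrator would want to see. The log format, the client addresses and the function names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in a common-log-style format; these are not
# taken from the article or from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2001:16:30:00 +0100] "GET /index.htm HTTP/1.0" 200 1234
192.0.2.11 - - [03/Oct/2001:16:30:01 +0100] "GET /images/logo.gif HTTP/1.0" 200 4321
192.0.2.12 - - [03/Oct/2001:16:30:02 +0100] "GET /scripts/..%c0%af../private/file.txt HTTP/1.0" 200 0
192.0.2.13 - - [03/Oct/2001:16:30:03 +0100] "GET /docs/../../private/config.txt HTTP/1.0" 404 0
192.0.2.14 - - [03/Oct/2001:16:30:04 +0100] "GET /docs/%2e%2e/%2e%2e/secret HTTP/1.0" 404 0
192.0.2.15 - - [03/Oct/2001:16:30:05 +0100] "GET /docs/a/../b.htm HTTP/1.0" 200 99
"""

# Pulls method and path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonicalise(raw_path):
    """Return (verdict, path).

    verdict is 'ok' (path stays inside the web root, returned canonical),
    'bad-encoding' (percent-decoded bytes are not valid UTF-8, which is
    exactly how overlong forms such as %c0%af show up), or 'traversal'
    (a '..' segment tried to climb above the root).
    """
    raw_bytes = unquote_to_bytes(raw_path.split('?', 1)[0])
    try:
        # Strict decoding rejects overlong sequences instead of treating
        # them as a second spelling of '/'.
        decoded = raw_bytes.decode('utf-8')
    except UnicodeDecodeError:
        return 'bad-encoding', raw_path

    # IIS treats backslash as a separator too, so normalise it first.
    decoded = decoded.replace('\\', '/')

    segments = []
    for seg in decoded.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if not segments:
                # Nothing left to pop: the request is trying to leave the root.
                return 'traversal', raw_path
            segments.pop()
        else:
            segments.append(seg)
    return 'ok', '/' + '/'.join(segments)


def scan_log(log_text):
    """Return a list of (client, verdict, raw_path) for every request
    that does not canonicalise cleanly."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict, _ = canonicalise(match.group('path'))
        if verdict != 'ok':
            client = line.split(' ', 1)[0]
            findings.append((client, verdict, match.group('path')))
    return findings


if __name__ == '__main__':
    for client, verdict, path in scan_log(SAMPLE_LOG):
        print(f'{client:15} {verdict:13} {path}')
```

The same canonicalisation is the fix as well as the detector: a file-serving handler that calls `canonicalise()` and refuses anything but `'ok'` cannot be steered outside its document root by encoding tricks, because the check happens on the fully decoded path rather than on the raw request string.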