Is the SANS Top 20 still useful?

This week in Security Blog Log: Some experts ponder whether the SANS Institute's Top 20 vulnerability list is as valuable as it once was. Others weigh in on the VoIP threat.


The SANS Institute's Top 20 vulnerabilities list always gets a lot of attention, and this year's installment is no exception. A day after its release, security experts took to the blogosphere to weigh in on specific findings, most notably the addition of the VoIP threat. Some also debated whether the list is as valuable as it once was.

Since attacks are no longer tied solely to a set of software flaws, SANS renamed the annual list the "Top 20 Attack Targets." Product vulnerabilities continued to top the Bethesda, Md.-based institute's list of threats, but human error also made the list, given users' susceptibility to phishing scams. Among this year's top 20 are six major attack trends:

  • A surge in zero-day attacks that go beyond Internet Explorer to target other Microsoft software.
  • A rapid growth in attacks exploiting vulnerabilities in ubiquitous Microsoft Office products such as PowerPoint and Excel.
  • A continued growth in targeted attacks.
  • Increased phishing attacks against military and government contractor sites.
  • A surge in VoIP (Voice over Internet Protocol) attacks in which attackers can intercept and sell company meeting minutes, inject misleading messages or create massive outages in the old phone network.
  • Ever-increasing attacks against Web application flaws.

A valuable list or just a bunch of opinions?
Some experts, including one who participated in the development of this year's list, wondered aloud if the list is as useful to IT professionals as it was in earlier years, when the focus was squarely on specific software security holes.

Richard Bejtlich, founder of the Washington, D.C.-based consultancy Tao Security, was among the experts who contributed to this year's list. In his blog, he offered a mixed assessment of the final product. On one hand, he said the list is a very informative document with plenty of references. On the other hand, he said SANS lists from years past were more useful because they listed specific vulnerabilities that needed to be "patched now."

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

He said it's also important for people to realize that the list is based on "a bunch of people's opinions."

"There is no analysis of past vulnerability trends or conclusions based on real data," he said. "If you think a bunch of people's opinions is worthwhile, then you may find the Top 20 useful. I think the majority of the Top 20's utility, such as it is, derives from name recognition. If that can help influence your organization's management, then I guess it is helpful."

While it may be more about opinion than deep analysis, others remain convinced that the list serves a valuable purpose.

In the IT Business Edge blog, IT expert Ken Hardin wrote that if nothing else, the Top 20 is a good checklist IT managers can use to make sure they're on top of all the major threats.

"For technical types, the annual SANS paper is a touchstone for a very high-level, real-world alignment check for your security efforts," he said. "Although it includes a fairly exhaustive laundry list of threats and patches, it's also accessible enough to be a useful pass-around to business types who demand to know why they can't download confidential docs to their iPods."

VoIP fans not discouraged
One might expect those pushing the deployment of VoIP to be discouraged by the technology's inclusion on the list. But that doesn't seem to be the case.

Dan York, a director of IP technology with Herndon, Va.-based Mitel Networks Corp., shares responsibility for the security of the company's VoIP products. He said in his blog that SANS was right to put VoIP threats on the list.

"Several people have asked me if I honestly think this is good for VoIP and yes, I do," he said. "First off, it's a sign of the success and importance of VoIP that it is worth attacking and therefore also defending [and] protecting."

And while there are a lot of issues around VoIP security, he said there are also a lot of solutions. A spotlight like the SANS Top 20 will draw attention to those solutions. Finally, he said, the attention "may certainly motivate some of the companies out there that haven't been paying attention to security to get off their tails and do something about it."

Ken Camp, an IT consultant whose expertise includes security practices and the design and deployment of integrated voice and data systems, agreed with York in his blog. He noted that VoIP has achieved critical mass in the marketplace and the security challenges should come as no surprise.

"VoIP has quietly become an industry standard, sustaining technology that is widely used and adopted," he said. "As such, given that it's truly dependent on the IP infrastructure over which it operates, how could any reasonable person not expect that the security problems we see talked about in such frightening terms become a reality? We could have predicted this years ago, and many of us did."

Because VoIP is a sustaining technology that is being widely adopted, he said, IT professionals have good reason to revisit their network security status and find ways to do better.

"It motivates us to rethink our security posture across all enterprise services," he said. "It's not a cause for paranoia. It's cause for sound critical thinking and planning."

Meanwhile, security vendors are using the Top 20 to drum up some interest in their services.

The Vanish.org blog noted that Redwood Shores, Calif.-based security firm Qualys is offering a free SANS Top 20 scan customers can use to see if their networks are plagued by any of the threats on the list.

Qualys helps SANS track the vulnerability landscape and has offered this service in the past.
