Information Security News mailing list archives
ISS Lists Security Risks
From: InfoSec News <isn () c4i org>
Date: Tue, 8 Jul 2003 02:28:48 -0500 (CDT)
http://security.ziffdavis.com/article2/0,3973,1185262,00.asp

By Dennis Fisher
eWEEK
July 7, 2003

Internet Security Systems Inc. last week unveiled its first Catastrophic Risk Index, a compilation of the 31 most serious current vulnerabilities and attacks. The index is designed to give administrators a constantly updated quick-reference list of the issues that should be their top priorities in protecting networks.

Not surprisingly, all but two of the vulnerabilities on the list are some form of buffer overflow. Buffer overflows are far and away the most common security vulnerabilities plaguing commercial and open-source software. They come in many shapes and sizes and can be found in almost any kind of application, but the result is almost always the same: an attacker gets access to a critical application or server.

To qualify for inclusion on the CRI, a vulnerability must meet several criteria: be pervasive enough to affect almost all organizations across all industries; be a serious threat to the confidentiality, integrity and availability of critical data; be a potential cause of catastrophic business-system failure; and be highly susceptible to virus and worm creation.

About one-third of the vulnerabilities on the list are found in open-source software packages, including OpenSSL, Sendmail and Snort. The remainder are problems in commercial applications, with Microsoft Corp. having the most entries on the CRI. Of the 31 issues listed, 12 were found in Microsoft products. The other commercial vendors with more than one flaw on the list are Sun Microsystems Inc. and PeopleSoft Inc., which have two each.

The CRI was developed by X-Force, the research team at ISS, which is based in Atlanta. The team plans to update the list on a regular basis so that it continues to reflect the current set of the most dangerous known vulnerabilities.

ISS officials said the company developed the CRI as a way to take some of the pressure off customers, which are inundated with information about new vulnerabilities and attacks every day. "Our security team identifies and tracks 200 to 300 new vulnerabilities and threats each month, which is an enormous load for companies to keep up with while also focusing on their core business," said Chris Rouland, vice president of X-Force.

-
ISN is currently hosted by Attrition.org