Information Security News mailing list archives

ISS Lists Security Risks


From: InfoSec News <isn () c4i org>
Date: Tue, 8 Jul 2003 02:28:48 -0500 (CDT)

http://security.ziffdavis.com/article2/0,3973,1185262,00.asp

By Dennis Fisher
eWEEK 
July 7, 2003 

Internet Security Systems Inc. last week unveiled its first 
Catastrophic Risk Index, a compilation of the 31 most serious current 
vulnerabilities and attacks.

The index is designed to give administrators a constantly updated 
quick-reference list of the issues that should be their top priorities 
in protecting networks. Not surprisingly, all but two of the 
vulnerabilities on the list are some form of buffer overflow.

Buffer overflows are far and away the most common security 
vulnerabilities plaguing commercial and open-source software. They 
come in many shapes and sizes (stack and heap, unchecked string 
copies, attacker-supplied lengths) and can be found in almost any kind 
of application. The consequences range from a crash that takes the 
service down to execution of attacker-supplied code with the 
privileges of the affected program; it is that second case, reachable 
over the network without authentication, that hands an attacker a 
critical application or server and makes the flaw a candidate for a 
worm.
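The shape this takes in practice, as an added illustration that is not code from eWEEK, ISS or any product on the index: a parser copies a length-prefixed field into a fixed-size stack buffer. The wire format, the function names and the sample messages below are constructed for this example only. The vulnerable version checks the declared length against the message but never against the destination buffer; the hardened version adds that one comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (not any real protocol):
 *   byte 0      : declared payload length
 *   bytes 1..n  : payload                                            */
#define FIELD_MAX 16

/* Vulnerable pattern. The length is validated against the message size,
 * so well-formed input parses correctly and functional tests pass, but it
 * is never compared with the destination buffer. A declared length above
 * FIELD_MAX writes past `field` on the stack (undefined behaviour; on most
 * targets that reaches the saved return address).                      */
int parse_unsafe(const uint8_t *msg, size_t msglen, char *out, size_t outlen)
{
    char field[FIELD_MAX];
    if (msglen < 1) return -1;
    size_t len = msg[0];
    if (len > msglen - 1) return -1;      /* truncated message */
    memcpy(field, msg + 1, len);          /* no check against FIELD_MAX */
    if (len >= outlen) return -1;
    memcpy(out, field, len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened pattern: the same parser with the missing bound check. */
int parse_safe(const uint8_t *msg, size_t msglen, char *out, size_t outlen)
{
    char field[FIELD_MAX];
    if (msglen < 1) return -1;
    size_t len = msg[0];
    if (len > msglen - 1) return -1;      /* truncated message */
    if (len >= sizeof field) return -1;   /* too long for field + terminator */
    memcpy(field, msg + 1, len);
    field[len] = '\0';
    if (len >= outlen) return -1;
    memcpy(out, field, len + 1);
    return (int)len;
}

/* Constructed well-formed message: length 5, payload "hello". */
static const uint8_t GOOD_MSG[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* Constructed hostile message: declares 40 payload bytes, 2.5x FIELD_MAX.
 * Returns the total message size written, or 0 if buf is too small.     */
static size_t build_overlong(uint8_t *buf, size_t buflen)
{
    size_t payload = 40;
    if (buflen < payload + 1) return 0;
    buf[0] = (uint8_t)payload;
    memset(buf + 1, 'A', payload);
    return payload + 1;
}

/* Returns 1 when the hardened parser rejects the overlong message. */
int overlong_is_rejected(void)
{
    uint8_t msg[64];
    char out[FIELD_MAX];
    size_t n = build_overlong(msg, sizeof msg);
    return n != 0 && parse_safe(msg, n, out, sizeof out) == -1;
}

/* Returns the parsed length when both parsers agree on well-formed input,
 * -1 otherwise. The point: the vulnerable version passes this test too.  */
int good_message_parses(void)
{
    char a[FIELD_MAX], b[FIELD_MAX];
    int ra = parse_unsafe(GOOD_MSG, sizeof GOOD_MSG, a, sizeof a);
    int rb = parse_safe(GOOD_MSG, sizeof GOOD_MSG, b, sizeof b);
    if (ra != rb || strcmp(a, "hello") != 0 || strcmp(b, "hello") != 0)
        return -1;
    return ra;
}

int main(void)
{
    printf("well-formed message parses: %d\n", good_message_parses());   /* 5 */
    printf("overlong message rejected by parse_safe: %d\n",
           overlong_is_rejected());                                      /* 1 */
    /* parse_unsafe is deliberately never fed the overlong message here:
     * that would corrupt this program's own stack.                      */
    return 0;
}
```

The check to take away is the `len >= sizeof field` line: the bound must be the destination buffer, not the source. Compiler stack protectors and non-executable stacks turn many such overflows into crashes rather than code execution, which is why the same bug can sit at either end of the consequence range described above.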

To qualify for inclusion on the CRI, a vulnerability must meet several 
criteria: be pervasive enough to affect almost all organizations 
across all industries; be a serious threat to the confidentiality, 
integrity and availability of critical data; be a potential cause of 
catastrophic business-system failure; and be highly susceptible to 
virus and worm creation. About one-third of the vulnerabilities on the 
list are found in open-source software packages, including OpenSSL, 
Sendmail and Snort. The remainder are problems in commercial 
applications, with Microsoft Corp. having the most entries on the CRI. 
Of the 31 issues listed, 12 were found in Microsoft products. The 
other commercial vendors with more than one flaw on the list are Sun 
Microsystems Inc. and PeopleSoft Inc., which have two each.

The CRI was developed by X-Force, the research team at ISS, which is 
based in Atlanta. The team plans to update the list on a regular basis 
so that it continues to reflect the current set of the most dangerous 
known vulnerabilities.

ISS officials said the company developed the CRI as a way to take some 
of the pressure off customers, which are inundated with information 
about new vulnerabilities and attacks every day.

"Our security team identifies and tracks 200 to 300 new 
vulnerabilities and threats each month, which is an enormous load for 
companies to keep up with while also focusing on their core business," 
said Chris Rouland, vice president of X-Force.



-
ISN is currently hosted by Attrition.org
