SANS Lists Top 20 Critical Vulnerabilities

Critical software vulnerabilities are increasing being found — not in

the operating system — but in applications and major databases.

The information comes out of a new quarterly report, the Top 20 Internet Security

Vulnerabilities from the SANS Institute, a major source of security

training and certification based in Bethesda, Md. Analysts from SANS had

been releasing the report annually. This is the first of what will become

quarterly releases, according to Alan Paller, director of research at the

SANS Institute.

”Along with help from the FBI, the White House and the British

government, we had done the Top 20 list annually since 2000,” says

Paller. ”We do it to give people a targeted list of vulnerabilities that

really need to be corrected. Recently, we’ve been getting a lot of

reports that people and their auditors have been using the Top 20 as a

bench mark to make sure they’re closing the right vulnerabilities, and we

decided that annually wasn’t frequent enough.”

And Paller says what he found most interesting about this first quarterly

report is the number of bugs being found in applications.

”The most interesting thing about the list is the number of bugs that

are not in operating systems, but are in databases, security products and

storage products. That’s a major trend that started 18 months ago and it

has accelerated. Virus writers used to attack just the operating system

and now they’re attacking higher up.”

Products from Microsoft, Symantec, Computer Associates and ITunes all

have made the SANS list. A SANS spokesperson notes that if the listed

vulnerabilities go unpatched, companies face a ‘heightened threat that

remote, unauthorized hackers will take control of their computers and use

them for identity theft, industrial espionage or for distributing spam or

pornography’.

”These critical vulnerabilities are widespread and many of them are

being exploited, right now, in our homes and in our offices,” says

Paller. ”We’re publishing this list as a red flag for individuals, as

well as IT departments. Too many people are unaware of these

vulnerabilities, or mistakenly believe their computers are protected.”

Paller says he is disturbed by the number of vulnerabilities being found

in security products.

”They need to do better,” he adds. ”The problem with the risk in the

security applications is that when an attack takes over a computer using

an application, it gets the rights that the security application has, and

security applications have very high rights. If you use a virus checker

to take over the computer, you have more power than if you use a word

processor.”

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020