The SANS Top-20 Internet Security Attack Targets has been released for 2006. I think this is an excellent example of providing practical useful information about IT security risks. They cover the questions that any administrator asks themself when a new vulnerability is released:
- What is this all about? Criticality ratings can be useful, but when triaging new patches plain language makes it easier to understand how it affects into your organization.
- What software is affected? Helps to nail down how extensive a problem this might be. Again, does this apply to me?
- Where can I get more information? CVE entries are linked, for more detail should you determine this is an issue worth examining more closely. References are also provided.
- How do I know if I am at risk? Practical advice on checking on how important this issue is to you.
- How can I protect myself? Great examples of going beyond the generic advice of ‘keep your systems patched’. Not every administrator can immediately keep up with patches, as they often have to be tested for interoperability. They give examples of processes, system settings, and user training for enhancing your security.
As for the items on the list, in many ways they mirror Forresters’ security coverage, although some areas are not yet issues for most enterprises, while other issues are fires they are fighting every day. For instance, the monthly patching from Microsoft for issues with IE, Libraries and Office are a daily reality accross almost all enterprises. Whereas VOIP servers and phones, and Instant Messaging vulnerabilities still have not yet hit the mainstream. Excessive user rights and unauthorized devices is a prime example of where most enterprises know the problem exists, but have few, if any, solutions to deal with it.