
SANS Updates Its Annual Top 20 List

Forwarded from: Security UPDATE 


=== CONTENTS ==================================================
IN FOCUS: SANS Updates Its Annual Top 20 List

   - Microsoft Licenses Group Policy Conversion Tool to Ease Vista Migration
   - Forefront Client Beta Available; New Forefront Server Products Coming Soon
   - Web Application Security Report to Debut in January
   - Recent Security Vulnerabilities

   - Security Matters Blog: Windows Vista Security Guide Available
   - FAQ: Using FrontPage to Backup or Restore a SharePoint Site 
   - From the Forum: Setting Up Security Groups
   - Know Your IT Security Contest
   - SharePoint Pro Online--LIVE! Event

   - Manage USB Drives for Access and Storage
   - Wanted: Your Reviews of Products 

=== SPONSOR: NetIQ ============================================
Privacy. Compliance. International Data. Free WP
   Is your multinational company feeling mounting pressure trying to 
meet worldwide compliance regulations that protect personally 
identifiable information or PII? The timely Free White Paper: Privacy, 
Compliance and International Data Flows presents action steps needed to 
avoid legal problems today. 

=== IN FOCUS: SANS Updates Its Annual Top 20 List =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

In the past, the SANS Institute published an annual list, Top 10 
Vulnerabilities, that outlined the most serious vulnerabilities facing 
system administrators on a variety of platforms. The list was later 
expanded to the top 20 vulnerabilities. This year, SANS has changed the 
name of its list to the SANS Top-20 Internet Security Attack Targets.

The list is divided into four categories--OSs, cross-platform 
applications, network devices, and security policy and personnel--along 
with a special section that discusses zero-day attacks. The OS category 
is almost entirely devoted to Windows. Areas that need special 
attention on Windows platforms include Internet Explorer (IE), Windows 
libraries (DLLs), services, overall system configuration, and Office. 

The cross-platform applications category is broad and includes common 
targets of attack such as Web applications, database software, P2P and 
IM applications, media players, DNS servers, backup software, and 
various types of management servers. 

As history shows, new targets of attack typically include emerging 
technologies, which are usually less mature and thus prone to include 
exploitable bugs. VoIP technology is a case in point. SANS points out 
that both VoIP servers and phones have become major targets, with no 
fewer than four vulnerabilities reported in the hugely popular Asterisk 
VoIP server platform, two vulnerabilities in Cisco Call Manager, and at 
least seven vulnerabilities in VoIP phones. 

Two long-standing information security problems have been the existence 
of excessive user rights and the use of unauthorized devices. Both 
these problems could be related to insufficient or nonexistent security 
policies. Such problems could give rise to situations in which users 
inadvertently open security holes into a network or introduce malware. 
The problem could also lead to the exposure or theft of sensitive 
company information. 

Phishing is of course a major problem and makes end users a major point 
of attack. Phishing attacks, like other forms of social engineering, 
are designed to glean sensitive information from unsuspecting users. 
Attacks can be very sophisticated and highly tailored and targeted. 

Last, but certainly not least, are the ever-present zero-day exploits 
that have plagued security administrators since computers came into 
mainstream use. Although, historically, most zero-day attacks have 
targeted Windows platforms, other OSs aren't immune. The SANS list 
points to Windows and Apple OS X as the current major points of attack. 
However, zero-day exploits have also turned into attacks against 
various Linux platforms, Wi-Fi devices and their drivers, and other 
commonly used technologies. In fact, the Kernel Fun blog is currently 
hosting a "month of kernel bugs" that affect various platforms, 
including BSD and Linux. In some cases, no patch is available for the 
bugs posted, which of course puts millions of users and many businesses 
at serious risk. How fun is that? 

The SANS Top-20 Internet Security Attack Targets report is a good 
resource for security administrators to use as a means to gain insight 
into what others see as the most serious attack vectors. The report is 
free at the SANS Web site in HTML or PDF format, and administrators 
would do well to carefully review the report to make sure that they've 
got all their bases covered. 

=== SPONSOR: Scalable Software ================================
Reducing the Cost of IT Compliance: Streamlining the IT Compliance Life 
   The average enterprise spends nearly $10 million annually on IT 
compliance. Download this free whitepaper today to streamline the 
compliance lifecycle, and dramatically reduce your company's costs! 

=== SECURITY NEWS AND FEATURES ================================
Microsoft Licenses Group Policy Conversion Tool to Ease Vista Migration
   The ADMX Migrator tool, developed by FullArmor, will be available 
for free to convert ADM templates to ADMX. 

Forefront Client Beta Available; New Forefront Server Products Coming Soon
   Microsoft released the Forefront Client Security public beta and 
announced that Forefront Security for Exchange Server and Forefront 
Security for SharePoint will be available in December. 

Web Application Security Report to Debut in January
   WhiteHat Security will soon begin offering a quarterly report on the 
vulnerabilities affecting enterprise Web sites. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Liquid Machines ==================================
Liquid Machines and Windows RMS: Rights Management for the Enterprise
   Extend Microsoft Windows Rights Management Services (RMS) to support 
enterprise requirements for information protection, including 
proprietary business data. 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Windows Vista Security Guide Available 
by Mark Joseph Edwards

Microsoft published its official Windows Vista Security Guide. It's 
available at the TechNet Web site now. 

FAQ: Using FrontPage to Backup or Restore a SharePoint Site

Q: How can I use Microsoft FrontPage to back up or restore a Microsoft 
SharePoint site?

Find the answer at 

FROM THE FORUM: Setting Up Security Groups
   A reader has set up two security groups on a shared folder; one 
allows special modify access and the other allows modify access. With 
the security setting applied, users can create subfolders but can't 
rename files. Is there a solution for this? Join the discussion at 

   Share your security-related tips, comments, or solutions in 1000 
words or less, and you could be one of 13 lucky winners of a Zune media 
player. Tell us how you do patch management, share a security script, 
or write about a security article you've read or a Webcast you've 
viewed. Submit your entry between now and December 13. We'll select the 
13 best entries, and the winners will receive a Zune media player--
plus, we'll publish the winning entries in the Windows IT Security 
newsletter. Email your contributions to 
   Prizes are courtesy of Microsoft Learning Paths for Security: 

SharePoint Pro Online--LIVE! will be a premier virtual event for 
developers and administrators of SharePoint products and technologies. 
Brought to you by MSD2D and the Windows IT Media Community, this event 
will demonstrate, showcase, and exhibit the premier companies in the 
SharePoint market. The conference will bring industry experts to the 
desktops of attendees, educating them on various SharePoint topics.

=== PRODUCTS ==================================================
   by Renee Munshi

Manage USB Drives for Access and Storage
   RedCannon Security offers KeyPoint Alchemy, which turns USB flash 
drives from a variety of manufacturers into corporate storage and 
access devices. KeyPoint Alchemy, an appliance-based system with a Web-
based management interface, automatically updates applications, 
content, authentication tokens, and security policies on USB drives. It 
offers complete USB device lifecycle management, including 
provisioning, password reset, and remote destruction. For more 
information, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================
   For more security-related resources, visit 

Can you set up a single sign-on environment for Linux and Windows? 
After attending this free seminar from TechX World on December 14, 
you'll be able to! We'll discuss the different authentication 
mechanisms used by Windows and Linux and show how you can configure 
networked Linux systems to accept logons in a secure manner using 
Windows AD accounts. Register today! 

Do you have visibility of and control over your software licenses? Most 
organizations face serious challenges, such as understanding vendor 
licensing models, cost overruns, missed deadlines and business 
opportunities, and lost user productivity. Learn to address these 
challenges and prepare for audits. Register for the free Web seminar, 
available now! 

BONUS: Register for any Web seminar--live or on-demand--during the 
month of November, and you could win a PS3! View a full list of 
eligible seminars at 

Are you an Oracle professional who has cross-platform responsibilities, 
or do you need to transfer your skill set to SQL Server? If so, 
register for free to attend the Cross Platform Data online event 
January 30 and 31 and February 1, 2007. In a seminar featuring SQL 
Server/Oracle experts Andrew Sisson from Scalability Experts and 
Douglas McDowell from Solid Quality Learning, you'll learn key concepts 
about SQL Server 2005, including how to deploy SQL Server's BI 
capabilities on Oracle, proof points demonstrating that SQL Server is 
enterprise-ready, and how to successfully deploy Oracle on the Windows 

After disaster strikes, does recovering your data feel like digging for 
buried treasure? Test your disaster recovery skills, and you could win! 
Each week we'll give away a USB flash drive to one lucky treasure 
hunter. You'll also be entered to win the full treasure chest, 
including Bose headphones! Test your skills now! 

In this free podcast, Randy Franklin Smith outlines five evaluation 
points to consider when choosing your antispyware solution. Download it 

=== FEATURED WHITE PAPER ======================================
When your email systems go down, do your employees stop communicating? 
Of course not--they find alternative methods, which might not be 
compliant with your messaging regulations. Download this free Executive 
Guide to discover the impact of email outages on compliance and learn 
methods for establishing continuity in your corporate messaging 

=== ANNOUNCEMENTS =============================================
Special Invitation for VIP Access 
   Become a VIP subscriber and get continuous, inside access to ALL the 
content published in Windows IT Pro, SQL Server Magazine, and the 
Exchange and Outlook Administrator, Windows Scripting Solutions, and 
Windows IT Security newsletters. Subscribe now and SAVE $100: 

Save $40 off SQL Server Magazine 
   Subscribe to SQL Server Magazine today and SAVE $40! Along with your 
12 issues, you'll get FREE access to the entire SQL Server Magazine 
online article archive, which houses more than 2,500 helpful SQL Server 
articles. This offer expires on November 30, 2006, so order now: 

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and the Windows IT Security newsletter 
(subscribe at the second URL below). 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
