SAN FRANCISCO (06/01/2000) - The U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Justice and the System Administration, Networking and Security Institute (SANS) are jointly releasing a list detailing the 10 most critical Internet security threats and how to eliminate them.
While those threats are mostly of concern to network administrators, the SANS Institute also released a list of the five worst security mistakes committed by average computer users.
Not surprisingly, at the top of that list is opening unsolicited e-mail attachments without verifying their source or checking their content.
Apparently, people haven't yet learned the security lessons of the "ILoveYou" virus, as messages containing the virus are still being sent - nearly a month after it was unleashed - causing an estimated $6.7 billion worth of damage.
No. 2 on the list is failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer and Netscape browsers. Installing screen savers or games from unknown sources is next, followed by not making and testing backups, and then using a modem while connected through a local area network.
But average computer users aren't the only ones leaving themselves open to attack. The SANS Institute also points an accusatory finger at senior executives and information technology experts.
The Institute's research found that senior executives often are guilty of assigning untrained people to maintain security, failing to see the consequences of poor security, failing to make fixes or follow up on them, relying primarily on a firewall for security, failing to realize how much money their "information and organizational reputations are worth," authorizing short-term fixes and pretending that problems will go away if they are ignored.
The list of security blunders common among IT workers, who bear the brunt of most of the problems that plague computer systems, surprisingly is even longer.
According to the SANS Institute, IT workers all too often connect systems to the Internet before hardening them; connect test systems to the Internet with default accounts or passwords; fail to update systems when security holes are found; use telnet and other unencrypted protocols for managing systems, routers, firewalls and public key infrastructures; give out passwords to users over the phone or change passwords without verifying the legitimacy of the request; fail to maintain and test backups; implement firewalls that don't stop malicious or dangerous traffic; fail to update virus detection software; fail to educate users about security problems; and allow untrained users to take responsibility for securing important systems.
The researchers found that most of the successful attacks on computer systems could be traced to one of a small number of security flaws.
"A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic - taking the easiest and most convenient route," the report states. "They count on organizations not fixing the problems, and they often attack indiscriminately by scanning the Internet for vulnerable systems."
Meanwhile, system administrators typically say they're too busy to correct the simple flaws and argue that they don't know which of more than 500 potential problems are the most dangerous and, hence, a top priority, according to the report.
There shouldn't be any excuse for such excuses now. The top 10 list of the most critical Internet security threats reads like a technical document, but gives easy-to-understand advice about fixing flaws.
The Unix and Linux platforms, which abound in universities and other large organizations, were found to be the most frequently affected by vulnerabilities. But several security holes were found to occur regardless of the systems, network devices and Web servers in use.
The top ten list has been posted by SANS, at http://www.sans.org, along with guidance on how to fix the problems.