Top Critical Internet Security Threats

According to Elinor Abreu of The Industry Standard, the FBI, Department of Justice, and the SANS Institute are jointly releasing a list of the 10 most critical Internet Security Threats and how to eliminate them.

SANS is maintaining "How To Eliminate The Ten Most Critical Internet Security Threats, The Experts' Consensus" as a "living document," i.e., it will be constantly updated as more current information becomes available.

The five worst security mistakes committed by average computer users:

  1. Opening unsolicited e-mail attachments without verifying their source or checking their content.
  2. Failure to install the latest security patches for programs like Microsoft Office, Internet Explorer, and Netscape.
  3. Installing screen savers or games from unknown sources.
  4. Not making and testing backups.
  5. Using a modem while connected through a LAN.

SANS's list of Top Management Errors (per computer security experts and managers at the SANS99 and Federal Computer Security Conferences, Baltimore, May 7-14, 1999):

  1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
  2. Failure to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
  3. Failure to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
  4. Relying primarily on a firewall for security.
  5. Fail to realize how much money their information and organizational reputations are worth.
  6. Authorize reactive, short-term fixes so problems re-emerge rapidly.
  7. Pretend the problem will go away if they ignore it.

The list of security blunders common among IT workers, who bear the brunt of most of the problems that plague computer systems:

  1. Connecting systems to the Internet before hardening them.
  2. Connecting test systems to the Internet with default accounts or passwords.
  3. Failing to update systems when security holes are found.
  4. Using Telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKIs (public key infrastructures).
  5. Giving out passwords to users over the phone or changing passwords without verifying the legitimacy of the request.
  6. Failing to maintain and test backups.
  7. Implementing firewalls that do not stop malicious or dangerous traffic.
  8. Failure to update virus detection software.
  9. Failure to educate users about security problems.
  10. Allowing untrained users to take responsibility for securing important systems.

"A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic, taking the easiest and most convenient route," the report states. "They count on organizations not fixing the problems, and they often attack indiscriminately by scanning the Internet for vulnerable systems." Meanwhile, system administrators typically say they are too busy to correct the simple flaws and argue that they do not know which of more than 500 potential problems are the most dangerous and, hence, a top priority, according to the report.

The Unix and Linux platforms, which abound in universities and other large organizations, were found to be the most frequently affected by vulnerabilities. But several security holes were found to apply regardless of the systems, network devices and Web servers in use.

Adapted from an InfoWorld copyrighted story, June 1, 2000, at
   http://www.infoworld.com/articles/hn/xml/00/06/01/000601hntopten.xml