Security UPDATE--SANS Updates Its Annual Top 20 List--November 22, 2006


Privacy. Compliance. International Data. Free WP

Reducing the Cost of IT Compliance: Streamlining the IT Compliance Life Cycle

Liquid Machines and Windows RMS: Rights Management for the Enterprise



IN FOCUS: SANS Updates Its Annual Top 20 List


- Microsoft Licenses Group Policy Conversion Tool to Ease Vista Migration

- Forefront Client Beta Available; New Forefront Server Products Coming Soon

- Web Application Security Report to Debut in January

- Recent Security Vulnerabilities


- Security Matters Blog: Windows Vista Security Guide Available

- FAQ: Using FrontPage to Backup or Restore a SharePoint Site

- From the Forum: Setting Up Security Groups

- Know Your IT Security Contest

- SharePoint Pro Online--LIVE! Event


- Manage USB Drives for Access and Storage

- Wanted: Your Reviews of Products






Privacy. Compliance. International Data. Free WP

Is your multinational company feeling mounting pressure trying to meet worldwide compliance regulations that protect personally identifiable information or PII? The timely Free White Paper: Privacy, Compliance and International Data Flows presents action steps needed to avoid legal problems today.

=== IN FOCUS: SANS Updates Its Annual Top 20 List


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

In the past, the SANS Institute published an annual list, Top 10 Vulnerabilities, that outlined the most serious vulnerabilities facing system administrators on a variety of platforms. The list was later expanded to the top 20 vulnerabilities. This year, SANS has changed the name of its list to the SANS Top-20 Internet Security Attack Targets.

The list is divided into four categories--OSs, cross-platform applications, network devices, and security policy and personnel--along with a special section that discusses zero-day attacks. The OS category is almost entirely devoted to Windows. Areas that need special attention on Windows platforms include Internet Explorer (IE), Windows libraries (DLLs), services, overall system configuration, and Office.

The cross-platform applications category is broad and includes common targets of attack such as Web applications, database software, P2P and IM applications, media players, DNS servers, backup software, and various types of management servers.

As history shows, new targets of attack typically include emerging technologies, which are usually less mature and thus prone to include exploitable bugs. VoIP technology is a case in point. SANS points out that both VoIP servers and phones have become major targets, with no fewer than four vulnerabilities reported in the hugely popular Asterisk VoIP server platform, two vulnerabilities in Cisco Call Manager, and at least seven vulnerabilities in VoIP phones.

Two long-standing information security problems have been the existence of excessive user rights and the use of unauthorized devices. Both of these problems could be related to insufficient or nonexistent security policies. Such problems could give rise to situations in which users inadvertently open security holes in a network or introduce malware; they could also lead to the exposure or theft of sensitive company information.

Phishing is of course a major problem and makes end users a major point of attack. Phishing attacks, like other forms of social engineering, are designed to glean sensitive information from unsuspecting users. Attacks can be very sophisticated and highly tailored and targeted.

Last, but certainly not least, are the ever-present zero-day exploits that have plagued security administrators since computers came into mainstream use. Although historically, most zero-day attacks have targeted Windows platforms, other OSs aren't immune. The SANS list points to Windows and Apple OS X as the current major points of attack. However, zero-day exploits have also turned into attacks against various Linux platforms, Wi-Fi devices and their drivers, and other commonly used technologies. In fact, the Kernel Fun blog is currently hosting a "month of kernel bugs" that affect various platforms, including BSD and Linux. In some cases, no patch is available for the bugs posted, which of course puts millions of users and many businesses at serious risk. How fun is that?

The SANS Top-20 Internet Security Attack Targets report is a good resource for security administrators to use as a means to gain insight into what others see as the most serious attack vectors. The report is free at the SANS Web site in HTML or PDF format, and administrators would do well to carefully review the report to make sure that they've got all their bases covered.

=== SPONSOR: Scalable Software


Reducing the Cost of IT Compliance: Streamlining the IT Compliance Life Cycle

The average enterprise spends nearly $10 million annually on IT compliance. Download this free whitepaper today to streamline the compliance lifecycle, and dramatically reduce your company's costs!



Microsoft Licenses Group Policy Conversion Tool to Ease Vista Migration

The ADMX Migrator tool, developed by FullArmor, will be available for free to convert ADM templates to ADMX.

Forefront Client Beta Available; New Forefront Server Products Coming Soon

Microsoft released the Forefront Client Security public beta and announced that Forefront Security for Exchange Server and Forefront Security for SharePoint will be available in December.

Web Application Security Report to Debut in January

WhiteHat Security will soon begin offering a quarterly report on the vulnerabilities affecting enterprise Web sites.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Liquid Machines


Liquid Machines and Windows RMS: Rights Management for the Enterprise

Extend Microsoft Windows Rights Management Services (RMS) to support enterprise requirements for information protection, including proprietary business data.



SECURITY MATTERS BLOG: Windows Vista Security Guide Available

by Mark Joseph Edwards

Microsoft published its official Windows Vista Security Guide. It's available at the TechNet Web site now.

FAQ: Using FrontPage to Backup or Restore a SharePoint Site

Q: How can I use Microsoft FrontPage to back up or restore a Microsoft SharePoint site?

Find the answer at

FROM THE FORUM: Setting Up Security Groups

A reader has set up two security groups on a shared folder; one allows special modify access and the other allows modify access. With the security setting applied, users can create subfolders but can't rename files. Is there a solution for this? Join the discussion at


Share your security-related tips, comments, or solutions in 1000 words or less, and you could be one of 13 lucky winners of a Zune media player. Tell us how you do patch management, share a security script, or write about a security article you've read or a Webcast you've viewed. Submit your entry between now and December 13. We'll select the 13 best entries, and the winners will receive a Zune media player--plus, we'll publish the winning entries in the Windows IT Security newsletter. Email your contributions to [email protected]

Prizes are courtesy of Microsoft Learning Paths for Security:

SharePoint Pro Online--LIVE! will be a premier virtual event for developers and administrators of SharePoint products and technologies. Brought to you by MSD2D and the Windows IT Media Community, this event will demonstrate, showcase, and exhibit the premier companies in the SharePoint market. The conference will bring industry experts to the desktops of attendees, educating them on various SharePoint topics. TO REGISTER:



by Renee Munshi, [email protected]

Manage USB Drives for Access and Storage

RedCannon Security offers KeyPoint Alchemy, which turns USB flash drives from a variety of manufacturers into corporate storage and access devices. KeyPoint Alchemy, an appliance-based system with a Web-based management interface, automatically updates applications, content, authentication tokens, and security policies on USB drives. It offers complete USB device lifecycle management, including provisioning, password reset, and remote destruction. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

Can you set up a single sign-on environment for Linux and Windows? After attending this free seminar from TechX World on December 14, you'll be able to! We'll discuss the different authentication mechanisms used by Windows and Linux and show how you can configure networked Linux systems to accept logons in a secure manner using Windows AD accounts. Register today!

Do you have visibility of and control over your software licenses? Most organizations face serious challenges, such as understanding vendor licensing models, cost overruns, missed deadlines and business opportunities, and lost user productivity. Learn to address these challenges and prepare for audits. Register for the free Web seminar, available now!

BONUS: Register for any Web seminar--live or on-demand--during the month of November, and you could win a PS3! View a full list of eligible seminars at

Are you an Oracle professional who has cross-platform responsibilities, or do you need to transfer your skill set to SQL Server? If so, register for free to attend the Cross Platform Data online event January 30 and 31 and February 1, 2007. In a seminar featuring SQL Server/Oracle experts Andrew Sisson from Scalability Experts and Douglas McDowell from Solid Quality Learning, you'll learn key concepts about SQL Server 2005, including how to deploy SQL Server's BI capabilities on Oracle, proof points demonstrating that SQL Server is enterprise-ready, and how to successfully deploy Oracle on the Windows platform.

After disaster strikes, does recovering your data feel like digging for buried treasure? Test your disaster recovery skills, and you could win! Each week we'll give away a USB flash drive to one lucky treasure hunter. You'll also be entered to win the full treasure chest, including Bose headphones! Test your skills now!

In this free podcast, Randy Franklin Smith outlines five evaluation points to consider when choosing your antispyware solution. Download it today!



When your email systems go down, do your employees stop communicating? Of course not--they find alternative methods, which might not be compliant with your messaging regulations. Download this free Executive Guide to discover the impact of email outages on compliance and learn methods for establishing continuity in your corporate messaging environment.



Special Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters. Subscribe now and SAVE $100:

Save $40 off SQL Server Magazine

Subscribe to SQL Server Magazine today and SAVE $40! Along with your 12 issues, you'll get FREE access to the entire SQL Server Magazine online article archive, which houses more than 2,500 helpful SQL Server articles. This offer expires on November 30, 2006, so order now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
