Linux/UNIX threats: SANS top 10
Published: 22 Nov 2004 13:10 GMT
For the past four years the SANS Institute has partnered with the FBI's National Infrastructure Protection Centre to compile and publish its list of the most commonly exploited IT security vulnerabilities for both Windows and UNIX systems. This list is regularly updated and revised.
It's important to recall that, unlike the ever-growing list of new exploits found in operating systems and applications, the SANS-FBI list prioritises them according to the actual number of attacks seen by the organisations surveyed.
1 - The top Linux/UNIX threat continues to be the Internet's most popular DNS server software, BIND (Berkeley Internet Name Domain). Buffer overruns and cache poisoning are common attack vectors, and the various exploits mainly succeed because administrators fail to upgrade BIND to more secure versions or are running the BIND daemon ("named") unnecessarily -- it should not be enabled except on specified DNS servers. The BIND team is quick to patch vulnerabilities so it's the responsibility of administrators to keep up with the patches if they choose to run BIND.
2 - Next on the list is the generic Linux/UNIX Web server, which includes Apache and other servers. Threat management mostly consists of updating to fix newly discovered vulnerabilities. SANS recommends the use of open-source vulnerability scanners such as Nessus or SARA to assist in security management. You can also harden a Web server by removing all unused features and software since this reduces the number of potential new vulnerabilities.
3 - The third-rated vulnerability is the password (and other authentication methods). Weak user passwords, especially weak administrator-level passwords, continue to plague the security of Linux/UNIX systems. Be especially careful to identify and remove any default user accounts and passwords.
4 - Fourth are version-control systems, specifically the most popular, Concurrent Versions System (CVS) and Subversion, which have known vulnerabilities and have anonymous access to online databases. The best defence is proper configuration and frequent patching/updates.
5 - Email services are the fifth most common attack vectors. Sendmail is still the most widely used mail transport agent (MTA) on Linux/UNIX, and it has a number of vulnerabilities. Qmail, Courier, Exim and Postfix are newer alternatives with their own vulnerabilities. Frequent patching and proper configuration are the best defence. One of the big problems is that Sendmail is very complex, so simpler MTAs were created, while add-ons were quickly developed and added to provide the functionality of Sendmail. Since these are third-party enhancements, it is very difficult to track new vulnerabilities in all of these add-ons.
6 - It should come as no surprise that a remote network management tool poses considerable risks to networks, and SNMP, which is usually enabled by default, comes in as the sixth most commonly exploited weakness. Disable SNMP if possible; otherwise run SNMPv3 and make certain you keep SNMP 1 and 2 patched if you are forced to use those.
7 - Multiple vulnerabilities in the OpenSSL encryption tool library makes this number seven on the list. The best defence is a properly configured firewall and a periodically patched version of SSL.
8 - Enterprise NIS and NSF Servers that haven't been configured properly are the next biggest threat. Patch, disable any unnecessary daemons, and beef up your firewall to protect against this, the number eight threat.
9 - Databases are designed to be accessed but vulnerabilities can sometimes let remote attackers exploit the open nature of these applications to piggy-back their way into a network. Patching and proper configuration are the best ways to combat this threat, which is rated number nine.
10 - Kernel vulnerabilities round out the list at the tenth position. Protection is a highly complex problem and specific to each vendor and version.
Although the two lists (Windows and Linux/UNIX) are each listed in order of decreasing threat levels, there is no correlation between the two lists; that is, there is no analysis provided as to which OS is more secure or whether a vulnerability being sixth on the Linux/UNIX list is responsible for as many successful attacks by percentage, as the number six threat on the Windows top 10 list.
This is not a tool for determining which OS to use; rather, it is a guide to know which threats deserve the most attention within each category, so don't read too much into the lists. If you use them the way they are intended, then they can be extremely helpful.
Did you find this article useful?
32 out of 69 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
