Although he wouldn't name specific companies, Paller said five security firms will participate by building new features into their systems to scan corporate networks for vulnerabilities on the Top 20 list. News.com has learned that Internet Security Systems, Foundstone, Qualys, and TippingPoint are four of the five. Gerhard Eschelbeck, vice president of engineering for security service provider Qualys, said the company would offer a free scan for the SANS-FBI Top 20 vulnerabilities to any network owner. While he didn't comment on whether Qualys would support the expanded list of flaws the organizations plan to release later, Eschelbeck did stress that it wouldn't be hard to do so. "The beauty of the service-based model that we have is that we can distribute signatures with a click of a mouse," Eschelbeck said. Network-protection company Internet Security Systems, which has built scanning support for the vulnerabilities included in the previous lists released by SANS will do so again, said Dan Ingevaldson, leader of ISS's research and development team. "There are a lot more vendors involved this year," Ingevaldson said. "A whole bunch got together and made a choice over what should be included in the list." This will be the third year that the SANS Institute has released a list of top flaws. In June 2000, the organization listed its Top 10. It updated that to a Top 20 in October 2001. Companies that eliminate the vulnerabilities on the Top 20 list from their networks will have made themselves immune to approximately 80 percent of all attacks on the Internet, Paller said. To show how effective such tools can be, the SANS Institute and the FBI will point to system administrators at NASA, who used a vulnerability-focused approach to eliminate security problems with their network. Details from that study haven't yet been released. "NASA is the poster child for this," said Paller. In addition, the Federal Computer Incident Response Center (FedCIRC) will take part in the announcement. Lists of confusion Not everyone is enamored of the new initiatives, however. At least one security consultant familiar with the announcement worried that the planned expansion of the list from 20 to perhaps as many as 100 vulnerabilities could just cause more confusion. "We just have too many databases already," he said, asking not to be named. Purdue University maintains the Common Vulnerability Database, and most security companies have their own databases as well. In addition, the Common Vulnerability Encyclopedia, run by the Mitre Group, is a central repository and Rosetta stone that links together the various definitions companies create for the same vulnerabilities. But Paller said that's exactly why such lists are needed. He stressed that the new list would direct companies to the most-serious of the three dozen or so vulnerabilities that appear each week and add depth to the other databases. The databases "all look at this elephant from a slightly different perspective," Paller said.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
