Comments on: SANS Top 20 released, but is it still useful?

By: Anonomous User

Anonomous User — Mon, 24 Dec 2007 20:21:51 +0000

This has nothing to do with helping the security industry. It is a way for SANS to make a whole lot of money off of Tippingpoint, and it is a way for Tippingpoint to get leads to sell product. Please note that SANS does very little in giving back free or useful information back to the community, and the prices for their classes are outrageously expensive to the profit of Paller, who owns this FOR PROFIT company. Do not let the .org fool you!

By: Stephen Northcutt

Stephen Northcutt — Mon, 03 Dec 2007 23:38:18 +0000

Keep in mind that the SANS Top 20 is supposed to be “20″ items that account for 80% of successful attacks; i.e. the low hanging fruit. The real benefit of the Top 20 is that most vulnerability scanners as well as a number of SIEMs, and configuration management consoles support and test for the SANS Top 20 since it has been around for so long. With apologies to Richard Clarke, if you don’t fix the Top 20 vulnerabilities you will be hacked and what’s more, you deserve to be hacked.

By: Jim Williams

Jim Williams — Mon, 03 Dec 2007 22:57:23 +0000

The SANS list is a valuable tool for me. Even if it hasn’t changed much during the last few issues,the list reflects the current vulnerabilities.

I have used this list to empower my arguments with management for budget dollars in areas such as end-user awareness and security training. I have also used it to argue effectively for some needed policies changes.

By: Jeff Stebelton

Jeff Stebelton — Fri, 30 Nov 2007 19:50:43 +0000

If the threat landscape hasn’t changed significantly, they can only report on what are still the major vectors. That speaks as much to how little headway we are making in certain areas as anything else. The biggest issue I see is client side attacks are ramping up at an unbeleiveable rate, and user education and/or controls on the client side aren’t happening. A thirty minute class once a year isn’t going to change the mindset of the typical “that looks interesting I’ll click on it” corporate user.

By: A. Schmidt

A. Schmidt — Fri, 30 Nov 2007 18:24:13 +0000

The SANS Top Twenty is like any other security list that is being published today. The average CIO has become immune to the myriad of security threat listings. The only thing that seems to get the attention of CIO’s is when it a major incident is published.

By: Charley Roberts

Charley Roberts — Wed, 28 Nov 2007 16:50:15 +0000

Whether the count is 18 or some other number, SANS has earned and continues to enhance its reputation for contributions to information security. Thoughtful users, managers and owners are well advised to examine each item on the list, consider the extents to which they are exposed and resulting risk levels and undertake — or continue to pursue — appropriate action. If any enterprise determines it is adequately protected from the SANS Top 20 or has implemented cost-effective measures to compensate for expectable losses, congratulations…and best wishes in addressing its own prioritized threat list.

By: Raphael Leiteritz

Raphael Leiteritz — Wed, 28 Nov 2007 15:15:59 +0000

I think that it is beneficial to make note of top security threats such as Web vulnerabilities and unencrypted/lost laptops and removable devices. The problem is: This is not really new. The results from reports such as this annual one should be used to broaden the discussion and focus on newer, more proactive security practices that will combat these threats rather than just reporting on the threats themselves – we’re aware they exist, but more importantly, how can we stop them?