Analysis: Creating a 'Top 10' list of security issues is great for addressing problems in a focused manner. I've always been a fan of the SANS Institute's Top 10 Vulnerabilities list, even after it morphed into a Top 20 Vulnerabilities list (http://www.sans.org/info/27974). It's encouraged other useful lists as well, such as the Top 20 Programming Errors (http://www.sans.org/cag) and the Top 20 Most Critical Security Controls (http://www.sans.org/cag). The OWASP Top 10 Web Application Security Vulnerabilities (http://www.owasp.org/index.php/Top_10_2007) is just as useful -- and the fact that most of the items on the list haven't changed over the past decade is very telling. These types of lists are great for corralling consensus about what the biggest problems are so that they can be addressed in a focused manner.
My question for you is, does your organization have a top 10 computer security problems list? If so, is the list well known by all members of IT management, computer security staff, programmers, and infrastructure support folks? If you don't have a list -- or if no one else knows about it -- how can you be sure that your IT department is focusing the right amount of resources on the right problems?
I constantly run across organizations that do not adequately address high-risk problems; rather, they get sidetracked into solving mid-tier problems that are easier to crack. For example, an organization's biggest problem might be that of end users installing Trojan horse malware. Meanwhile, the company is pouring money and manpower into stopping remote buffer overflows or trying to achieve 100 percent patching compliance -- even though these solutions resolve but a small percentage of the organization's overall computer security issues.
Building a top 10 computer security list for your organization starts with identifying and ranking threats based on the best metrics you have. You should then get team and management approval for the items that make the final list. This forces everyone to affirm and focus on the biggest problems.
Once you've created your list, be sure to communicate it using the normal computer security education methods (such as e-mail, posters, newsletters, and so on) to ensure all the relevant teams are working to tackle your top security issue in their own special-interest way.
For instance, suppose JavaScript exploits are the biggest problem. The workstation configuration team can focus on locking down the browser(s) to prevent rogue JavaScript applets. The programming/development team can focus on preventing XSS (cross-site scripting) attacks in their own code. Groups purchasing new software can be on the lookout for applications that rely on JavaScript and communicate to the potential vendor about the concern of JavaScript exploits. If you don't focus people on the big problems, they might remain fixated on addressing issues within their individual spheres of influence. A top 10 list helps everyone see the health of the forest while working in the weeds.
Tracking progress is also critical to success. Someone should be responsible for measuring the metrics of each item on the list and delivering a progress report to the larger group each year. At that time, the group should review the list to determine if any problems can be removed and if any newly growing security issues should be added. If metrics grew worse for a particular item, the team will need to devise a new plan of attack, perhaps built around effective strategies used to combat problems that have been knocked off the list.
Once created, your top 10 computer security list will likely never go away; rather, items will move around or be replaced by other more pressing issues. However, this is an idea that gives the organization a means of focusing on the most important ways to reduce risk and to draw a virtual line in the sand to measure against each year.
(PCW)