Report details biggest threats to computer networks

Weak password protection and nonexistent or incomplete data backups are two of the biggest information security problems facing both government and private sector computer networks, according to a new report from the System Administration, Networking and Security Institute (SANS). The organization released its list of Top 20 information security threats on the Internet at a press conference Monday. The list is highly technical and gives agencies and companies the ability to check their workplaces for the biggest security gaps, said Alan Paller, director of research at the SANS Institute. The most frequent vulnerabilities are divided into two sets based on whether computers operate on Windows or Unix operating systems. The institute compiled the list after consulting with the nation's foremost security experts. At the press conference, representatives from government and industry stressed that recreational hackers are no longer the principal enemies of systems administrators. Bob Gerber, chief of analysis and warning at the FBI's National Infrastructure Protection Center (NIPC), outlined the immensity of the problem. More than 500 million Internet users in the world use thousands of different software programs, each with their own security gaps, he said. Hackers depend on government agencies, businesses and home users not to fix even well-known security problems. "A very small number of vulnerabilities are used over and over again in the vast majority of attacks," said Paller. Software companies frequently have free patches to remedy these security holes. For example, a patch was available in June for the security hole exploited by the Code Red worm in July and August. It takes only one unprotected computer in an organization of thousands to give hackers full access to entire networks. "A vulnerability in one system becomes a vulnerability for all," said John Gilligan, deputy chief information officer of the Air Force and co-chair of the federal CIO Council's subcommittee on security, privacy and critical infrastructure protection. "Attacks on the [nation's] IT infrastructure will be more frequent and more virulent," Gilligan said. Gilligan, Paller and Gerber agreed that the software industry shares a measure of responsibility for providing software with holes that can be exploited. "The quality of software design and testing does not meet the requirements of today and the future," Gilligan said. Gilligan called on software manufacturers to pay more attention to their products before they hit the shelves. Paller said the problem is exacerbated by software companies that make new copies of their products and deliver them with old security holes unpatched. Gilligan said he expected the new Office of Homeland Security to become interested in the issue. "The cost of the find, fix and patch race is really starting to drain our resources," Gilligan said. The Center for Internet Security offers a free software scanner that specifically analyzes systems for vulnerabilities on the Top 20 list.