Internet Vulnerabilities to Cyberterrorism Exposed
FBI, networking group say the Internet wouldn't be able to withstand a major attack.
The FBI and the System Administration, Networking, and Security Institute today released a list of the 20 top vulnerabilities of Internet-connected systems and urged companies to close dangerous holes while warning again of virulent cyberattacks to come.
"The Internet is simply not ready because of these vulnerabilities; we're not ready to withstand a major attack," said Alan Paller, the SANS Institute director, at a press briefing today. The research took on added importance in the wake of the September 11 terrorist attacks on the U.S.
The list of vulnerabilities, jointly prepared by Bethesda, Maryland-based SANS, the FBI's National Infrastructure Protection Center, and a team of approximately 50 corporate and academic security experts, is more exhaustive than a similar list released last year that limited itself to the top 10 problems.
The NIPC, based at FBI headquarters, was formed in 1998 to handle threat assessment, investigations, and responses to any attacks on critical U.S. infrastructures.
Citing the recent Code Red and Nimda worms, Paller said, "What many people don't know is that a very small number of vulnerabilities are used over and over in these attacks."
The top 20 list details vulnerabilities that are specific to Windows and Unix-based systems, as well as problems that are common to any system, such as no passwords or weak passwords, a large number of open ports, nonexistent or incomplete logging, vulnerable Common Gateway Interface programs, unprotected Windows networking shares, and information leakage via null session (also known as anonymous log-on) connections, along with a number of other technical issues.
But fixing these holes won't be enough to improve the security of Internet-connected systems, John Gilligan, the deputy CIO of the U.S. Air Force and chairman of the Federal CIO Council's security committee, warned at today's briefing.
Software makers need "a new approach to the design and fielding of their products," said Gilligan, who added that "the find and fixed patch race is something that is really starting to drain our resources."
Gilligan said commercial software needs to meet higher security standards, reinforced by a "contractual or legal expectation."
"We realize that this will cost the industry additional expenses in the development and testing of software; we would gladly pay that cost upfront in the purchase price rather than incur the cost ... which is enormous," he said.
The NIPC, like many security experts, is predicting an increase in cyberattacks related to terrorist activities. Some experts have said they believe that such an increase is already under way.
Robert Gerber, chief of analysis and warning at the NIPC, said it was "remarkable" that the Nimda worm "showed up a week to the day to the hour after the events of September 11."
Gerber surmised that Nimda might have been created as someone's "perverse desire to commemorate" the September 11 tragedy. "But I won't know until the FBI apprehends the person that did it," he said.

For more enterprise computing news, visit Computerworld. Story copyright © 2011 Computerworld Inc. All rights reserved.















