Yes, SANS has released their latest top 20 Internet Security Risks report. And Dark Reading points to it.
Tim Wilson at Dark Reading opens up: “There are two major problems with the security of computers: the people who use them and the people who write software for them.”. You don’t say?!? I think that covers everyone except my grandmother…
Ok, so Tim’s article gets better and I like his pointing out that home-grown apps are big threats, which will make people think a bit more about open source and other, well, home-grown apps. Paying for software every cycle sucks, but is the cost of the software worth the possibly improved security and support? Good question.
My biggest complaint about the SANS Top 20 list these days? It’s too nebulous. Let’s see…web browser, email clients, media players, and office software. Did they leave anything out?!?! Yes, IM services…oh wait, they got that too.
Windows, *nix, and Mac. Uhh..again, did they leave anything out? Well, yes, they may have missed something, but the catch-all Zero-Days kinda covers the ass end of the list.
Yeah, thanks for this wonderfully nebulous list that really is far less actionable than it used to be. Sure, it illustrates our security risk landscape fairly well, but it is definitely targeting managers and less involved/informed people these days.Rather than being the top 20 risks, it is basically an all-encompassing “here’s all the risks you need to worry about,” list for CSOs and journalists to care about.
Fine, there is at least one thing missing. Wireless issues, both with regards to 802.11 devices and Bluetooth. Sure, they mention it twice, once in Unauthorized Devices and again in Instant Messaging, but that’s just lame and really does downplay the issues. Sure, you can’t have someone in Russia sit down and pwn every Starbucks wireless user in 60 seconds, but the problem still exists on a microscopic level. Want to fly under the radar or target an exec because you’re being paid by competition to do so… Hell, it would have been trendy to include this with the simple mention of the alleged intrusion vector for the TJX breach.
Alas, I still like the list because it gives us something to point to when management thinks the world is peachy-keen and full of rainbows in our office. Still, I’d rather this list were still interesting and relevent to me, rather than trying to be a “list” that tries to capture everything. Maybe it’s just a sign of a maturing industry and a much wider interested audience that needs to be included…