SANS Top 20 List overlooks the people, legal and insurance issues

news alert

London, UK - 22 November 2005, 17:00 GMT - The SANS Top 20 technical list announced in London today addressed vulnerabilities across all layers of the computing environment as the primary source of digital risk, whilst making no significant mention of the other strategic digital risk areas, including people, legal and insurance issues. The technology, people, legal and insurance domains together define the full realm of digital risk according to the holistic security methodology of the mi2g Intelligence Unit. For example, it is the lax approach of the community of end-users and administrators, within and outside organisations, that knowingly or unknowingly offers inroads to global organised crime and extremism. Such overt or stealthy illicit operations can benefit from software vulnerabilities, amongst other technical exploits, only if the human touch points remain incapable, unaware or compromised. Strategically, digital risk can be mitigated significantly through legal contracts that tie suppliers down to specific Service Level Agreements (SLAs), and through appropriate business interruption insurance cover, which puts mandatory audits in place.

Many speakers at the SANS Top 20 conference held this morning at the Department of Trade and Industry (DTI) talked about the complex array of computer software vulnerabilities and software patch regimes without fully identifying the complex interdependence of weak links in the human chain, legal contracts and insurance or risk mitigation policies within corporations, government agencies and NGOs. Those weak links can compound the software vulnerabilities manifold, to the detriment of the affected organisation and its interlocutors. Given the complexity of the patch regimes now needed, many small to medium size enterprises are ill equipped to handle the tasks at hand without specialist help or proprietary tools, and such tools may not be easy to use or deploy across a diverse computing environment.

"Lessons gleaned from the latest SANS-20 list suggest that the cat and mouse game cannot go on because the lay user and small to medium size enterprises possess limited resources. When dealing with the plethora of software vulnerabilities at every level, it is quite obvious that the problem is getting worse, not better. As the vulnerabilities move up the food chain into applications, which do not have well defined patch regimes or auto-update tools, the security risk gets amplified with multiple touch points," said DK Matai, Executive Chairman, mi2g. "The human vulnerability side is a bigger issue than software vulnerability. We must recognise the need for a paradigm shift in which the vendors have to think about offering software as a constantly updated quality solution in which the product is a first class trustworthy service and all the complexity of applying patches is taken away from the average user. The lay person is beyond solving this hierarchical dilemma. At the same time, the enterprise has to look at digital risk holistically from a technical, people, legal and insurance perspective."

Over the past year, attackers have been switching their focus to software applications, according to the latest SANS-20 list of the most critical Internet security vulnerabilities. Automated patching started making it harder to find new vulnerable systems, so attackers went after applications that users are simply not patching. This correlates with mi2g Intelligence Unit research; however, where very large scale attacks have taken place, with substantial illicit financial movements or colossal economic damage, lack of human training or awareness has played a significant part alongside software vulnerability or system weakness in magnifying the impact.

The SANS Top 20 list has been published annually since 2000. It is compiled by representatives from a variety of computer security organisations including the US Computer Emergency Response Team (US-CERT), the British Government's National Infrastructure Security Co-Ordination Centre (NISCC) and the SANS Internet Storm Center.


mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of its technology are: 1. D2-Banking; 2. Digital Risk Management; and 3. Bespoke Security Architecture. For more information about mi2g, please visit: www.mi2g.net
