Best Practices
“Eliminating the Top Twenty Internet Security Threats”
According to statistics on computer system break-ins, a few software vulnerabilities account for the majority of successful attacks. Most system administrators don’t have the time to correct every flaw, and many don’t know which (of hundreds) are most dangerous to them. In response, a group of over 40 leading computer security experts from industry, government, and academia got together under the direction of the System Administration, Networking, and Security (SANS) Institute, and by consensus came up with a list of the “top ten” most critical security problems that system administrators need to eliminate.
In July 2000, EDUCAUSE established a Task Force on System Security, whose purpose is to ensure that higher education takes an active role in recognizing this problem, finding the flaws, defining the solutions, and implementing them across all campuses. “For immediate (high-priority) action, the Task Force is recommending that all campus network and technology leaders find and fix the ten most common security holes on their campuses by adopting the advice and methodology of the SANS Institute.”
Briefly, the most critical security threats can be grouped and summarized as follows:
- Disable unneeded & unused services (utility programs) on computers.
- Keep software that is running on computers current.
- Adopt & adhere to a strong password policy.
- Restrict global file sharing to appropriate machines & users.
- Understand & control communications flowing on networks.
It is in the best interests of the University for all systems administrators to review the top ten (or twenty) most serious threats, and to make a serious effort to follow the advice of leading experts to correct these problems. We can eliminate many of the security breaches experienced here if we take these precautions.
The SANS Institute web site includes a detailed description of the vulnerabilities as well as excellent resources and descriptions of how to fix them. Please ensure that systems administrators in your department see the revised list at http://www.sans.org/top20.htm and act upon the recommendations. This “living” document, first published in June 2000, has since been expanded from the original “top 10” list into a “Top 20” list and is updated on a regular basis.