SANS list of top vulnerabilities includes Outlook, P-to-P

Among the vulnerabilities systems administrators should worry about with P-to-P software are the legal concerns if a company's computers are used to trade copyrighted files, technical concerns from remotely exploitable misconfigurations possible in P-to-P software, and the ease of distribution of malicious code masquerading as legitimate materials traded through P-to-P software, Kamerling said.

A P-to-P user at one federal agency recently opened his hard drive to other users trading pornography, Paller added, making the agency part of a "porn-sharing operation."

But Rosso said such exposures and reports of P-to-P users sharing the entire contents of their hard drives with others happen when P-to-P software is misconfigured or misused. "The potential for people's hard drives to be exposed only exists if they don't pay attention," he said.

Windows Internet Information Server, Microsoft SQL Server and Internet Explorer remain on the list from 2002. The five Windows vulnerabilities that were bumped from the 2002 list were combined into two new items: Windows remote access and Windows authentication.

Three new Unix/Linux vulnerabilities were included on the list this year: clear text services, misconfiguration of enterprise services and Open Secure Sockets Layer. Remaining on the Linux/Unix list were Apache Web server, BIND (Berkeley Internet Name Domain) and Sendmail, among others.

Paller urged company and agency leaders to start with a small list of the most dangerous vulnerabilities their systems administrators could attack and allow the security team at least 90 days to make progress before requiring them to report results. Asking systems administrators to test for thousands of vulnerabilities at one time is a recipe for failure, he added.

"That is a dangerous thing to do to a systems administrator," Paller said of requiring thousands of checks at once. That way, executives could set up systems administrators for failure. "You're creating (a situation of saying), 'I can demonstrate you're incompetent, and you can never demonstrate I'm wrong.' If that's your goal, it's fine, it just doesn't improve security. What you want is an environment where you say, 'I can demonstrate we've got things to fix, and you can demonstrate we can fix them, and then we'll work together.'"