W1. Internet Explorer
W2. Windows Libraries
W3. Microsoft Office
W4. Windows Services
W5. Windows Configuration Weaknesses
M1. Mac OS X
U1. UNIX Configuration Weaknesses

Cross-Platform Applications
C1. Web Applications
C2. Database Software
C3. P2P File Sharing Applications
C4. Instant Messaging
C5. Media Players
C6. DNS Servers
C7. Backup Software
C8. Security, Enterprise, and Directory Management Servers

N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses

Security Policy and Personnel
H1. Excessive User Rights and Unauthorized Devices
H2. Users (Phishing/Spear Phishing)

Special Section
Z1. Zero Day Attacks and Prevention Strategies
Version 7.0, November 15, 2006. Copyright © 2006, SANS Institute. Questions / comments may be directed to firstname.lastname@example.org.

Six years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to worms like Blaster, Slammer, and Code Red have all appeared on SANS Top-20 lists.

The SANS Top-20 2006 list is not "cumulative." We have listed only critical vulnerabilities from the past year or so. If you have not patched your systems for some time, it is highly recommended that you patch the vulnerabilities listed in the Top-20 2005 list as well as those in the 2006 list. At the end of this document, you will find a short SANS Top-20 FAQ (frequently asked questions) that answers questions you may have about the project and the way the list is created.

The SANS Top-20 2006 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center; and many other user organizations. A list of participants is at the end of this document.

The SANS Top-20 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via email to email@example.com

Want to receive updates to the Top-20 list? Subscribe to the Top-20 mailing list at: http://lists.sans.org/mailman/listinfo/top20-announce

Related Resources
SANS Top 20 FAQ
Press Release (2006-11-15)

Top 20 Archive
November, 2006 - Version 7 (Current)
November, 2005 - Version 6
October, 2004 - Version 5
October, 2003 - Version 4
October, 2002 - Version 3
May, 2001 - Version 2
June, 2000 - Version 1 (Original Top 10)

Top 20 List v7 Update Log
2006-11-15 - v7.0: Initial Release
Top 20 Translations
Contact firstname.lastname@example.org to collaborate in the translation of the Top 20 to your own language.
W1. Internet Explorer
Microsoft Internet Explorer is the most popular browser used for web surfing and is installed by default on each Windows system. Unpatched or older versions of Internet Explorer contain multiple...