The SANS Institute (SysAdmin, Audit, Network, Security), a Bethesda, Md.-based education organization for computer security, worked with the FBI's National Infrastructure Protection Center, the Federal Chief Information Officer Council and more than 50 security experts to gather the list, said Alan Paller, SANS director.
The list includes several well-known problems, including vendors shipping operating systems and applications with insecure default installations, buffer overflows in Microsoft software, and problems with Sendmail, the mail transfer agent shipped with most Unix and Linux systems.
SANS doubled the size of last year's list to focus on Windows and Unix, Paller said, and Microsoft took an active role in ensuring the accuracy and completeness of the Windows-related items.
"With the attacks on the World Trade Center and the Pentagon, we realize that it's not always possible to see the enemy coming," Paller said. "The enemies today are no longer simply recreational hackers ... we're here to announce a community-wide program to stamp out the vulnerabilities that made most of the large attacks possible."
Those security holes leave the Internet unprepared for a large-scale attack, either at or beyond the scope of the recent "Code Red" and "Nimda" worms, Paller said.
The worldwide base of Internet users is now too large and too diverse for an ongoing "find and patch" approach to work, said John Gilligan, the U.S. Air Force's deputy CIO and chairman of the CIO Council's security committee.
"It is clear that the quality of software design and testing in the past does not measure up to the needs of the present or the future," Gilligan said. "I challenge the leaders in the software industry, especially in the wake of the physical attacks on this nation, to establish new standards of software quality, as well as effective methods to reduce the impact of current vulnerabilities."
The computer industry's 40 years of experience building reliable software has not fully carried through to commercial products, but vendors are starting to stem the tide of security holes, Gilligan said. Vendors have argued in the past that applying more stringent quality controls would drive prices up, but Gilligan said government agencies are prepared to spend that kind of money. The rest of corporate America likely will follow this trend, he said.
Gilligan and the other speakers stopped short of suggesting the government mandate the more-expensive development measures.
While major corporations have staff dedicated to computer security, the problem is rapidly escaping the reach of individuals or small businesses, said Robert Gerber, NIPC's chief of analysis and warning.
"The SANS Top 20 list is not a quick-fix check," Gerber said. "Yet in those 20 vulnerabilities, there are two that translate into immediate action that any computer user should take: The use of strong passwords and making regular backups of your critical data."
Other steps home PC users should take include installing anti-virus and firewall software, Gerber said, and not leaving PCs connected to the Internet indefinitely over always-on DSL or cable modem links. Some individual user vulnerabilities will require the attention of a trusted third party, such as an Internet service provider, he said, adding that the NIPC will establish a section of its Web site, nipc.gov, to directly address such issues.
Paller said a free, currently available system-scanning tool will be immediately modified to check for the 20 vulnerabilities. Security software vendors also are expected to create similar tools, he said.
Looking forward, Gerber said additional hacking attacks are likely in the wake of the Sept. 11 attacks, especially politically motivated actions. And regardless of whether hackers have a truly malicious intent, worms such as "Nimda" will continue to cause Net slowdowns if not actual damage, he said.