Internet Security Systems (ISS) has released a useful new tool for network managers desperate to keep their security up to scratch - a Catastrophic Risk Index that lists what its X-Force (zam!) security experts feel are the 30 most important vulnerabilities currently out there.

The index is available for free online as a pdf file and is updated quarterly. Each vulnerability comes with an ISS reference number, the risk name, a brief description and the industry-norm CVE (Common Vulnerabilities and Exposures) and CAN (candidate vulnerability) numbers. Hypertext links connect to full information about the vulnerability and how to deal with it.

The idea behind the list is to enable companies to tackle the most serious problems first and then get to work sorting and patching for other problems. The 30 are selected from ISS' X-Force (pow!) database of over 10,000 vulnerabilities and, we are told, selected according to four criteria:

  • Pervasive to almost all organisations, across all industries
  • Serious threat to confidentiality, integrity and availability of critical data
  • Potential cause of catastrophic business system failure
  • Highly susceptible to virus and worm creation

So, if you grab a copy of the index and sort out those problems first, you are likely to be in a better position than if you hadn't. Plus, of course, if you are a customer of ISS (as it seems most huge companies are), you get to benefit from the whole range of its trademarked services, such as X-Force™ (zap!), Internet Scanner®, SiteProtector™, RealSecure®, Proventia™, Virtual Patch™ and, of course, Dynamic Threat Protection™.

But hang on, you say, doesn't a list like this already exist? What about the SANS/FBI Top 20? Well, yes indeed, but X-Force (kazaam!) explains that its CRI and the SANS Top 20 are "complementary standards".

See if you can spot the difference:

  • The X-Force (whooosh!) CRI is a catalog of specific threats that represent the most serious and dangerous risks to the computing environment
  • The SANS Top 20 is a list of the 20 most vulnerable services as determined by a security community consensus

In English, this presumably means that the SANS list is decided by the size of the problem and the new CRI list by the importance of the problem. This may just be semantics, but a quick comparison of the latest versions of both lists shows that the SANS list (which is much bigger in reality, since it includes all the associated vulnerabilities) contains only 10 of the 30 on ISS' list.

In this sense, a list of hand-picked vulnerabilities is always going to be useful for a busy network manager. And ISS no doubt hopes posting the list with associated information will entice people into using its services.