Six years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to worms like Blaster, Slammer, and Code Red have been on SANS Top20 lists.

The SANS Top-20 2006 list is not "cumulative." We have listed only critical vulnerabilities from the past year or so. If you have not patched your systems for a length of time, it is highly recommended that you patch the vulnerabilities listed in the Top-20 2005 list as well as those in the 2006 list. At the end of this document, you will find a short SANS Top-20 FAQ (frequently asked questions) that answers questions you may have about the project and the way the list is created.

The SANS Top-20 2006 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center, and many other user organizations. A list of participants is at the end of this document.

The SANS Top-20 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via e-mail to top20@sans.org