The University critical device scanning program uses commercial software to scan critical University systems. The goal of the program is to identify vulnerabilities for correction before networks and systems are compromised. The purpose of this procedure is to ensure that security controls are in place and are effective.
How does the scanning tool work?
The scanning tool has two primary functions. First, through its network discovery and mapping function, it can discover network devices and applications, as well as many other network elements.
Second, the scanning tool actively probes for system vulnerabilities. It performs a multi-level scan using an extensive database of known security holes to identify common system vulnerabilities, many of which are the result of oversights such as misconfigurations or missing patches. Many of the vulnerabilities are included in the CERT, CIAC and SANS advisories.
The scanning tool produces a detailed security report, often including detailed instructions on how to remediate or mitigate the identified vulnerability.
The tool assigns a vulnerability category and a severity level for each vulnerability detected. Vulnerability categories are:
- Vulnerability - Represented as Level 1-5, a design flaw or misconfiguration that makes the network, or a host on the network, susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host.
- Possible Threats - Include all vulnerabilities that cannot be confirmed. The only way to verify their existence would be to perform an intrusive scan on the network, which could result in a denial of service. You are urged to investigate potential vulnerabilities further.
- Information Gathered - Includes visible information about the network related to the host, such as traceroute information, ISP, or a list of reachable hosts. This category also includes network mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.
The vulnerability classification helps to prioritize scan results. A severity level indicates the security risk posed by exploitation of the vulnerability and the degree of difficulty of that exploitation. The results of successful exploitation of a vulnerability can vary from disclosure of information about the host to its complete compromise.
Under what circumstances may a scan be conducted?
1. Scans conducted by distributed UA IT professionals
Authorized system administrators, network engineers and security analysts may scan individual critical devices or entire network segments within their administration. Because UA has a limited number of licenses, computers entered in the Critical Device Registry are given priority for vulnerability scanning.
Network discovery and mapping may be performed without limitation on entire network segments within a Network Manager's administration.
To register for an account, a UA employee must:
- Read the tutorial in the Quickstart guide
- Be registered in the Network Manager database for all IP addresses to be scanned for vulnerabilities or IP address ranges to be mapped
To request an account, qualified persons should contact the Information Security Office (InfoSec) by means of the email address at the bottom of this page with the following information:
- Requestor's name
- Unit's name
- Name of the dean, director or department head who is ultimately responsible for the data stored in the computers to be scanned (who is known for this purpose as the "Executive Business Unit Manager")
- For network discovery and mapping, the unit's IP address range
- For vulnerability scanning, the IP addresses of devices to be scanned
- All devices must have been registered in the Critical Device Registry (http://security.arizona.edu/cdi) prior to scanning for vulnerabilities
InfoSec will contact the requestor with additional information and instructions.
2. Scheduled scans conducted by InfoSec/UITS
InfoSec and University Information Technology Services (UITS) may coordinate and conduct scheduled, non-credentialed scans to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University. The vulnerability assessments will include selective probes of communication services, operating systems and applications to identify high-risk system weaknesses that could be exploited to gain unauthorized access to the UA network and data. The scans will not search the content of personal electronic files on the scanned systems (although InfoSec and UITS may scan for personal information on any system in response to a security breach or compromise, or to ensure compliance with university policy). Information gathered will be used for network management, including notifying units of vulnerabilities, determining incorrectly configured systems, validating firewall access requests and gathering network census data.
The scheduled scan process involves five possible steps:
- Schedule/Notification - Critical servers are scheduled for regular scans. The enterprise administrative systems (SIS, Matrix, FRS and PSOS) may be scanned more frequently. Server administrators are contacted to schedule or confirm time periods to run the scan, as well as which servers to scan.
- Scan - A pre-scan verifies the operating system. The type of scan and time/date are set. At the scheduled time and date, the scan tool performs each vulnerability test and produces a vulnerability report.
- Evaluation of Scan Results - The reports are evaluated for vulnerabilities. System administrators are notified if vulnerabilities identified as Level 4 or 5 by the tool or high risk through analysis are found. They are notified to (1) remediate the vulnerability, (2) mitigate the risk of the vulnerability, or (3) document why the vulnerability cannot be remediated or mitigated or does not pertain. An example of a mitigating action is moving a vulnerable service port behind a host-based firewall. This action simply protects the system against exposure of the vulnerability but does not remediate the vulnerability, as applying a patch would. Corrective action must be taken as specified in the timelines below.
- Report Distribution - All technical scan reports are sent to the system administrator with a memo explaining what to do and requesting that they review and notify InfoSec of changes to the list of critical devices to be scanned in the future. A copy of the scan report is filed in the InfoSec office.
- Re-scan (as necessary) - Re-scans are scheduled as soon as notification is received that previously identified vulnerabilities have been resolved. A copy of the scan report is filed in the InfoSec office.
3. Unscheduled scans conducted by InfoSec/UITS
InfoSec and UITS may conduct unscheduled scans to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University, or to investigate a security incident.
What is the timeline for corrective action for identified high risk vulnerabilities?
After a system administrator is notified by InfoSec or UITS that a scan has identified Level 4 or 5 vulnerabilities, corrective action must be taken within the following timelines. In addition, Level 1-3 vulnerabilities should be examined for corrective action within the following timelines. The timelines are also recommended for vulnerabilities identified by system administrators. If it is determined that corrective action cannot or should not be taken, an exception must be approved by the UISO in accordance with the Exceptions Procedure.
Server Containing or Accessing Data

Timeline for Corrective Action, by data classification and vulnerability level:

| Data Classification | Level 4-5 Vulnerability | Level 3 Vulnerability | Level 1-2 Vulnerability |
|---|---|---|---|
| Personally Identifiable Information | 3 days | 1 week Recommended | 2 weeks Recommended |
| Other Confidential University Data | 1 week Required | 2 weeks Recommended | 2 weeks Recommended |
| All Other Data | 2 weeks Required | 2 weeks Recommended | 30 days Recommended |
Workstation Containing or Accessing Data

Timeline for Corrective Action, by data classification and vulnerability level:

| Data Classification | Level 4-5 Vulnerability | Level 3 Vulnerability | Level 1-2 Vulnerability |
|---|---|---|---|
| Personally Identifiable Information | 1 week Required | 2 weeks Recommended | 2 weeks Recommended |
| Other Confidential University Data | 2 weeks Required | 2 weeks Recommended | 30 days Recommended |
| All Other Data | 2 weeks Required | 30 days Recommended | 30 days Recommended |
Where a reboot is required to remove a vulnerability:
- Level 4-5 - Emergency reboot procedures must be enacted
- Level 3 - Reboot should be scheduled at the earliest possible time
- Level 1-2 - Next scheduled maintenance period should be used
All italicized terms used in this standard are defined in the Information Security Terms Guideline.
Authorities:
- Information Security Policy (IS-100)
- Information Security Terms Guideline (IS-G100)
- Exceptions Procedure (IS-P100)
- Data Classification Standard (IS-S302)
- University Network Operational Standard (IS-S602)
- Minimum Security for Networked Devices Standard (IS-S701)
- Server Security Standard (IS-S702)
Initial Draft: 10/31/08
UA-ISAC Review: 4/2/09
Effective Date: 7/1/09