CSU, Chico Vulnerability Scanning

Parent Policy: 8020.0 Information Security Risk Management

Purpose

To provide a common set of methodologies and requirements to standardize vulnerability scans on campus systems, applications and networking infrastructure.

Background

Vulnerability scans provide critical information to the Information Security Office and management as part of the risk assessment process for campus systems. Vulnerability scans also give System Administrators a mechanism to assess the security posture of the servers they manage by probing each system for open ports, listening services, and application and operating system patch levels. Open ports are queried to identify the listening service, and each service is compared against a database of known vulnerabilities and issues. System Administrators can use vulnerability scan reports to assess the security posture of their systems and to outline the remediation tasks required to bring a system into compliance.

Discovery Scans

A discovery scan involves scanning the campus network for connected systems and identifying services these systems provide. Discovery scans are lightweight scans that do not analyze discovered services for vulnerabilities or exploits. The Information Security Office performs quarterly discovery scans of all server subnets on campus, which are approved by CAB, as well as on-demand scanning.

Vulnerability Scans

A vulnerability scan examines the information provided by discovery scans and performs a more in-depth scan against a designated system or network. The results are compared against an industry-vetted database of vulnerabilities and exploits, and a report is provided to the Information Security Office. The Information Security Office provides vulnerability reports to System Administrators and System Owners bi-weekly if high vulnerabilities are found, and by request. The Information Security Office performs weekly security baseline scans against all systems to establish a security baseline for campus. These scans inspect identified services for potential vulnerabilities using only industry-tested, low-impact and non-intrusive methods.
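The two steps described above in Background and Vulnerability Scans (comparing discovered services against a database of known issues, then reporting to administrators when a high finding is present) are illustrated below. This is an added example, not part of this standard and not the campus scanner's own code: the CSV input format, the host names, service names, version numbers and the issue entries are all constructed, and the "fixed in version" matching rule is an assumption about how a known-issue database is keyed.

```python
"""Match discovery-scan results against a known-issue list and build a
remediation report that flags whether any HIGH finding is present.

Added illustration; every host, service, version and issue below is
constructed and does not describe a real product or real vulnerability.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3}


@dataclass
class KnownIssue:
    issue_id: str          # constructed identifier, not a real CVE
    service: str
    fixed_in: Optional[str]  # None: every version of the service is affected
    severity: str
    summary: str
    remediation: str


@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: Optional[str]  # None when the banner did not report a version
    issue: KnownIssue


# Constructed known-issue database (assumption: keyed by service + fixed-in version).
ISSUE_DB = [
    KnownIssue("ISSUE-0001", "http", "1.2.5", "high",
               "Request handling flaw in http service before 1.2.5",
               "Upgrade http service to 1.2.5 or later"),
    KnownIssue("ISSUE-0002", "ssh", "8.5", "medium",
               "Weak default settings in ssh service before 8.5",
               "Upgrade ssh service to 8.5 or later"),
    KnownIssue("ISSUE-0003", "mysql", "8.0.30", "high",
               "Authentication flaw in mysql service before 8.0.30",
               "Upgrade mysql service to 8.0.30 or later"),
    KnownIssue("ISSUE-0004", "ftp", None, "low",
               "Cleartext protocol exposes credentials in transit",
               "Replace ftp with an encrypted file-transfer service"),
]

# Constructed discovery-scan output: host, port, service, version (version may be blank).
SAMPLE_SCAN = [
    "# host, port, service, version",
    "web01.example.edu, 80, http, 1.2.3",
    "web01.example.edu, 22, ssh, 8.9",
    "db01.example.edu, 3306, mysql,",
    "files01.example.edu, 21, ftp, 1.0",
]


def parse_version(v: str) -> tuple:
    """'8.2p1' -> (8, 2): leading digits of each dotted piece, suffixes dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric, zero-padded comparison so '1.2' < '1.2.1' and '8.9' > '8.5'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def parse_discovery_line(line: str):
    host, port, service, version = [x.strip() for x in line.split(",")]
    return host, int(port), service.lower(), version or None


def match_findings(scan_lines, issue_db):
    """Pair each listening service with every known issue its version falls under.
    An unreported version is treated as potentially affected, not as clean."""
    findings = []
    for line in scan_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, port, service, version = parse_discovery_line(line)
        for issue in issue_db:
            if issue.service != service:
                continue
            affected = (issue.fixed_in is None or version is None
                        or version_lt(version, issue.fixed_in))
            if affected:
                findings.append(Finding(host, port, service, version, issue))
    return findings


def build_report(findings):
    """Group findings per host, highest severity first, and flag the high count."""
    by_host, high_count = {}, 0
    for f in findings:
        remediation = f.issue.remediation
        if f.version is None:
            remediation = ("Version not reported by banner; confirm with a "
                           "credentialed scan, then: " + remediation)
        by_host.setdefault(f.host, []).append({
            "port": f.port, "service": f.service,
            "version": f.version or "unknown", "issue_id": f.issue.issue_id,
            "severity": f.issue.severity, "issue": f.issue.summary,
            "remediation": remediation,
        })
        if f.issue.severity == "high":
            high_count += 1
    for entries in by_host.values():
        entries.sort(key=lambda e: SEVERITY_ORDER[e["severity"]], reverse=True)
    return {"hosts": by_host, "high_count": high_count, "notify_now": high_count > 0}


if __name__ == "__main__":
    report = build_report(match_findings(SAMPLE_SCAN, ISSUE_DB))
    for host, entries in report["hosts"].items():
        print(host)
        for e in entries:
            print(f"  {e['severity'].upper():6} {e['service']}:{e['port']} "
                  f"({e['version']}) {e['issue_id']} - {e['remediation']}")
    print("notify administrators now:", report["notify_now"])
```

The "unknown version" branch is the reason credentialed scans exist: a banner that hides its version cannot be cleared from the list by an unauthenticated scan, so the report keeps the finding and asks for verification rather than silently dropping it.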

Credentialed Vulnerability Scans

Credentialed scans are scans that actively attempt to verify vulnerabilities discovered on a system. The Information Security Office performs credentialed scans using the campus vulnerability scanner and has the ability to perform penetration tests using a variety of security tools. The Information Security Office will coordinate with support personnel prior to performing any of these actions. The Information Security Office will provide reports to the appropriate individuals upon the completion of these scans.