Implements: ISO Domain 12: Operations Security Standard
Standard: CSU Chico Vulnerability Management Baseline Standard (PDF)
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. It is the fourth of the Top 20 Critical Security Controls [1], which calls on organizations to “continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.” Vulnerability scans give the Information Security Office and management critical input to the risk assessment process for campus systems. System Administrators also use vulnerability scan reports to assess the security posture of their systems and to outline the remediation tasks required to bring them into compliance.
(*Restricted Access – credentials required*)
Server Vulnerability Scanning Procedures
Web Application Vulnerability Scanning Procedures
Vulnerability scans are conducted on all devices connected to the campus network, including servers and web applications. For a successful, comprehensive scan, a server or web application must be properly configured in the Vulnerability Management Scanner. Procedures and guidelines for scanning, setup of server and web application scanning, non-server operating systems, vulnerability classifications, vulnerability exceptions, and weighted server risk reports can be found on the ISEC Wiki (*Restricted Access – credentials required*).
Credentialed (authenticated) scans are far more accurate than un-credentialed scans because the scanner logs in with an account on the system being scanned and can inspect it from the inside. Many critical vulnerabilities, including newly disclosed ones, can only be detected this way: tests performed by ISEC showed that un-credentialed scans identify less than 10% of the critical severity vulnerabilities that a credentialed scan detects. Credentialed scans are also more efficient and lower impact, because the scanner checks installed software versions, runs targeted local tests, and reads the Windows registry instead of probing services blindly over the network. ISEC requires that credentialed scans occur weekly.
A discovery scan sweeps the entire campus network for connected systems and identifies the services those systems expose. Discovery scans are low impact because they do not test the discovered services for vulnerabilities or attempt any exploits. The Information Security Office performs quarterly discovery scans of all campus server subnets, which are approved by CAB, as well as on-demand scans.
The Vulnerability Management scanner assigns every vulnerability in its KnowledgeBase a severity level, determined by the security risk associated with exploiting it. The consequences a vulnerability at each level can have are described below.
| Level | Description |
| --- | --- |
| Urgent | Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors. |
| Critical | Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host. |
| Serious | Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying. |
| Medium | Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions. |
| Minimal | Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities. |
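The two checkable requirements on this page are the weekly credentialed scan and the five-level severity scale. The following script is an added example, not part of the CSU Chico standard or the scanner's own reporting: it takes a batch of constructed scan records, scores each host by severity, and flags hosts whose last credentialed scan is older than seven days, since an un-credentialed result understates risk. The severity weights, the hostnames, QIDs and finding titles, and the naming of level 3 as "Serious" are all assumptions for this example; the standard mentions weighted server risk reports but does not publish its formula.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Scanner severity levels, highest first, with the weight this example assigns
# to each. ASSUMPTION: the standard does not publish its weighting formula.
SEVERITY_WEIGHT = {"Urgent": 16, "Critical": 8, "Serious": 4, "Medium": 2, "Minimal": 1}

# ISEC requires credentialed scans weekly.
CREDENTIALED_MAX_AGE = timedelta(days=7)


@dataclass(frozen=True)
class Finding:
    qid: int          # scanner KnowledgeBase ID (constructed values below)
    title: str
    severity: str


@dataclass
class HostScan:
    host: str
    last_credentialed: Optional[date]   # None: never scanned with credentials
    findings: List[Finding] = field(default_factory=list)


def risk_score(findings):
    """Sum the severity weights; reject a level outside the scanner's scale
    rather than silently scoring it as zero."""
    score = 0
    for f in findings:
        if f.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {f.severity!r} for QID {f.qid}")
        score += SEVERITY_WEIGHT[f.severity]
    return score


def credentialed_overdue(scan, today):
    """True when the host has no credentialed scan inside the weekly window."""
    if scan.last_credentialed is None:
        return True
    return today - scan.last_credentialed > CREDENTIALED_MAX_AGE


def risk_report(scans, today):
    """Rank hosts by weighted score. Hosts without a current credentialed scan
    are flagged: per ISEC's tests an un-credentialed scan finds under 10% of
    critical findings, so their score is a floor, not a measurement."""
    rows = []
    for s in scans:
        rows.append({
            "host": s.host,
            "score": risk_score(s.findings),
            "urgent": sum(1 for f in s.findings if f.severity == "Urgent"),
            "credentialed_overdue": credentialed_overdue(s, today),
        })
    # Highest score first; overdue hosts first within a tie; then by name.
    rows.sort(key=lambda r: (-r["score"], not r["credentialed_overdue"], r["host"]))
    return rows


# Constructed sample data: hostnames, dates, QIDs and titles are made up.
TODAY = date(2024, 3, 15)
SAMPLE_SCANS = [
    HostScan("web01.example.edu", date(2024, 3, 12), [
        Finding(100001, "Remote command execution in web framework", "Urgent"),
        Finding(100002, "Directory browsing enabled", "Serious"),
        Finding(100003, "Server version disclosed in banner", "Medium"),
    ]),
    HostScan("db02.example.edu", date(2024, 3, 1), [   # credentialed scan 14 days old
        Finding(100004, "User enumeration via service", "Critical"),
    ]),
    HostScan("print03.example.edu", None, [            # never credential-scanned
        Finding(100005, "Open TCP ports reported", "Minimal"),
    ]),
]


def sample_report():
    return risk_report(SAMPLE_SCANS, TODAY)


if __name__ == "__main__":
    for row in sample_report():
        flag = "  (credentialed scan overdue)" if row["credentialed_overdue"] else ""
        print(f"{row['host']:22} score={row['score']:3} urgent={row['urgent']}{flag}")
```

The overdue flag is deliberately separate from the score: a host that has only ever been scanned without credentials can look clean while hiding most of its critical findings, so the report should drive a credentialed scan for that host rather than a low-priority ticket.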