Security, Vulnerability Scanning Program, General Information
Overview of Vulnerability Scanning Program including information on tools used and reports generated.
This document details the security vulnerability program, common sources, tools, and policies used by Security for vulnerability management at the University of Illinois. Please note that while the Cyber Security Operations Center (CSOC) performs security vulnerability scans in many instances, individual system, infrastructure, and service stewards are responsible for discovering and managing their exposures, vulnerabilities, and associated risks.
System Vulnerability Scanning
- Goal: Continuously probe university systems and networks for vulnerabilities and exposures such that the university has the most accurate and timely information.
- Goal: Provide service owners with access to accurate and timely vulnerability information.
- Goal: Perform timely scans of critical infrastructure including data centers.
- Service: Consult with stakeholders, service managers, and interested parties regarding: understanding results, understanding tools available, security scanning practices, planning/prioritizing remediation, validating results.
- Limitation: Scanning is currently scoped only to the wired network under the purview of UofI.
Application / Web application Vulnerability Scanning
- Goal: Provide recommendations and resources for application owners to perform application scans.
- Service: Provide web resources and consulting on tools available.
- Limitation: No purchased campus application scanner is currently available.
- Limitation: Application owners must know secure coding practices and steps for remediating applications.
- Limitation: Vulnerability remediation of applications must be done by application owners.
Internal / External Vulnerability Reports
- Goal: Provide a source for Internal / External agencies to report vulnerabilities.
- Goal: Review, approve, and implement appropriate external reporting and scanning services.
- Service: Validate reports and forward appropriate information to service owners and stewards.
- Service: Respond to critical vulnerabilities with appropriate action sanctioned by university leadership.
- Service: Report overall state of vulnerability detection capabilities and known campus vulnerabilities to campus leadership.
- Limitation: Internal scanning may only be conducted on services / systems owned by the unit and must use approved security tools.
- Limitation: External reports vary in quality and validation requirements may exceed staffing resources.
Network, system, and application scanning all have inherent risk. This practice is approved by both campus and Technology Services Leadership to understand campus vulnerability and risk. Where possible, internal and external scans are limited to avoid systems and service interruptions. Scanning tools and services are continuously reviewed.
Vulnerability Scanning Practice and Tools
The below tools or services are commonly utilized as sources of vulnerability data on campus.
HOW TO GET/USE
|Qualys Cloud Platform||Cloud SaaS tool used to detect and track host and network level vulnerabilities. Scanning engines are hosted on-prem and in the Qualys Cloud||IT Pros responsible for campus networks can logon to Qualys to review vulnerability data.|
|Nmap||Scriptable port scanner||Free tool; Can be downloaded, installed and used by responsible IT pros on any Linux or Windows computer|
|Dorkbot||External web application scanner run by UT Austin which continually scans all Illinois assets https://security.utexas.edu/dorkb||Privacy and Security will monitor vulnerability reports and communicate confirmed vulnerabilities to unit|
|Burp Pro||Manual/automated web application vulnerability testing tool||Security/SDG QA use only. Free version available but has limited but useful functionality.|
- Recommended Scanning Profiles have been developed for the Qualys platform. These profiles provide preconfigured scan settings that have been tested on campus systems and networks.
- Access to the Qualys platform is provided by an integration with CDB.
- Scan reports are considered confidential and should not be shared with non-stakeholders unless authorized by the campus Chief Privacy and Security Officer.
- Reports will be made available to system and service managers, their managers and directors (on request) and the Vulnerability Assessment Team.
- Qualys scans will be stored in the Security Office's logging environment for correlation with network based attacks.
Scanning Engine Source List
Technology Services maintains multiple vulnerability assessment technologies each targeting specific layer in the service delivery stack, though some degree of overlap exists in each.
Authorized scanning resources are listed below for general reference. This is a non-inclusive list as the vulnerability program needs it may use additional resources not listed here. External agencies both approved and not approved continuously scan our network for vulnerabilities. If you have questions about scanning activity from the any source, feel free to contact email@example.com
|Nmap, Nessus, custom, others*||scanner.opia.illinois.edu||220.127.116.11||*Multipurpose security scanner, other tools used as needed|
|Nmap, Nessus, custom, others*||scanner2.opia.illinois.edu||18.104.22.168||*Multipurpose security scanner, other tools used as needed|
|Qualys local network scan engine||qg00.cites.illinois.edu||22.214.171.124||Scanning appliance|
|Qualys local network scan engine||qg01.cites.illinois.edu||126.96.36.199||Scanning appliance|
|Qualys local network scan engines||qvsa[00-03].virtual.illinois.edu||188.8.131.52-184.108.40.206||Scanning appliances|
|Qualys cloud scanning engines||---||220.127.116.11/20||External scanning appliances within the Qualys Cloud Platform|
External web application scanner run by UT Austin which continually scans all Illinois assets https://security.utexas.edu/dorkbot
|Shodan||census[1-12].shodan.io||†||†There are many shodan scanners, but they all should resolve to shodan.io addresses. Use the shodan web console to enumerate info found by Shodan|
IT Security Standards and Controls Information
Scans using the recommended profile meet the controls regarding unauthenticated vulnerability scanning: - IT03.10.1 - IT04.10.1 - IT10.10.1
Separate authenticated or agent-based scans are required for High Risk systems.
Detailed information about security controls can be found at: https://cybersecurity.uillinois.edu/controls
Recurring Scan Practices
Regular vulnerability scans are conducted to maintain accurate and timely vulnerability information for campus assets. These scans are conducted with the Qualys Cloud Platform.
- Administrators and stewards are responsible for reviewing critical scan results and are expected to remedy or mitigate exposures in a timely fashion.
- Systems may be re-scanned after vulnerabilities are addressed.
- Systems that display an unusually large number of vulnerabilities, or are subject to an unusually large number of security incidents may be scanned at a higher frequency, (possibly daily or weekly) until these systems fall into the range of acceptable risk, as determined by campus.
- Every wired device on the network is to be scanned at least monthly.
- Current scanning covers 3,200 CDB asset groups and around 70,000 hosts.
- Scanning is scheduled based on asset groups in CDB and notification is sent based on primary contacts.
- For information on the CDB integration see https://answers.uillinois.edu/internal/page.php?id=108152
- The scan profile has been determined to be the minimum required to get basic vulnerability information.
- The scans currently utilize the Recommended Standard Scan Options profile.
- Devices disrupted by this type of scan are considered vulnerable by default as this indicates susceptibility to DoS or other style attacks.
- Exceptions to scanning can be requested by completing this form: https://go.illinois.edu/scanningexception
- Devices not excluded or scanned manually with this profile will be considered compliant with IT04.10.1 IT03.10.1 and IT10.10.1 vulnerability controls.
Quarterly Datacenter Scan (In place until continuous wired scan proves inclusive of this)
- Every active development or test machine in a Tech Services data center will be scanned on the third Thursday of the month. The scans will start at 10:30 AM.
- Every active production machine in a Tech Services data center will be scanned four times a year beginning at 10:30 AM on the following dates:
- Tuesday of Spring Break
- Tuesday following June 15th
- Tuesday of Fall Break
- Tuesday following January 4th
- Note that there may be some variation in the above schedule due to unexpected operational needs, however a notice will always be delivered to stakeholders containing a scan notice with the intended window prior to any scan event.
- Network scans will use all available plugins, except those deemed too impactful or inappropriate by the service manager of the scanning service.
- If a certain plugin is causing problems, system administrators should contact the service manager of the scanning service.
Network Port: A numeric identifier assigned to different TCP or UDP channels on a network interface. Although port numbers range from 0 to 65535, many well-known services have reserved port numbers between 0 and 1024 (e.g., HTTP uses port 80, Telnet uses port 23, and FTP uses ports 20 and 21.) To establish a session with a host, a network request must be sent to the appropriate port number on the host (i.e. to establish an HTTP session with a web server, your workstation software will send a request to port 80 of the web server).
Port Mapping: The process of sending packets to selected service port numbers (HTTP-80, Telnet-23, etc.) of a computing system with the purpose of collecting information such as available network services from that system. This non-invasive process is helpful for troubleshooting system problems or tightening system security. Network port scanning is an information gathering process, and when performed by unknown individuals it can be a prelude to attack.
Scanning: The process of gathering information on computing systems, which may be used for system maintenance, security assessment and investigation, and for attack. This process includes port mapping, vulnerability scanning; and at times (with the cooperation from system owners), authentication and internal information gathering. If used properly, scanning of this type is an excellent tool for protecting University information resources. Malicious scans can be a prelude to the disclosure of sensitive data, loss of service, and damage to the University's reputation in the global community.
Vulnerability Scanning: The process of identifying known vulnerabilities of computing systems on the network. This process goes a step beyond identifying the available network services of a system as performed by a network port scan. The vulnerability scan attempts to identify specific weaknesses in the operating system or application software, which can be used to compromise or crash the system. The vulnerability scan is also an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
Application Scanning: The process of identifying known vulnerabilities in software applications using automated scanning tools. These tools use methods such as querying and spidering to identify all pages and functions in a web site or application. It then tests the limits of each function or input identified with tests developed against common vulnerabilities and common OWASP Top 10 flaws such as cross-site scripting, sequel injection, injection through i-frames, cross-site request forgery, authentication bypass, and other commonly occurring issues.
For any questions please email.