Overview of Vulnerability Scanning Program including information on tools used and reports generated.
This document details the security vulnerability program, common sources, tools, and policies used by Security for vulnerability management at the University of Illinois. Please note that while the Cyber Security Operations Center (CSOC) performs security vulnerability scans in many instances, individual system, infrastructure, and service stewards are responsible for discovering and managing their exposures, vulnerabilities, and associated risks.
System Vulnerability Scanning
Application / Web application Vulnerability Scanning
Internal / External Vulnerability Reports
Network, system, and application scanning all carry inherent risk. This practice is approved by both campus and Technology Services Leadership to understand campus vulnerability and risk. Where possible, internal and external scans are limited to avoid system and service interruptions. Scanning tools and services are continuously reviewed.
The tools and services below are commonly used as sources of vulnerability data on campus.
|TOOL||DESCRIPTION||HOW TO GET/USE|
|Qualys Cloud Platform||Cloud SaaS tool used to detect and track host- and network-level vulnerabilities. Scanning engines are hosted on-prem and in the Qualys Cloud.||IT Pros responsible for campus networks can log on to Qualys to review vulnerability data.|
|Nmap||Scriptable port scanner||Free tool; can be downloaded, installed and used by responsible IT pros on any Linux or Windows computer.|
|Dorkbot||External web application scanner run by UT Austin which continually scans all Illinois assets https://security.utexas.edu/dorkbot||Privacy and Security will monitor vulnerability reports and communicate confirmed vulnerabilities to the unit.|
|Burp Pro||Manual/automated web application vulnerability testing tool||Security/SDG QA use only. A free version is available with limited but useful functionality.|
|OWASP Zed Attack Proxy (ZAP)||Web application vulnerability testing tool. Can be used with the Desktop Graphical User Interface or Docker.||Free tool; can be downloaded, installed and used by responsible IT pros. Documentation, including their Getting Started Guide, is available.|
Technology Services maintains multiple vulnerability assessment technologies, each targeting a specific layer in the service delivery stack, though some degree of overlap exists between them.
Authorized scanning resources are listed below for general reference. This is not an exhaustive list; as the vulnerability program requires, additional resources not listed here may be used. External agencies, both approved and not approved, continuously scan our network for vulnerabilities. If you have questions about scanning activity from any source, feel free to contact email@example.com
|TOOL||HOSTNAME||IP ADDRESS||NOTES|
|Nmap, Nessus, custom, others*||scanner.opia.illinois.edu||22.214.171.124||*Multipurpose security scanner, other tools used as needed|
|Nmap, Nessus, custom, others*||scanner2.opia.illinois.edu||126.96.36.199||*Multipurpose security scanner, other tools used as needed|
|Qualys local network scan engine||qg00.cites.illinois.edu||188.8.131.52||Scanning appliance|
|Qualys local network scan engine||qg01.cites.illinois.edu||184.108.40.206||Scanning appliance|
|Qualys local network scan engines||qvsa[00-03].virtual.illinois.edu||220.127.116.11-18.104.22.168||Scanning appliances|
|Qualys cloud scanning engines||---||22.214.171.124/20||External scanning appliances within the Qualys Cloud Platform|
External web application scanner run by UT Austin which continually scans all Illinois assets https://security.utexas.edu/dorkbot
|Shodan||census[1-12].shodan.io||†||†There are many Shodan scanners, but they should all resolve to shodan.io addresses. Use the Shodan web console to enumerate information found by Shodan.|
Scans using the recommended profile meet the controls regarding unauthenticated vulnerability scanning:
- IT03.10.1
- IT04.10.1
- IT10.10.1
Separate authenticated or agent-based scans are required for High Risk systems.
Detailed information about security controls can be found at: https://cybersecurity.uillinois.edu/controls
Regular vulnerability scans are conducted to maintain accurate and timely vulnerability information for campus assets. These scans are conducted with the Qualys Cloud Platform.
Quarterly Datacenter Scan (In place until continuous wired scan proves inclusive of this)
Network Port: A numeric identifier assigned to different TCP or UDP channels on a network interface. Although port numbers range from 0 to 65535, many well-known services have reserved port numbers between 0 and 1024 (e.g., HTTP uses port 80, Telnet uses port 23, and FTP uses ports 20 and 21.) To establish a session with a host, a network request must be sent to the appropriate port number on the host (i.e. to establish an HTTP session with a web server, your workstation software will send a request to port 80 of the web server).
Port Mapping: The process of sending packets to selected service port numbers (HTTP-80, Telnet-23, etc.) of a computing system with the purpose of collecting information such as available network services from that system. This non-invasive process is helpful for troubleshooting system problems or tightening system security. Network port scanning is an information gathering process, and when performed by unknown individuals it can be a prelude to attack.
Scanning: The process of gathering information on computing systems, which may be used for system maintenance, security assessment and investigation, and for attack. This process includes port mapping, vulnerability scanning, and at times (with cooperation from system owners) authentication and internal information gathering. If used properly, scanning of this type is an excellent tool for protecting University information resources. Malicious scans can be a prelude to the disclosure of sensitive data, loss of service, and damage to the University's reputation in the global community.
Vulnerability Scanning: The process of identifying known vulnerabilities of computing systems on the network. This process goes a step beyond identifying the available network services of a system as performed by a network port scan. The vulnerability scan attempts to identify specific weaknesses in the operating system or application software, which can be used to compromise or crash the system. The vulnerability scan is also an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
Application Scanning: The process of identifying known vulnerabilities in software applications using automated scanning tools. These tools use methods such as querying and spidering to identify all pages and functions in a web site or application. They then test the limits of each function or input identified, using tests developed against common vulnerabilities and common OWASP Top 10 flaws such as cross-site scripting, SQL injection, injection through iframes, cross-site request forgery, authentication bypass, and other commonly occurring issues.
For any questions please email.