To provide a common set of methodologies and requirements to standardize vulnerability scans on campus systems, applications and networking infrastructure.
Vulnerability scans provide critical information to the Information Security Office and management as part of the risk assessment process for campus systems. There are three types of vulnerability scans in use at Humboldt State. Vulnerability scans also provide a mechanism for system administrators to assess the security posture of the servers they manage by probing the system for open ports, services and application and operating system patch levels. Open ports are queried for information regarding what services are listening and each service is compared against a database of known vulnerabilities or issues. System Administrators can utilize vulnerability scan reports to assess the security posture of their system and outline remediation tasks required to bring the system into compliance.
A discovery scan involves scanning the campus network for connected systems and identifying services these systems provide. Discovery scans are lightweight scans that do not analyze discovered services for vulnerabilities or exploits. The Information Security Office performs weekly discovery scans of all server subnets on campus as well as on demand scanning.
A vulnerability scan examines information provided by discovery scans and performs a more in-depth scan against a designated system or network. The campus scanner then compares these results against an industry-vetted database of vulnerabilities and exploits and provides a report to the Information Security Office. The Information Security Office provides vulnerability reports to System Administrators and System Owners upon request. The Information Security Office performs weekly security baseline scans against all systems to establish a security baseline for campus. These scans inspect identified services for potential vulnerabilities using only industry tested, low impact and non-intrusive methods.
Intrusive scans and penetration testing are scans that actively attempt to verify vulnerabilities discovered on a system. The Information Security Office performs intrusive scans using the campus vulnerability scanner and penetration tests using a variety of security tools. The Information Security Office will coordinate with support personnel prior to running either of these scans. The Information Security Office will provide reports to the appropriate individuals upon the completion of these scans.
The Information Security Office provides vulnerability scanning as a service to the campus community. The Information Security Office will remove network access for any unauthorized scanners discovered on the network. Information Security Office personnel are available for questions regarding vulnerability scanners and scheduling vulnerability scans.