• Vulnerability Management User Guide
• Vulnerability Management Overview
• Vulnerability Management Program - Priorities

What are we doing?

• Daily scanning of every host on campus with a variety of tools: including Tenable.sc Nessus, Nessus Agents and Nmap
• Routine reporting of results into dashboards (and raw data) for the IT community to leverage and track
• Escalating some more significant results into network quarantines based on Vulnerability Management Program Priorities

Where do I start?

• Step #1: Make sure our systems can talk to you!
  • Allow the following subnet to connect to every port (if possible): 146.6.161.0/25
  • If that is not possible, at the very least allow the following:
    • Linux: 22 (TCP)
    • Windows: 139 (TCP), 445 (TCP)
       
• Step #2: Make sure we can do credentialed scans, or install a Nessus Agent.
  • For Windows hosts, make sure that the austin domain account austin.utexas.edu/iso65 has administrative access. If you still have problems, check here: https://community.tenable.com/s/article/Troubleshooting-Credential-scanning-on-Windows
  • For Linux hosts, make sure that iso65 is setup as a user and can login with the following public key:
    • ssh-rsa 

AAAAB3NzaC1yc2EAAAABIwAAAQEApl/oEDMHKaVAObrkCA7o/gJgXAFKS6Ty+Hinu17oz/Gxd++ggtEXD3bTZ2XQbwwLcCfFYQPdHo408sslZnPTbwTdBH0KWn1NvELVIKG0zTCZLtpo/o/T6AFjyCRqpaCsi+ohcbsMp8bD4e8UhLq7fGO2922+p/Hk3R/lyNp8UV11VuZImdLGrXOHRkcmwwgUC7oKcnKdLIQOtoahj/5fStjtPbFrfdNAPi+p0rtjWe1HQo0tPEc7eFFJI/luvfrG5vzxaPJYMJbdm3idIVUgo8VAFVyC9qhdkmLstmb5i2W8YCby5qRCYdMqmbJGiELxWpI7aYqlwtebhOicK2GSVw== iso65@utexas.edu

•  
  • Note: we do NOT recommend that you set iso65 up with root privileges at this time.
  • Nessus Agents: These are client-side applications that perform thorough, accurate scans of hosts without the need for traditional, credentialed network vulnerability scans. More information, including deployment instructions, can be found at security.utexas.edu/nessus-agents.
     
• Step #3: Look at your data!
  • Start here: https://splunk.security.utexas.edu/en-US/app/mss_app/tenable_hosts?form.filter=deptcode%3DYOUR_FOUR_LETTER_DEPTCODE_HERE
  • You should be able to see your highest risk vulnerabilities and systems at the top. If you get no results after entering your department code, fill out this form: https://forms.security.utexas.edu/splunk_onboarding/splunk_onboarding
    • Under requested indexes, enter "utexas-chomp"

How does Vulnerability Management work?

• Step #1: On a daily basis, vulnerabilities are automatically added and updated based on changes in the industry. These updated vulnerability checks are added to the campus-wide vulnerability scans that occur daily.
• Step #2: The ISO will apply a risk rubric to the vulnerability results that are generated from the vulnerability scans, which are based on risk, threat level, pervasiveness, etc.
• Step #3: If the vulnerability is widespread (hundreds of systems), the ISO will begin a phased approach to mitigation.
  • Phase #1: Leverage an automated daily scan cadence that will let departments get quick feedback on their remediation efforts.
  • Phase #2: Notify departmental contacts with large lists in csv format so they can begin remediation
  • Phase #3: Once the mitigation has sufficiently progressed (down to 10s of systems), these notices will be transitioned into 30 or 7 day quarantine notices.
  • Phase #4: Depending on the risk of the vulnerability, increase to immediate quarantine.
• Note: if the vulnerability is seen on fewer than 100 systems, the ISO may start at Phase 3, and will rarely start at Phase 4, depending on the severity of the vulnerability and generally with notification to the campus IT community.

How do vulnerability notifications work?

•  Our vulnerability management notifications use Isora's contact info for a host (when the host is present in Isora and we can match on identifying data).
• When we're able to match a vulnerable host to a host in Isora (or identify a vulnerable host's owning department code), we include all the Isora IT Staff and Assessment Manager contacts linked to the host's owning department code.
• If there are host-specific contacts designated in the host entry (e.g., Owners, IT Contacts, Users), we also include those folks in the vuln notification.
• For each inventory sheet, you can select which host-specific fields you want to be included in security notifications. You can review more details on this process in our Isora documentation. 

Why do we need vulnerability management?

In order to reduce information security risks, the UT Information Security Office (ISO) conducts daily vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. The ISO may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers.  The data from the tools used by the ISO are also made available to the IT support community. 

Which systems/services/applications will be scanned?:

All systems and applications connected to the campus network will be scanned. Systems and applications hosted in other networks using university domain names will also be in scope for assessment.

When will vulnerability assessments be conducted?:

It is possible that high priority vulnerabilities will be assessed on a very active schedule (e.g., hourly) given the threat they present.   Other lower risk vulnerabilities will be assessed on a daily basis.

Where will vulnerability scans emanate from?:

The UT ISO employs a wide variety of scanning resources.  Some of these exist on campus, while others leverage networks external to campus to ensure the proper visibility can be obtained.  The ISO does disclose the network location of on-campus scanning resources to the IT support community (See User Guide).  It is important that the IT support community avoid actively filtering or blacklisting these on-campus scanning resources.

What data is collected and how will it be used?:

Vulnerability scanning and other passive detection capabilities will provide an inventory of vulnerabilities and the related weightings. This data will be treated as Confidential university data. In addition, the vulnerability assessment processes should not cause network outages although system and application administrators may see log entries of the activity reflected in their logs. Additionally, printers using legacy protocols (e.g., jetdirect, lpd) could print pages when being scanned -- such devices should be configured to use more secure printing protocols (e.g., IPP) or should have a exception requested to exclude them from scanning. Note exceptions for printers exposed to the global Internet will not be permitted.

What Information Security Policy and Standards is this based on?:

The UT Information Security Office’s minimum security standards form the basis of this program and requires that any system or application in scope be regularly assessed for security vulnerabilities:

Information Resources Use and Security Policy
https://security.utexas.edu/policies/irusp

Minimum Security Standards for Systems
https://security.utexas.edu/policies/minimum-security-standards-systems

Minimum Security Standards for Mission-Critical Systems
https://security.utexas.edu/policies/minimum-security-standards-mission-critical-systems

Minimum Security Standards for Application Development and Administration
https://security.utexas.edu/policies/standards_application

Critical (Priority - 1):

Vulnerabilities that are remotely exploitable with little effort or sophistication, which could result in compromise of a system or application.  Examples of such a vulnerability include systems vulnerable to remote/local code execution attacks, applications vulnerable to attacks that lead to data exfiltration, systems/applications no longer supported by manufacturer/vendor, vulnerable systems used to launch attacks against others, etc.  

Important (Priority - 2):

Vulnerabilities that are highly susceptible to exploitation through focused and/or targeted attack. Examples of such a vulnerability include network services that susceptible to brute-force attack, weak or compromised encryption, network services that should generally not be exposed to the global Internet.

Moderate (Priority - 3):

Vulnerabilities that are lower risk and may require a high-level of sophistication, but that could increase the attack surface for the university network, expose confidential data or could unnecessarily elevate the overall risk to the campus.  Examples include systems running commodity IT services not located in an approved campus data center, systems using self-signed certificates for services used by several users, site does not enforce HTTPS, etc.  

Informational (Priority - 4):

This classification is intended to raise awareness of configurations, services or use cases that could potentially present an unnecessary risk to the unit or to the campus at large.