Table of Contents

Vulnerability Management - User Guide

What are we doing?

  • Routine scanning of every host on campus with a variety of tools including tenable.sc and nmap
  • Reporting of results into dashboards, e.g:
  • Turning results into quarantines during Vulnerability Mitigation Campaigns*

Where do I start?

  • Step #1: Make sure our systems can talk to you!
    • Allow the following subnet to connect to every port (if possible): 146.6.161.0/25
    • If that is not possible, at the very least allow the following:
      • Linux: 22 (TCP)
      • Windows: 139 (TCP), 445 (TCP)
         
  • Step #2: Make sure we can do credentialed scans, or install a Nessus Agent.
AAAAB3NzaC1yc2EAAAABIwAAAQEApl/oEDMHKaVAObrkCA7o/gJgXAFKS6Ty+Hinu17oz/Gxd++ggtEXD3bTZ2XQbwwLcCfFYQPdHo408sslZnPTbwTdBH0KWn1NvELVIKG0zTCZLtpo/o/T6AFjyCRqpaCsi+ohcbsMp8bD4e8UhLq7fGO2922+p/Hk3R/lyNp8UV11VuZImdLGrXOHRkcmwwgUC7oKcnKdLIQOtoahj/5fStjtPbFrfdNAPi+p0rtjWe1HQo0tPEc7eFFJI/luvfrG5vzxaPJYMJbdm3idIVUgo8VAFVyC9qhdkmLstmb5i2W8YCby5qRCYdMqmbJGiELxWpI7aYqlwtebhOicK2GSVw== iso65@utexas.edu

 

*How will Vulnerability Mitigation Campaigns work?

  • Step #1: The ISO will identify a particularly high-risk vulnerability that is visible via its toolset.
  • Step #2: The ISO will do an initial assessment to see how widespread the vulnerability is.
  • Step #3: If the vulnerability is widespread (hundreds of systems), the ISO will begin a phased approach to mitigation.
    • Phase #1: Create an accelerated scan cadence that will let departments get quick feedback on their remediation efforts.
    • Phase #2: Notify departmental contacts with large lists in csv format so they can begin remediation
    • Phase #3: Once the mitigation has sufficiently progressed (down to 10s of systems), start by setting either a 30 or 7 day quarantine. 
    • Phase #4: Depending on the risk of the vulnerability, increase to immediate quarantine.
  • Note: if the vulnerability is seen on fewer than 100 systems, the ISO may start at Phase 3, and will rarely start at Phase 4, depending on the severity of the vulnerability.

Vulnerability Management Overview

 

Why do we need vulnerability management?:

In order to reduce information security risks, the UT Information Security Office (ISO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. The ISO may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers.  Many of the tools used by the ISO will also be made available to the IT support community. 

Which systems/services/applications may be scanned?:

All systems and applications connected to the campus network may be scanned. Systems and applications hosted in other networks using university domain names will also be in scope for assessment.

When will vulnerability assessments be conducted?:

It is possible that high priority vulnerabilities will be assessed on a very active schedule (e.g., hourly) given the threat they present.   Other lower risk vulnerabilities will be assessed on less frequent cadences (e.g., daily, weekly, monthly) depending on their respective risk profile.

Where will vulnerability scans emanate from?:

The UT ISO employs a wide variety of scanning resources.  Some of these exist on campus, while others leverage networks external to campus to ensure the proper visibility can be obtained.  The ISO does disclose the network location of on-campus scanning resources to the IT support community (See User Guide).  It is important that the IT support community avoid actively filtering or blacklisting these on-campus scanning resources.

What data is collected and how will it be used?:

Vulnerability scanning and other passive detection capabilities will provide an inventory of vulnerabilities and the related criticalities. This data will be treated as Confidential university data. The vulnerability assessment processes will not aim to search the content of personal electronic files on the scanned systems unless they are exposed to the public. In addition, the vulnerability assessment processes should not cause network outages although system and application administrators may see log entries of the activity reflected in their logs.

What Information Security Policy and Standards is this based on?:

The UT Information Security Office’s minimum security standards form the basis of this program and requires that any system or application in scope be regularly assessed for security vulnerabilities:

 

Information Resources Use and Security Policy
https://security.utexas.edu/policies/irusp

Minimum Security Standards for Systems
https://security.utexas.edu/policies/minimum-security-standards-systems

Minimum Security Standards for Mission-Critical Systems
https://security.utexas.edu/policies/minimum-security-standards-mission-critical-systems

Minimum Security Standards for Application Development and Administration
https://security.utexas.edu/policies/standards_application

Vulnerability Management Program - Priorities

 

Critical (Priority - 1):

Vulnerabilities that are remotely exploitable with little effort or sophistication, which could result in compromise of a system or application.  Examples of such a vulnerability include systems vulnerable to WannaCry attacks, remote/local code execution attacks, applications vulnerable to attacks that lead to data exfiltration, systems/applications no longer supported by manufacturer/vendor, vulnerable systems used to launch attacks against others, etc.  

 
ISO ActionRequired Remediation
  • Notice sent to unit's IT contacts with bcc: to unit head.
  • Immediate network quarantine or user disable triggered.
  • System or application must be patched, updated, or otherwise secured to ensure it is no longer vulnerable to the related attack vector.
  •  Unit's delegate removes quarantine once secured.

 

Examples  
  • Systems vulnerable to amplification attacks
  • System with default/missing passwords
  • Authentication bypass
  • Application vulnerabilities like: SQLi, OSi, XSS, RFI, LFI
  • Systems vulnerable to EternalBlue/WannaCry
  • Trivial privilege escalation 
  • Misconfigured proxies
  • Open X servers
  • Open/accessible databases (e.g., Redis, MongoDB)

 

Important (Priority - 2):

Vulnerabilities that are highly susceptible to exploitation through focused and/or targeted attack. Examples of such a vulnerability include network services that susceptible to brute-force attack, weak or compromised encryption, network services that should generally not be exposed to the global Internet.

ISO ActionRequired Remediation
  • Notice sent to unit's IT contacts with bcc: to unit head.
  • Delayed network quarantine triggered (effective 168-hrs or 7-days from notification).
  • System or application must be patched, updated, or otherwise secured to ensure it is no longer vulnerable to the related attack vector.
  •  Unit's delegate removes quarantine once secured.

 

Examples  
  • Network services highly vulnerable to password-based brute force attacks (SSH / VNC / RDP / Telnet / FTP / TFTP) exposed to global Internet.
  • Expired/insecure SSL certificates.
  • Database services (MySQL, MS-SQL, PostgreSQL, Oracle, etc.) exposed to global Internet.
  • Weak embedded devices (printers, IoT, etc.) exposed to global Internet.

 

Moderate (Priority - 3):

Vulnerabilities that are lower risk and may require a high-level of sophistication, but that could increase the attack surface for the university network, expose confidential data or could unnecessarily elevate the overall risk to the campus.  Examples include systems running commodity IT services not located in an approved campus data center, systems using self-signed certificates for services used by several users, site does not enforce HTTPS, etc.  

ISO ActionRequired Remediation
  • Notice sent to unit's IT contacts (e.g., as a weekly or monthly summary).
  • Delayed network quarantine triggered (effective 720-hrs or 30-days from notification),  but notice indicates that a quarantine could be possible in the event threats evolve.
  • System or application must be patched, updated, or otherwise secured to ensure it is no longer vulnerable to the related attack vector.
  •  Unit's delegate removes quarantine once secured.

 

Examples  
  • Commodity IT services in departmental buildings.
  • Self-signed certificates for high-traffic services.
  • Sites that do not enforce HTTPS
  • TLS certificate without revocation control
  • Lack of Multi-factor authentication integration
  • Lack of network isolation where needed

 

Informational (Priority - 4):

This classification is intended to raise awareness of configurations, services or use cases that could potentially present an unnecessary risk to the unit or to the campus at large.

ISO ActionRequired Remediation
  • No notice sent, but information is presented in vulnerability management program dashboard for unit to consider
  • No action is required, but unit is encouraged options to reduce the exposure risk when resources are available or as systems are being updated.

 

Examples  
  • An inordinate number of network services advertised to the global Internet.
  • Significant changes in a system's usage profile.
  • Vendor support soon to end.
  • Security intelligence or chatter about a service or system being used.