Vulnerability Scanning

The IT Security office offers customized vulnerability scanning for departments. Vulnerability scans are designed to identify potential vulnerabilities and security problems with operating systems, application software, and network configurations. A vulnerability scan can target a specific area of concern (for example, web server configuration) or be a broad, exhaustive audit of a system's configuration. The vulnerability scan process is designed to assist system administrators in addressing potential security problems.

What to Expect

The IT Security office will schedule a time with you to scan your devices and will establish the scope of the scan. After the scan has been completed, the security office will prepare a summary report outlining any major security concerns and provide a complete copy of the vulnerability scan reports.

Request a Scan

Vulnerability scans can be requested through the Virginia Tech ServiceNow Catalog. Once submitted, an analyst with the Security Office will contact you to discuss the details of the scan.

Request Vulnerability Scan (ServiceNow)

Vulnerability Scanning Overview

Why do we scan for vulnerabilities?

In order to reduce information security risks, the Virginia Tech IT Security Office (ITSO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. The ITSO may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers. Many of the tools used by the ITSO will also be made available to the IT support community.

Which systems/services/applications may be scanned?

All systems and applications connected to the campus network may be scanned. Systems and applications hosted in other networks using university domain names will also be in scope for assessment.

When will vulnerability assessments be conducted?

It is possible that high priority vulnerabilities will be assessed on a very active schedule (e.g., hourly) given the threat they present. Other lower risk vulnerabilities will be assessed on less frequent cadences (e.g., daily, weekly, monthly) depending on their respective risk profile.

From where will vulnerability scans emanate?

The ITSO employs a wide variety of scanning resources. Some of these exist on campus, while others leverage networks external to campus to ensure the proper visibility can be obtained. The ITSO does disclose the network location of on-campus scanning resources to the IT support community. It is important that the IT support community avoid actively filtering or blacklisting the following resources:

  • cornflakes.iso.vt.edu
  • specialk.iso.vt.edu

What data is collected and how will it be used?

Vulnerability scanning and other passive detection capabilities will provide an inventory of vulnerabilities and the related criticalities. This data will be treated as Confidential university data. The vulnerability assessment processes will not aim to search the content of personal electronic files on the scanned systems unless they are exposed to the public. In addition, the vulnerability assessment processes should not cause network outages although system and application administrators may see log entries of the activity reflected in their logs.

What Information Security Policy and Standards is this based on?

The ITSO’s minimum security standards form the basis of this program and require that any system or application in scope be regularly assessed for security vulnerabilities:

Minimum Security Standards for Systems

Virginia Tech Minimum Security Standards (PDF)

Acceptable Use of Information Systems at Virginia Tech

Acceptable Use Policy

Vulnerability Scanning - Priorities

Critical (Priority - 1):

Vulnerabilities that are remotely exploitable with little effort or sophistication, which could result in compromise of a system or application.  Examples of such a vulnerability include systems vulnerable to WannaCry attacks, remote/local code execution attacks, applications vulnerable to attacks that lead to data exfiltration, systems/applications no longer supported by manufacturer/vendor, vulnerable systems used to launch attacks against others, etc.  

 
ITSO Action
  • Incident sent to unit's Network Liaisons/IT contacts through ServiceNow.
  • Immediate network quarantine or user disable triggered.

Required Remediation
  • System or application must be patched, updated, or otherwise secured to ensure it is no longer vulnerable to the related attack vector. Any critical and high severity security patches must be installed within 7 days of publish.
  • Unit's delegate removes quarantine once secured.

 

Examples    
  • Systems vulnerable to amplification attacks
  • System with default/missing passwords
  • Authentication bypass
  • Application vulnerabilities like: SQLi, OSi, XSS, RFI, LFI
  • Systems vulnerable to EternalBlue/WannaCry
  • Trivial privilege escalation 
  • Misconfigured proxies
  • Open X servers
  • Open/accessible databases (e.g., Redis, MongoDB)

 

Important (Priority - 2):

Vulnerabilities that are highly susceptible to exploitation through focused and/or targeted attack. Examples of such a vulnerability include network services that are susceptible to brute-force attack, weak or compromised encryption, and network services that should generally not be exposed to the global Internet. Application and general security patches must be installed within 90 days of publish.

ITSO Action
  • Incident sent to unit's Network Liaisons/IT contacts through ServiceNow.
  • Delayed network quarantine triggered (effective 120 hours or 5 days from notification).

Required Remediation
  • System or application must be patched, updated, or otherwise secured to ensure it is no longer vulnerable to the related attack vector.
  • Unit's delegate removes quarantine once secured.

 

Examples    
  • Compromised/weak encryption technology (e.g., SSLv3, TLS1.0, weak ciphers, weak algorithms).
  • Expired/insecure SSL certificates.
  • Network services highly vulnerable to password-based brute force attacks (SSH / VNC / RDP / Telnet / FTP / TFTP) exposed to global Internet.
  • Database services (MySQL, MS-SQL, PostgreSQL, Oracle, etc.) exposed to global Internet.
  • Weak embedded devices (printers, IoT, etc.) exposed to global Internet.

 

Moderate (Priority - 3):

Vulnerabilities that are lower risk and may require a high level of sophistication, but that could increase the attack surface for the university network, expose confidential data, or unnecessarily elevate the overall risk to the campus. Examples include systems running commodity IT services not located in an approved campus data center, systems using self-signed certificates for services used by several users, sites that do not enforce HTTPS, etc. Application and general security patches must be installed within 90 days of publish.

ITSO Action
  • Incident sent to unit's Network Liaisons/IT contacts.
  • Delayed network quarantine triggered (effective 720 hours or 30 days from notification), but notice indicates that a quarantine could be possible in the event threats evolve.

Required Remediation
  • System or application must be patched, updated, or otherwise secured to ensure it is no longer vulnerable to the related attack vector.
  • Unit's delegate removes quarantine once secured.

 

Examples    
  • Commodity IT services in departmental buildings.
  • Self-signed certificates for high-traffic services.
  • Sites that do not enforce HTTPS
  • TLS certificate without revocation control
  • Lack of Multi-factor authentication integration
  • Lack of network isolation where needed

 

Informational (Priority - 4):

This classification is intended to raise awareness of configurations, services or use cases that could potentially present an unnecessary risk to the unit or to the campus at large.

ITSO Action
  • No Incident created, but information is presented in vulnerability management program dashboard for unit to consider.

Required Remediation
  • No action is required, but unit is encouraged to consider options to reduce the exposure risk when resources are available or as systems are being updated.

 

Examples    
  • An inordinate number of network services advertised to the global Internet.
  • Significant changes in a system's usage profile.
  • Vendor support soon to end.
  • Security intelligence or chatter about a service or system being used.