As part of a comprehensive information security program, the campus Security Operations Center (SOC) regularly scans the campus IP address space looking for host systems with vulnerabilities. Vulnerabilities are software or configuration defects that allow an attacker to gain control of a system or disrupt its normal operations. These scans are conducted using network-based scanning as well as agent-based scanning from Nessus Agents.
Critical vulnerabilities are generally those that let an attacker with network access to a computer take complete control of the system by running arbitrary code at elevated privilege. In IT security circles this is referred to as “pwning” a system. The attacker can use it to steal data, disrupt operations, or use the system as a jumping-off (pivot) point to attack other systems behind otherwise closed networks. In this way, a critically vulnerable system puts the entire university at risk.
Vulnerabilities rated as high severity may be more difficult to exploit and may give an attacker less control of a system, but they can severely compromise the system, allow data to be stolen or modified, and disrupt normal operations.
When a vulnerable system is detected, the SOC notifies the administrators of the subnetwork to which the vulnerable system is connected. Their role is to identify the vulnerable system, identify the system owner, and ensure that the vulnerability is removed, usually by patching. They also have a responsibility to remove network access from systems that are compromised or have known vulnerabilities.
In some situations, vulnerable systems cannot be patched or updated. In these situations, a risk acceptance may be requested once one or more alternative mitigations have been employed, documented, and accepted by the hosting department or the CISO, as defined by system policy (IS-3).
If an administrator of a system has determined that a reported vulnerability is the result of a false positive, they should inform the SOC by submitting a Vulnerability Risk Acceptance request. A false positive is the detection of a vulnerability by the scanners when in fact no vulnerability exists. The SOC will routinely investigate false positives recorded by the Vulnerability Risk Acceptance program and determine whether there are actions the SOC can take to reduce or eliminate them.
A risk acceptance for a critical or high vulnerability on a system may exist for no longer than 12 months, at which point it may be extended upon confirmation from the hosting department that the same conditions exist as when the risk acceptance entry was created. Note that a risk acceptance entry does not prevent the system from being scanned by the vulnerability scanner on a regular basis; it creates an exception in the reporting of a specific vulnerability on a specific system during the acceptance period.

Some risk acceptances can be considered persistent. Examples are when the only mitigation for the vulnerability is a network-based ACL and that ACL exists, or when the vulnerability is a false positive caused by the test's reduced accuracy when run without local device credentials. All risk acceptances marked as persistent expire on a date in mid-August. The SOC will provide a list of the expiring persistent risk acceptances to their respective Network Contacts four weeks before expiration and will provide a simple process to extend those risk acceptances in bulk before the expiration date.