The scanning tool actively probes for system vulnerabilities. It performs a multi-level scan using an extensive database of known security holes to identify common system vulnerabilities. Many of the vulnerabilities are included in the CERT, CIAC and SANS advisories.
The scanning tool produces a detailed security report, often including detailed instructions on how to remediate or mitigate the identified vulnerability.
The tool assigns a vulnerability category and a severity level for each vulnerability detected. Vulnerability categories are:
The vulnerability classification helps to prioritize scan results. A severity level indicates the security risk posed by exploitation of the vulnerability and its degree of difficulty.
Information Security may coordinate and conduct scheduled, non-credentialed monthly scans to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University. The vulnerability assessments will include selective probes of communication services, operating systems and applications to identify high-risk system weaknesses that could be exploited to gain unauthorized access to UTPA’s network and data. Information gathered will be used for network management, including notifying departments and server administrators of vulnerabilities, determining incorrectly configured systems, validating firewall access requests and gathering network census data.
The scheduled scan process involves five possible steps:
Information Security may conduct unscheduled scans to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University, or to investigate a security incident.
After a system administrator is notified by Information Security that a scan has identified vulnerabilities identified, corrective action must be taken within the following timelines. The timelines are also recommended for vulnerabilities identified by system administrators.
Within 24 hours
Within 48 hours
After 48 hours
Within 5 days
Within 10 days
After 10 days
At System Administrator’s discretion
The System Administrator will document any high-risk or important vulnerabilities remaining un-remediated past the timelines established in section 4. If it is determined that corrective action cannot or should not be taken, an exception must be approved by the CISO in accordance with the Exceptions Procedure.