Vulnerability Management
Overview
Vulnerability management encompasses the continual effort to identify, analyze, and eliminate vulnerabilities that exist within an organization’s network. Skilled attackers exploit vulnerabilities to carry out malicious activity, so prompt action on discovered vulnerabilities is essential to keep such attacks from succeeding.
This KB article will explain the various components that are implemented by UTS to support vulnerability management and what’s expected from application/system administrators and owners.
Roles and Responsibilities
UTS Information Security team:
- The UTS Information Security team is the owner of the vulnerability management program and oversees its implementation. The Information Security team will initiate inquiries into discovered vulnerabilities that pose sufficient risk to University systems. Additionally, the Information Security team will monitor and act upon vulnerability advisories received from trusted partners, government agencies, and other reliable sources. In accordance with University policy, the Information Security team is authorized to disconnect or quarantine any vulnerable system from the University network until the identified vulnerability is properly mitigated.
Application/System Owners:
- The application/system owner is responsible for the technology asset that is being scanned by the vulnerability management program. It is the responsibility of the application/system owner to decide what action will be taken once a vulnerability has been identified and evaluated. If an application/system owner wants to accept the risk associated with a vulnerability, it is their responsibility to work with the Information Security team to develop a risk acceptance plan.
Application/System Administrators:
- Application/System administrators perform analysis on identified vulnerabilities and implement corrective actions for technology assets they administer. In accordance with University policy, it is the responsibility of the application/system administrator to ensure the latest security patches are installed on a timely basis. For servers that are managed by multiple application/system administrators, the Information Security team will make a best-effort attempt to notify the appropriate administrators about notable vulnerabilities based on the server layer (e.g. hardware, operating system, application, etc.) in which the vulnerabilities were discovered. Additionally, the application/system administrator will monitor and act upon vulnerability advisories received from vendors. Information concerning a vendor security advisory will be shared with the Information Security team.
Vulnerability Scan Types
UTS offers the following types of vulnerability scans:
System scan:
- A system scan checks a target system for vulnerabilities that arise from installed software at vulnerable versions. It does so by comparing the output of various administrative commands against vulnerability signatures created by the scan vendor; if a condition in a signature is met, a vulnerability is reported. These scans are passive in nature, as the scanner does not attempt to exploit vulnerabilities.
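The following is an added example, not UTS or scan-vendor code, of the passive "command output versus signature" check a system scan performs. The package-list text, the package names and versions, and the signature identifiers are all constructed for illustration, and the version comparison is a simplified numeric one rather than a distribution's full algorithm.

```python
"""Toy passive version-signature matcher (added example, not UTS or vendor code).

Models the system-scan step of comparing the output of an administrative
command (here, a package inventory) against vendor-style vulnerability
signatures. Nothing here sends traffic to the target; it only reads inventory.
"""
from dataclasses import dataclass
import re

# Constructed sample resembling `dpkg-query -W -f '${Package} ${Version}\n'`
# output. Package names and versions are illustrative only.
SAMPLE_OUTPUT = """\
openssl 1.1.1f-1
nginx 1.18.0-6
bash 5.0-6
curl 7.68.0-1
"""

@dataclass(frozen=True)
class Signature:
    sig_id: str         # placeholder id, not a real advisory number
    package: str
    fixed_version: str  # first version in which the flaw is fixed
    severity: str       # qualitative rating as a scan vendor might label it

# Constructed signatures: "package is vulnerable when installed below fixed_version".
SIGNATURES = [
    Signature("SIG-EXAMPLE-0001", "openssl", "1.1.1g-1", "High"),
    Signature("SIG-EXAMPLE-0002", "nginx", "1.18.0-6", "Medium"),
    Signature("SIG-EXAMPLE-0003", "curl", "7.70.0-1", "Low"),
]

def parse_package_list(text):
    """Turn 'name version' lines into a dict; blank or malformed lines are skipped."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        installed[parts[0]] = parts[1]
    return installed

def version_key(version):
    """Simplified comparison key: split on '.', '-' and '+', compare numeric
    runs as integers and alphabetic runs as text. A real scanner would use
    the platform's own version-ordering rules (epochs, '~', and so on)."""
    key = []
    for part in re.split(r"[.\-+]", version):
        for chunk in re.findall(r"\d+|[A-Za-z]+", part):
            if chunk.isdigit():
                key.append((0, int(chunk), ""))   # numbers sort before letters
            else:
                key.append((1, 0, chunk))
    return tuple(key)

def match_signatures(installed, signatures):
    """Report each signature whose package is installed below its fixed version."""
    findings = []
    for sig in signatures:
        current = installed.get(sig.package)
        if current is None:
            continue  # package absent: the signature condition is not met
        if version_key(current) < version_key(sig.fixed_version):
            findings.append({
                "id": sig.sig_id,
                "package": sig.package,
                "installed": current,
                "fixed_in": sig.fixed_version,
                "severity": sig.severity,
            })
    return findings

def scan(text=SAMPLE_OUTPUT, signatures=SIGNATURES):
    """Run the passive check over one inventory and return the findings."""
    return match_signatures(parse_package_list(text), signatures)

if __name__ == "__main__":
    for f in scan():
        print(f"{f['severity']:<7} {f['id']} {f['package']} {f['installed']} "
              f"(fixed in {f['fixed_in']})")
```

On the constructed input this reports openssl and curl but not nginx, which is already at the fixed version. A version-only check cannot see a fix that a distribution backported without changing the version string, which is one reason the workflow below has application/system administrators review the scan report rather than acting on it unread.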
Web application scan:
- A web application scan will scan a target system that is hosting a web service for vulnerabilities. In addition to comparing reported software versions against vulnerability signatures, the web application scanner will also attempt to identify vulnerabilities by simulating common web application attacks against the target system. Included in these checks are the OWASP Top Ten application security risks and SANS Top 25 software errors. If the scanner is able to demonstrate a successful proof-of-concept attack, then a vulnerability will be reported. These scans are active in nature as they try to exploit vulnerabilities.
Expectations and Standards
New Server Builds
New servers will be included in the vulnerability management program as part of the server commissioning process. New servers will receive initial vulnerability scans as applicable. Any High or Critical vulnerabilities reported in an initial scan must be addressed before a new server can be moved into production.
Scan Scheduling and Frequency
Vulnerability scans will be scheduled to run outside of core business hours so as to not negatively affect business operations. Scans will be scheduled to run once a month unless a greater frequency is requested. Application/System owners will receive a system-generated email when a scan has completed.
The Information Security team reserves the right to run vulnerability scans on an ad-hoc basis during core business hours if needed.
Scan and Remediation Workflow
The following workflow will be adhered to once a scan has been configured:
1) Scan: A scheduled vulnerability scan will run and produce a report.
2) Identify/Analyze: The Information Security team will triage and perform an initial assessment on notable vulnerabilities reported.
   - Application/system administrators will also review vulnerability scan reports.
   - A UTS ticket will be created with the application/system administrator as the ticket contact.
   - The Information Security team may engage a subject-matter expert and/or the Security Advisory Group to better assess the vulnerability.
3) Determine Action: The Information Security team will work with application/system administrators and owners to determine a plan of action:
   - Remediate: A vendor-supplied patch will be installed to prevent exploitation of the vulnerability.
   - Mitigate: A vendor-recommended workaround will be implemented to prevent exploitation of the vulnerability until it can be remediated with a patch.
   - Accept: No action will be taken to prevent exploitation of the vulnerability; it will be documented that the application/system owner accepts the associated risk.
     - Risks that are accepted will be documented in a UTS ticket and added to the UTS Risk Register.
4) Implement Corrective Action: Remediating or mitigating actions will be implemented within the agreed time frame.
5) Rescan: Another vulnerability scan will be performed to ensure discovered vulnerabilities have been successfully addressed.
   - The respective UTS ticket will be resolved after a successful rescan.
Timeframes for Corrective Action
Implementation of corrective action begins once a decision is made to either remediate (patch) or mitigate (apply a workaround) a vulnerability. Vulnerable systems that are subject to compliance standards, such as PCI-DSS, are subject to the remediation timeframes specified in the relevant standard (e.g. 30 days to remediate a critical vulnerability). For systems that do not fall under a compliance standard, the Information Security team will work with application/system owners to schedule a date for implementing remediating actions that takes best practices, risk level, current trends, and business impact into consideration. In severe cases, disconnection of the affected system from the network will be necessary until the vulnerability is sufficiently remediated or mitigated.
Vulnerability Scoring
The Information Security team will adhere to NIST's Common Vulnerability Scoring System (CVSS) version 3.0 when evaluating and prioritizing reported vulnerabilities.
Additional Considerations
Please contact [email protected] with any additional questions or concerns about the vulnerability management process.
References
Oakland University Policy 850 Network Infrastructure Policy: https://www.oakland.edu/policies/information-technology/850/
Oakland University Policy 860 Data Management and Information Security: https://www.oakland.edu/policies/information-technology/860/
Oakland University Policy 880 System Administration Responsibilities: https://www.oakland.edu/policies/information-technology/880/
UTS Security Baselines: https://kb.oakland.edu/uts/Security_Baselines
UTS Risk Classification: https://kb.oakland.edu/uts/Security_Risk_Classification
NIST National Vulnerability Database: https://nvd.nist.gov/vuln-metrics
OWASP Top Ten: https://owasp.org/www-project-top-ten/
SANS Top 25 Software Errors: https://www.sans.org/top25-software-errors