Vulnerability management

Overview

In IT security, vulnerabilities are the weaknesses exist in a system that renders it susceptible to attacks, causing security threats to an organization. The system can be any application, any server running a particular server OS version, any desktop running a desktop OS version, or any network appliance. Identifying these vulnerabilities at early stage enables system administrators to apply patches or fixes to protect the systems from any possible intrusions targeted at these weaknesses.

A systematic Vulnerability Management is therefore crucial in computer and network security protection and risk mitigation. Following security best practices, the University will conduct a series of Vulnerability Management exercises starting from 22 March 2016, with the help of market proven vulnerability scanner(s).

Vulnerability management cycle

A vulnerability management exercise will be conducted against an identified network range in a continuous cycle which includes the following activities: assets discovery, vulnerability identification, vulnerability prioritization, vulnerability remediation and vulnerability monitoring. The cycle is performed on a round robin basis.

Assets discovery and vulnerability identification

The vulnerability scanner has the ability to discover systems within a targeted network range, such as applications, databases and file servers. The scanner also consists of a set of program logics which verifies the presence of known vulnerabilities in the targeted systems, corresponding to the CVE (MITRE Corporation's Common Vulnerabilities and Exposures). CVE is a dictionary of publicly known information security vulnerabilities and exposures. To ensure the accuracy and completeness of scan results, the scanner will be updated continuously so that it could scan for the latest known vulnerabilities in the CVE.

During a scan, the scanner discovers systems in the targeted network range and then identifies the known vulnerabilities in the discovered systems.

Vulnerability prioritization

The identified vulnerabilities are prioritized according to their exploitability, severity and then scored them using MITRE's Common Vulnerabilities Scoring System (CVSS).

The Information Security Unit (ISU) will then summarize the results into reports and deliver them to the system owners/administrators or the desktop users of the corresponding systems or desktop for their actions. To view the complete result of a vulnerability scan, system administrators can also request to visit the management interface of vulnerability scanners.

Vulnerability remediation

When system administrators or desktop users are given the vulnerabilities status of their systems, they are recommended to work with vendors and/or system owners to confirm the vulnerabilities, the urgency and value of mitigation.

To protect themselves and the University, system administrators or desktop users shall remediate the vulnerabilities or mitigate the vulnerability by other controls, so that the risk is diminished to an acceptable level. In considering whether a known risk is acceptable, the system administrator or desktop user is advised to explain and discuss with system owners and ISU.

Remediation steps are available in the report or at the management interface of vulnerability scanners.

Vulnerabilities monitoring

To help system administrators to identify any new vulnerabilities and to monitor the remediation status, ISU will conduct vulnerability scan on round robin basis and will generate trend reports regularly.

Frequently asked questions

1. Will there be any service impact to the server and network? Will this utilize network and server resources?

The vulnerability scanner used are market proven. Non-intrusive approach will be adopted that does not interrupt servers' services. When scanning is performed over the network, unpreventably, minimal network and/or server resources will be consumed. To further minimize the resource utilization, the scanner is configured to scan limited number of servers and perform limited number of processes on each server at a time.

2. What will be scanned?

The scanner identifies the external weaknesses of the systems. It will first discover all online systems, including desktops and servers, by sending network requests and examining the response of the target systems. The scanner will then look up the opened services from which known vulnerabilities in those online systems will be identified.

3. Could internal weakness be scanned?

Yes but only with consent from system owners. If the system owners need to obtain accurate vulnerability information about their systems and installed software, including configuration issues, they shall request for an authenticated scan. For servers which have been block from network access for being intruded or infected, an authenticated scan is mandated before resuming services.

4. What will not be scanned?

All types of vulnerability scanning DO NOT involve any user data. In other words, all your data in databases, emails, documents are left untouched.

5. When will the scan be conducted?

The scan will be conducted during office hours.

6. Will the performance of targeted systems be affected during a scan?

No. The scanner is tuned so that only a small number of scan processes will be targeted at each system.

7. Is it a must to remediate all identified vulnerabilities?

All vulnerabilities with "Critical" or "HIGH" level must be remediated. To safeguard your systems and the other systems in University, it is highly recommended to remediate all identified vulnerabilities with best effort. System owners/administrators or desktop users shall refer to the vulnerability reports to prioritize and plan a remediation.

8. Are there assistances for remediating the vulnerabilities?

Central IT will be available for providing assistance and advises on a network and operating systems level problem. However, computer systems are much more than network and operating systems. The most valuable part is the application which is programmed with business logics.

When planning a server remediation, system owners/administrators shall also work with corresponding developers and vendors, so as to confirm the identified vulnerabilities are applicable to the systems and manage accordingly.

9. How frequent is the scan?

A scan is performed on round robin basis. A full scan of the campus network and vulnerability trend analysis is performed regularly, at least once every three months (or more frequently if situation allow).

10. Who can perform vulnerability scan?

With reference to the "Vulnerability Management Standard" of the University, the ISU of the OCIO and the CSC are authorized to conduct network vulnerability scanning.

The University authorized the Information Security Unit (ISU) within the Office of Chief Information Officer (OCIO) and the Computer Service Centre (CSC) to conduct "network vulnerability scanning" on systems connected to the University's networks to identify vulnerabilities.

With reference the "Network and Platform Security Standard" of the University, the ISU of the OCIO and are CSC are authorized by Information Strategy and Governance Committee to perform vulnerability scanning (which is an element in security assessment) in the University's IT environment:

ISU and CSC are authorized to conduct security assessment on any IT components on the University's network to ensure that these components do not impair the security level of the University's IT environment.

Network scanning and port scanning, is also governed by the "Policy on Use of IT Services & Facilities - (2) Campus IT Network Regulations":

9. Without prior approval from Central IT, users must not perform network scanning or port scanning on the campus network.

However, system owners are allowed to conduct host scanning and application scanning on their systems.

11. How to distinguish a legitimate scan and an offensive scan?

The vulnerability scanners of ISU are assigned with a static IP addresses:

144.214.191.25
144.214.191.26
144.214.9.100
144.214.9.101

Any scan from other IP addresses is considered as offensive, unless it is authorized with prior approval.

12. Can I request a vulnerability scan?

Owners or system administrators are welcome to raise a request to the ISU for conducting a tailored vulnerability scan of the environment. The ISU will handle the requests subject to available resources.

13. Who can access the vulnerability scan result?

Management of the University, authorized personnel in Central IT and system owners receiving the scan summaries and/or results. As vulnerabilities are considered as threats, the scan result shall not be shared with un-authorized parties.

Contact Us

Should you have any enquiries regarding Vulnerability Management, please feel free to contact us at infosec@cityu.edu.hk.