VISC Vulnerability Management Scanning Guideline

REVISION CONTROL
Document Title: VISC Vulnerability Management Scanning Guideline
Author: (not entered)
File Reference: VISC Vulnerability Management Scanning Guidelines DRAFT.docx

Revision History
Revision Date | Revised By | Summary of Revisions | Section(s) Revised
10/07/11 | Danita Leese | Copy and paste to new template | All
10/17/11 | Kerry Boyer | Added Web Application Scanning | 6

Review / Approval History
Review Date | Reviewed By | Action (Reviewed, Recommended or Approved)
02/07/2012 | VISC Governance | Approved
Last Revised: 10/07/11
Page ii
Vulnerability Management Scanning Guideline
Table of Contents
1.0 OVERVIEW ........ 4
2.0 FOCUS OF VULNERABILITY MANAGEMENT SCANNING GUIDELINES ........ 4
3.0 REQUIRED ELEMENTS ........ 4
4.0 VULNERABILITY ASSESSMENT PROFILES ........ 5
5.0 VULNERABILITY ASSESSMENT AND REMEDIATION AGREEMENT ........ 5
    5.1 Purpose ........ 5
    5.2 Scope ........ 5
    5.3 Authorization to Access Resources ........ 6
        5.3.1 Service Degradation and/or Interruption ........ 6
        5.3.2 Campus Point of Contact During Scanning Period ........ 6
        5.3.3 VISC Point of Contact During Scanning Period ........ 6
        5.3.4 Assessment Period ........ 6
        5.3.5 Reporting ........ 7
6.0 WEB APPLICATION SCANNING ........ 7
    6.1 Campus completion of the web application online request form ........ 7
    6.2 VISC production of the executive and technical report for each application scanned ........ 8
        Time line for remediation ........ 8
        Time line for campus review of scans ........ 8
7.0 AGREEMENT TO REMEDIATE FINDINGS ........ 8
8.0 FAILURE TO REMEDIATE ........ 9
9.0 PAYMENT CARD INDUSTRY (PCI) VULNERABILITY SCANNING ........ 9
10.0 STEPS TO PERFORM VULNERABILITY SCANNING AGREEMENT ........ 10
    Primary Contact: ........ 10
    Secondary Contact: ........ 10
1.0 OVERVIEW
The Virtual Information Security Center (VISC) Vulnerability Management Scanning Guideline is an extension
of the CSU Information Security Policies and Standards. It is intended to define the tools, services and
procedures used to audit participating campuses and to help them identify and remediate security
vulnerabilities. The program was created by, and is maintained and operated for, VISC participating campuses.
In particular, the program provides for the following:
• Consultation regarding the benefits of the Vulnerability Management Guidelines
• Setting up the managed tools recommended by VISC
• Initial audit of a Campus's network infrastructure through review of documents, configurations, network
  diagrams and interviews
• In-depth network-based assessment of workstations, servers, devices and the overall security of the
  network infrastructure
• Coordination, collaboration and general technical consulting before, during and after the assessment
• Follow-up documentation/reports and additional consulting as needed after the assessment
The intent of vulnerability scanning performed by the VISC is to independently identify technical
weaknesses in systems on the campus networks and to prioritize remediation based on the importance of the
affected systems. Such assessments allow campus systems to be properly updated and patched, and allow
systems containing Protected Data to be properly configured with access controls that protect against security
intrusions.
2.0 FOCUS OF VULNERABILITY MANAGEMENT SCANNING GUIDELINES
The focus of the Vulnerability Management Scanning Guideline is campus-wide; however, special attention
and prioritization will be given to the following:
1. Campuses that process University data identified and classified as “Level 1 or Level 2” data.
2. Campuses requesting additional assistance with auditing/assessing their network infrastructure or
specific devices for vulnerabilities.
3.0 REQUIRED ELEMENTS
The required elements for Vulnerability Management Scanning Guidelines include, but are not limited to, the
following:
1. A documented request by and an agreement with the Campus for a network-based or web application
Vulnerability Assessment. This will include identification of which assessment profiles the Campus
requires.
2. Timely and bi-directional coordination, collaboration and communication between VISC and the
Campus receiving the assessment.
3. Identification of and authorization to assess the range of IP addresses assigned to or “owned” by the
Campus.
4. Appropriate network and/or physical access to the Campus networks and resources, as agreed to by
both parties.
5. Sufficient notification by VISC as to when the assessment will take place, what tests will be performed
(e.g. Network or Web Application Scanning) and what source IP address range will be used in the
execution of assessment activities.
6. Appropriate documentation of findings, results and recommendations so as to facilitate the remediation
of vulnerabilities by the Campus themselves or in conjunction with other resources (e.g.
Telecommunications, Network Services, Systems, etc.), if required.
4.0 VULNERABILITY ASSESSMENT PROFILES
The following templates describe common types of security assessments that may be performed. Custom
combinations of profiles can be created as needed based upon Campus and/or VISC requests and
recommendations.
Profile 1: Network Scanning Vulnerability Assessment
Perform a network-based Vulnerability Assessment of the Campus’s network (a subset or all of the following
may be performed based upon the Campus’s needs and/or the recommendation of VISC) using the
recommended VISC vulnerability scanning tools.
Profile 2: Web Application Vulnerability Assessment
Perform a Web Application Vulnerability Assessment of the Campus’s web applications (a subset or all of the
following may be performed based upon the Campus’s needs and/or the recommendation of VISC) using the
recommended VISC vulnerability scanning tools.
5.0 VULNERABILITY ASSESSMENT AND REMEDIATION AGREEMENT
5.1 Purpose
The purpose of this document is to set forth an agreement regarding security scanning activities offered by the
VISC to the Campus. In exchange for these scanning services, the campus agrees to engage in activities for
the remediation of Critical and High Risk findings as defined in Section 7, Agreement to Remediate Findings.
Assessments may be conducted to:
• Ensure integrity, confidentiality and availability of information and resources
• Assess the campus's network devices, systems and web applications for vulnerabilities
5.2 Scope
This Agreement covers all computer and network devices owned or operated by the VISC campus. This
Agreement also covers any computer, network and mobile devices that are present on the campus’s premises,
but which may not be owned or operated by the campus. The VISC will not perform Denial of Service (DoS)
activities, and due care will be taken not to create a DoS condition on the campus network. However, VISC
makes no assurance that a networked device will not be adversely affected by assessment activities that
result in a loss of connectivity and/or the need for a system reboot.
5.3 Authorization to Access Resources
When requested, the campus's consent to access resources shall be provided to VISC staff for the purpose of
performing an assessment. The campus hereby provides its consent to allow VISC to access its networks,
firewalls and other devices as designated in this Agreement, to the extent necessary to allow the VISC to
perform the assessment and scanning activities authorized. The campus shall provide protocols, addressing
information, device configurations, policies and network connections sufficient for VISC to execute the tools
required to perform network scanning and other assessment tasks.
This access may include:
• User level and/or system level access to any computing or network device.
• Access to information (electronic, hardcopies of documentation, etc.) that may be produced,
  transmitted or stored on campus equipment or premises.
• Access to work areas (labs, offices, cubicles, storage areas, etc.).
• Access to interactively monitor and log traffic on campus networks as required and appropriate.
5.3.1 Service Degradation and/or Interruption
The network scanning or other assessment activities may affect network performance and/or availability.
The campus releases VISC of any and all liability for damages that may arise from network availability
restrictions caused by the network scanning or other assessment activities, unless such damages are the
result of VISC’s gross negligence or intentional misconduct.
5.3.2 Campus Point of Contact During Scanning Period
The campus agrees to identify a person to be available if the VISC Assessment Team has questions
regarding data discovered or requires assistance.
5.3.3 VISC Point of Contact During Scanning Period
VISC agrees to identify the personnel performing and involved in the assessment activities in the event the
campus needs to contact them. This will include e-mail and phone numbers of the personnel performing
the assessment.
5.3.4 Assessment Period
The campus and VISC Assessment Team agree to identify the allowable dates and times for the scans
and testing to take place (during normal Monday - Friday business hours), as well as what IP range the
scans will originate from if the scan originates from a remote location on campus (see end of document).
5.3.5 Reporting
VISC agrees to create a final Vulnerability Assessment findings report and deliver it to the campus within
seven business days unless otherwise noted. This report shall describe the findings and recommendations
for remediation by Campus personnel. VISC personnel will be available for assistance with explanations of
the findings and recommendations.
Note: VISC will inform the campus of any Urgent or Critical vulnerabilities found during the assessment
within 24 hours.
6.0 WEB APPLICATION SCANNING
In order to maintain the integrity and security of web applications at California State University Campuses, the
VISC uses the Acunetix web scan application. This tool can scan your application for a multitude of potential
breach points such as SQL injection, cross-site scripting, web security, directory traversal, Ajax application
security, and Google hacking, to name a few.
Use the request form for all scan requests, as the tool can only scan one application at a time and scans must
be coordinated with the campus web team. Once the scan request has been received, a member of the VISC
Scan Team will contact you to schedule the scan. The VISC Scan Team replies to scan requests within two
business days.
The Acunetix tool is very aggressive and performs a scan similar to an actual attack. It is imperative that the
system you are requesting be scanned is a non-production system. The VISC Scan Team recommends that
the application run on a VM, as this allows a snapshot of the configuration to be used to restore the system
and application after a scan. If a VM is not available, a recent backup taken within 24 hours of the scan is
recommended.
If the application requires user accounts to be accessed, the VISC Scan Team will need to have accounts
created so that the scanner can reach the appropriate areas. Temporary accounts will need to be
created in both user and power user roles so that the scanner can test the appropriate security settings.
Appropriate firewall exceptions must be put in place to allow the Acunetix scanner to access the
requested web application. These exceptions should be coordinated with the campus networking team, and
with the operating system team if host-based rules are deployed. In most cases this means allowing ports 80
and 443 from the appropriate VISC scanner.
6.1 Campus completion of the web application online request form
• Identify the campus being scanned.
• Identify staff members to receive the vulnerability report.
• Identify the URL of the application.
• Verify there is a current backup on file.
• Provide temporary user and/or power user level accounts.
• Verify that the application is a test or non-production application.
• Confirm date and time for scan windows.
6.2 VISC production of the executive and technical report for each application scanned
Timeline for remediation
The VISC Scan Team uses the Open Web Application Security Project (OWASP) Top 10 Application
Security Risks for mitigation and remediation timelines. The following link provides more information
on the OWASP standard:
https://www.owasp.org/index.php/Top_10_2010-Main
Timeline for campus review of scans
The Campus must review the scans within three business days and provide feedback. Note: If false
positives are found, VISC requires written proof justifying the false positive(s).
7.0 AGREEMENT TO REMEDIATE FINDINGS
All remediation activities are the responsibility of the campus, and remediation shall be performed by the
campus or the campus’s designee. The Campus has engaged VISC to perform the assessment and agrees to
complete the following remediation activities consistent with the campus Change Management process. The
following are VISC suggested corrective timeframes based on criticality but are not meant to supersede current
campus Change Management processes. The Campus has the option to accept the risk imposed by this
vulnerability and refrain from fixing it or implementing a mitigating control based on Change Management
processes or operational priorities.
1. The VISC recommends that all Urgent Severity Vulnerability findings should be addressed within 2
business days or remediated consistent with the current campus Change Management process.
2. The VISC recommends that all Critical Severity Vulnerability findings should be addressed within 5
business days or remediated consistent with the current campus Change Management process.
3. The VISC recommends that all Serious Severity Vulnerability findings should be addressed within
20 business days or remediated consistent with the current campus Change Management process.
4. The VISC recommends that all Medium & Low Severity Vulnerability findings should be addressed
within 120 business days or remediated consistent with the current campus Change Management
process. The Campus has the option to accept the risk imposed by this vulnerability and refrain from
fixing it or implementing a mitigating control.
An Urgent Severity Vulnerability finding is one that imposes serious and immediate risk upon the Campus
and/or University and exists on a device that contains personal data such as social security numbers, or is
associated with an “essential” device (e.g. a domain controller or mail server) infected with spyware or
malware.
Note that it is the existence of personal data on a machine that has a High vulnerability that elevates the
vulnerability to Urgent, not simply the existence of personal data on a device.
1. Any vulnerability will be deemed Urgent if it fails a compliance test (such as HIPAA or PCI).
2. Any vulnerability that could lead to a loss of personal information (such as social security numbers
stored on a particular server).
3. Services that are accessible from the Internet that provide open access for unauthorized users (e.g. an
open mail relay to the internet, a telnet server with a weak or no password on a default account, etc.).
A Critical Severity Vulnerability finding is one that imposes serious but not immediate risk upon the
Campus and/or University. One such example is a workstation infected with a virus or spyware, or a
misconfigured firewall allowing inappropriate access to sensitive data that has other security controls
that prevented it from being accessed.
A Serious Severity Vulnerability finding is one that imposes moderate risk upon the Campus and/or
University, such as illegally downloaded copyrighted material found on a server, or unlicensed
software installed on a server.
A Medium & Low Severity Vulnerability finding is one that imposes some risk upon the Campus
and/or University, but is not significant enough to require immediate attention and can be scheduled
for future upgrades or maintenance windows. One such example would be a computer running
Windows NT 4.0 without a host-based firewall installed (as Windows 2003, XP and Vista support
natively).
8.0 FAILURE TO REMEDIATE
Urgent, Critical and Serious Severity Vulnerability findings represent significant exposure to the Campus and
University, and require immediate attention.
Failure to take the remedial action identified in this agreement could substantially increase risk and exposure
to the community at large. Failure to remediate in a timely manner may also expose the Campus’s
environment to compromise across those systems identified in the Assessment.
9.0 PAYMENT CARD INDUSTRY (PCI) VULNERABILITY SCANNING
PCI vulnerability scanning is required for all PCI merchants. Perform internal and external network vulnerability
scans at least quarterly and after any significant change in the network. After passing a scan for initial PCI
DSS compliance, an entity must, in subsequent years, pass four consecutive quarterly scans as a requirement
for compliance.
Per PCI, an Approved Scanning Vendor (ASV) must perform quarterly external scans. Qualys is an ASV that
will let us run the scans and then submit them for attestation. Qualys will need at least three (3) business days
lead time to review and approve any reports submitted for attestation.
For VISC to provide PCI vulnerability scanning, each request must follow these guidelines:
• A campus must define for VISC the devices that are in scope.
• A campus must send VISC the list of in-scope IP addresses to be scanned.
• A campus must indicate if PCI systems are segmented.
• A campus must provide dates and times within the quarter (not more than three weeks before the end
  of the quarter).
• VISC will perform the quarterly scans of the campus devices that are in scope.
• VISC will produce executive and technical reports for each PCI scan.
• VISC will review the reports within three business days.
• Campus must review the scans and provide feedback. Note: If false positives are found, VISC
  requires, in writing, proof of the justified false positive(s). This information will help the attestation
  process.
• When a campus agrees to either passed PCI reports or failed PCI reports with exceptions noted, VISC
  will submit the external PCI reports to Qualys for attestation. Note: Be aware that Qualys will not take
  any failed reports unless all of the failed vulnerabilities can be justified.
10.0 STEPS TO PERFORM VULNERABILITY SCANNING AGREEMENT
Contact the Lead for the specific vulnerability scanning assessment that is required:
For Network-based vulnerability scanning assessments, please contact the following:
Primary Contact:
Leigh Lopez
Email: leigh.lopez@csun.edu
Phone: (818) 677-3908
Secondary Contact:
Adam Cook
Email: adam.cook@csus.edu
Phone: (916) 278-2266
If neither responds within 48 hours, please contact: Kerry Boyer, visc@calstate.edu.
For Web Application vulnerability scanning assessments, please use the following URL:
http://www.csus.edu/irt/is/services/webapplicationscan.html or contact the following:
Primary Contact:
Adam Cook
Email: adam.cook@csus.edu
Phone: (916) 278-2266
Secondary Contact:
Leigh Lopez
Email: leigh.lopez@csun.edu
Phone: (818) 677-3908
If neither responds within three business days, please contact: Kerry Boyer, visc@calstate.edu.
The lead or secondary contact will respond in a timely manner.