Vulnerability Scanning Procedures and Guidelines
To provide a common set of methodologies and requirements to standardize vulnerability scans on campus systems, applications, and networking infrastructure.
Vulnerability scans provide critical information to the Information Security Office and management as part of the risk assessment process for campus systems. There are three types of vulnerability scans in use at Sacramento State.
Vulnerability scans also provide a mechanism for system administrators to assess the security posture of the servers they manage, by probing the system for open ports, services, applications, and operating system patch levels. Open ports are queried for information regarding what services are listening, and each service is compared against a database of known vulnerabilities or issues. System Administrators can utilize vulnerability scan reports to assess the security posture of their system, and outline remediation tasks required to bring their system into compliance.
A discovery scan involves scanning the campus network for connected systems and identifying services these systems provide. Discovery scans are lightweight scans that do not analyze discovered services for vulnerabilities or exploits. The Information Security Office performs periodic discovery scans of all server subnets on campus as well as on-demand scans.
A vulnerability scan examines information provided by discovery scans, and performs a more in-depth scan against a designated system or network. The campus scanner then compares these results against an industry-vetted database of vulnerabilities and exploits. The vulnerability scan then provides a report to the Information Security Office. The Information Security Office may provide vulnerability reports to System Administrators and System Owners upon written request.
The Information Security Office performs monthly security baseline scans against all systems to establish a security baseline for campus. These scans inspect identified services for potential vulnerabilities using only industry-tested, low-impact, and non-intrusive methods.
Intrusive Scans and Penetration Testing
Intrusive scans and penetration testing are scans that actively attempt to verify vulnerabilities discovered on a system. The Information Security Office performs intrusive scans using the campus vulnerability scanner. These tests perform penetration tests using a variety of security tools. The Information Security Office will coordinate in writing with support personnel prior to running either of these scans. The Information Security Office will provide written reports to the appropriate individuals upon the completion of these scans.
Authorized Vulnerability Scanners
The Information Security Office provides vulnerability scanning as a service to the campus community. The Information Security Office can provide a detailed report of the monthly scans of the systems.