Critical Server Scan Process

The University scans critical University servers using a commercial network-based software product (Qualys scanner). The goal of the scans is to reduce the vulnerability of University computers and the network to hacking, denial of service, and other security risks from both inside and outside the University. To make best use of scarce resources, higher risks are given priority, but other important servers are also scanned.

The considerations and criteria used to help identify critical servers include:

  • Number of users (i.e., a large number of users)
  • Stores critical information (e.g., grades, social security numbers)
  • High availability / maximum uptime (e.g., 24 x 7 availability, little downtime tolerated)
  • Financial impact due to downtime (i.e., thousands of dollars)
  • Downtime would damage the reputation of the University
  • Difficult to resume operation if data is lost or corrupted (e.g., many coordination and synchronization issues)
  • Backup and retention needs (e.g., daily backup with retention greater than 1 year)

Examples of critical servers:

  • Enterprise-level services that are used by all campuses or are significant to one or more campuses
  • Servers storing a significant amount of legally protected data
  • Servers whose availability is critical or important
  • Designated credit card processing servers
  • Important collegiate and departmental servers
  • Servers covered by disaster recovery plans

For more information on identifying critical servers, see http://www.umn.edu ssLINK/OIT__12594_REGION1.

The University uses the network-based Qualys scanning tool. The scanner actively probes for computer vulnerabilities. The tool performs a multi-level scan against a large database of known security weaknesses to identify common system vulnerabilities, many of which are caused by oversights such as misconfiguration or missing patches. Many of these vulnerabilities are also covered by CERT, CIAC, and SANS security advisories.

The tool provides a detailed security report, often including specific instructions on how to fix or reduce each vulnerability. The vulnerabilities are categorized by risk.

Qualys Scan Tool

The Qualys scan tool identifies each vulnerability and classifies it as confirmed, potential, or information. Within each category there are 5 severity levels. High-risk vulnerabilities (confirmed levels 4 and 5) must have their risk mitigated (i.e., by patching or configuration changes, by another compensating control, or by being documented as a false positive). In addition, it is recommended that the other vulnerabilities be reviewed and risk assessed, especially potential levels 4 and 5.

OIT Security and Assurance provides oversight for the scan process and reports summary results to University administration on a quarterly basis.

The Qualys scan process is a self-scan and reporting process:

  • Schedule scan -- Tech support staff schedule vulnerability scans at least monthly for the critical servers in their area.
  • Review results -- Tech support staff review the scan results. If high-risk vulnerabilities are found, tech support staff must fix the vulnerability or document why it cannot be fixed or does not apply. OIT Security and Assurance is responsible for reviewing and assessing all vulnerabilities that cannot be fixed or do not apply.
  • Re-scan if necessary -- Tech support staff can schedule re-scans to verify that the vulnerabilities have been fixed.
  • Reporting -- University-wide reporting is cut off at the end of each calendar quarter (9/30, 12/31, 3/31, 6/30). Tech support staff should complete scans early enough to leave time to address vulnerabilities before the cut-off.
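As an added illustration of the triage rule and quarterly cut-off described above (example code written for this page, not a University or Qualys tool; the finding fields, mitigation labels and sample results are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Accepted ways to close a confirmed high-risk finding under the process above
VALID_MITIGATIONS = {"patch", "configuration", "compensating_control", "false_positive"}

@dataclass
class Finding:
    qid: str                          # detection id (constructed, not a real Qualys QID)
    host: str
    kind: str                         # "confirmed", "potential" or "information"
    severity: int                     # Qualys level 1..5
    mitigation: Optional[str] = None  # how the finding was closed, if at all
    note: str = ""                    # justification, required for false positives

def triage(f: Finding) -> str:
    """Map one finding to the action the scan process requires."""
    if f.kind == "confirmed" and f.severity >= 4:
        # High risk: must be patched/reconfigured, compensated, or documented as a false positive
        documented = f.mitigation != "false_positive" or bool(f.note.strip())
        if f.mitigation in VALID_MITIGATIONS and documented:
            return "closed"
        return "must_mitigate"
    if f.kind == "potential" and f.severity >= 4:
        return "review"               # risk assessment recommended
    return "other"                    # lower priority, review as resources allow

def quarter_cutoff(d: date) -> date:
    """Reporting cut-off: last day of the calendar quarter containing d."""
    month = ((d.month - 1) // 3 + 1) * 3
    return date(d.year, month, {3: 31, 6: 30, 9: 30, 12: 31}[month])

def summarize(findings, today: date) -> dict:
    """Counts per action plus the days left before the quarterly cut-off."""
    counts = {"must_mitigate": 0, "review": 0, "closed": 0, "other": 0}
    for f in findings:
        counts[triage(f)] += 1
    counts["days_to_cutoff"] = (quarter_cutoff(today) - today).days
    return counts

# Constructed sample results, not real scanner output
SAMPLE = [
    Finding("QID-1", "srv-a", "confirmed", 5),                    # open, must fix
    Finding("QID-2", "srv-a", "confirmed", 4, "patch"),           # closed
    Finding("QID-3", "srv-b", "confirmed", 4, "false_positive"),  # undocumented, still open
    Finding("QID-4", "srv-b", "confirmed", 4, "false_positive", "port not reachable"),
    Finding("QID-5", "srv-c", "potential", 5),                    # review recommended
    Finding("QID-6", "srv-c", "confirmed", 2),                    # lower priority
]
```

Calling `summarize(SAMPLE, date(2024, 11, 15))` reports two findings that must still be mitigated (one of them a false positive with no justification on file) and 46 days before the 12/31 cut-off.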

To request access to the Qualys scanner, send e-mail to oit.security@umn.edu.

OIT Security coordinates the external vulnerability scan for servers involved in credit card processing, which must meet the Payment Card Industry (PCI) scanning requirement.