Network Vulnerability Assessment
Self-Service/Automated Security Vulnerability Assessment Program
| Field | Value |
|---|---|
| Title | Self-Service/Automated Security Vulnerability Assessment Program (ID: EPS177) |
| Author(s) | Thomas R. Davis (Indiana University) |
| Origin | Contributed by Organizations or Campuses (2003) |
| Type | Effective Practices |
| Abstract | Indiana University is comprised of eight campuses with approximately 60,000 system-wide networked devices. We absolutely subscribe to the view that organizations should be scanning their systems for vulnerabilities just as the potential intruders do. We established a relationship with Internet Security Services (ISS) many years ago, and purchased a license to use their Internet Scanner on our campuses. However, we needed to make this scanner available to technicians, while maintaining some level of control (for licensing and in order to maintain an understanding of the overall security situation at the university). We also wanted to make it easy to implement mandatory periodic or ad hoc scanning. So, we implemented a Web-based security vulnerability assessment application that provides individual technicians the ability to perform vulnerability scans of their systems, either by request or periodically and automatically. |
Collaborative Information Security Project – Vulnerability Assessments
| Field | Value |
|---|---|
| Title | Collaborative Information Security Project – Vulnerability Assessments (ID: EPS192) |
| Author(s) | Javier Torner (California State University, San Bernardino) |
| Origin | Contributed by Organizations or Campuses (2004) |
| Type | Effective Practices |
| Abstract | In 2001, five California community colleges and state universities began collaborating to address mutual security needs through a Title V grant. These institutions first came together as members of a national, 35-college consortium called Advanced Networking for Minority Serving Institutions (AN-MSI). Realizing that we were grappling with a common set of IT security problems, we joined together to develop solutions. This effort was led by William Aguilar, vice president of Information Resources and Technology at California State University, San Bernardino, with strong support from Michael Berman, vice president for Instructional and Information Technology at California State Polytechnic University at Pomona; Peter Quan, vice president for Information Technology Services from California State University, Los Angeles; Jerry Nogy, vice president for Information and Educational Technology at Mt. San Antonio College; and Ramiro Sanchez, executive vice president for Student Learning at Oxnard College. This initiative has resulted in an overall increase in security and awareness on all five participating campuses. |
Five-Year Rotating Audit Focus Based on Risk Assessment at Georgia Tech
| Field | Value |
|---|---|
| Title | Five-Year Rotating Audit Focus Based on Risk Assessment at Georgia Tech (ID: EPS199) |
| Author(s) | Philip W. Hurd (Georgia Institute of Technology) |
| Origin | Contributed by Organizations or Campuses (2004) |
| Type | Effective Practices |
| Abstract | Georgia Tech operates one of the most complex networks in the world. The institute has more than 30,000 machines accessing the backbone daily. Most legacy, state-of-the-market, and state-of-the-art architectures are present in some form on our campus network. The risk of compromise and loss of intellectual property is constantly a focus of the information systems audit function. The Department of Internal Auditing has been charged with reviewing each department and administrative area at the Georgia Institute of Technology within a five-year time frame. To accomplish this, the department divided Georgia Tech into approximately 134 auditable entities. Annually, the University System of Georgia Board of Regents conducts a risk assessment of all critical systems across the 34 institutions that comprise the USG. Each member university is asked to complete the assessment. This assessment is focused at an enterprise-level university system and, upon completion, points to those systems/areas that are due audit attention. |
Lessons Learned from RIT’s First Security Posture Assessment
| Field | Value |
|---|---|
| Title | Lessons Learned from RIT's First Security Posture Assessment (ID: EPS197) |
| Author(s) | James H. Moore (Rochester Institute of Technology) |
| Origin | Contributed by Organizations or Campuses (2004) |
| Type | Effective Practices |
| Abstract | Rochester Institute of Technology (RIT) is the 11th largest private university in the United States with approximately 22,500 hosts on our network. We have one of the largest computer science and information technology programs in the nation, with 3,000 full-time students currently enrolled and 4,500 students projected within the next five years. Concern has been growing within RIT regarding the increasing number of security threats and legal privacy mandates such as the Gramm-Leach-Bliley Act (GLBA) and Family Educational Rights and Privacy Act (FERPA). In 2002, I discussed with the director of risk management and the VP of finance and administration the need to uncover technology and security gaps. I brought up that the proper context for evaluating security technology and gaps could not exclude the people and processes, which are more accurately measured during a security posture assessment. The classic capability maturity model (CMM) triad consists of people, technology, and processes. We decided to locate an objective outside vendor to conduct a campus-wide security posture assessment. |
The Vulnerability Scanning Cluster
| Field | Value |
|---|---|
| Title | The Vulnerability Scanning Cluster (ID: EPS188) |
| Author(s) | Matthew Wirges (Purdue University) |
| Origin | Contributed by Organizations or Campuses (2004) |
| Type | Effective Practices |
| Abstract | The Security and Policy organization at Purdue University originally made vulnerability scanning services available to systems administrators in order to help them identify the weaknesses within the systems they manage. This service was very rudimentary; an administrator would send a request to a security and policy analyst who would perform the scan in the evening and then e-mail the results to the administrator. These scans were performed by a single desktop workstation using the ISS Internet Scanner software. As time progressed, more and more administrators required scans to help comply with various federal and state regulations and university policies. Since vulnerability scanning software requires a significant amount of processing and network resources, this was quickly eating up large amounts of time for the analysts administering the scans. To address this, Security and Policy initially tried to implement Scanager, a Web interface from Indiana University, for the ISS Internet Scanner. To help with this, Security and Policy teamed up with Dr. |
Integrating Vulnerability Scanning with Web Authentication
| Field | Value |
|---|---|
| Title | Integrating Vulnerability Scanning with Web Authentication (ID: EPS249) |
| Author(s) | Robert Ono (University of California, Davis) |
| Origin | Contributed by Organizations or Campuses (2004) |
| Type | Effective Practices |
| Abstract | During fall 2003, a large-scale Internet worm (W32.Blaster) exploited a widely known Windows operating system vulnerability throughout academic institutions in the United States. This worm infection presented serious risks to the integrity and availability of computing systems attached to the campus network. In response to this vulnerability, UC Davis developed and implemented several emergency measures to identify susceptible Windows remote procedure call (RPC) services and provide corrective tools and information to remove the vulnerability or, if necessary, disinfect worm-infected computers. This vulnerability reduction and infection removal effort specifically included: • An individual vulnerability probe that was initiated against a computer that was used to access a Web-based campus application. If a vulnerability was detected, the user's Web browser was redirected to information describing corrective resources. Authentication was not permitted unless relevant security patches were installed. Due to broad campus usage of Web-based authentication services, this vulnerability scan compelled many students, staff, and faculty to apply critical security patches. |
SafetyNet: Open source self-service proactive security scanner
| Field | Value |
|---|---|
| Title | SafetyNet: Open source self-service proactive security scanner (ID: EPS282) |
| Author(s) | Marc DeBonis (Virginia Tech) |
| Origin | Contributed by Organizations or Campuses (2005) |
| Type | Effective Practices |
| Abstract | SafetyNet (SN) was written by VT (Virginia Tech) staff to empower DIT (Distributed IT) staff and end users to do remote security vulnerability scanning of their computing resources. Our university had no centrally managed security vulnerability assessment tool that allowed this with the necessary level of granular management. The onus was upon IT (central and distributed) staff and end users to identify and proactively run free tools to test their systems locally and remotely. SN is unlike other vulnerability scanning systems (such as Purdue's VSC or Indiana's ITSO tools). SN is not a NetReg or quarantine service. It is an extensible framework for building a suite of scanning tools into a standard web-based interface which maintains authentication, authorization, IP and DNS information, scan history and remediation documentation in a secure, stable and scalable environment. |