VISC Vulnerability Management Scanning Guideline

Security. Posted 3 Nov 2013.


Last Revised: 10/07/11

REVISION CONTROL

Document Title: VISC Vulnerability Management Scanning Guideline
Author: (not entered)
File Reference: VISC Vulnerability Management Scanning Guidelines DRAFT.docx

Revision History

Revision Date   Revised By     Summary of Revisions             Section(s) Revised
10/07/11        Danita Leese   Copy and paste to new template   All
10/17/11        Kerry Boyer    Added Web Application Scanning   6

Review / Approval History

Review Date   Reviewed By       Action (Reviewed, Recommended or Approved)
02/07/2012    VISC Governance   Approved







Table of Contents

1.0 OVERVIEW
2.0 FOCUS OF VULNERABILITY MANAGEMENT SCANNING GUIDELINES
3.0 REQUIRED ELEMENTS
4.0 VULNERABILITY ASSESSMENT PROFILES
5.0 VULNERABILITY ASSESSMENT AND REMEDIATION AGREEMENT
  5.1 Purpose
  5.2 Scope
  5.3 Authorization to Access Resources
    5.3.1 Service Degradation and/or Interruption
    5.3.2 Campus Point of Contact During Scanning Period
    5.3.3 VISC Point of Contact During Scanning Period
    5.3.4 Assessment Period
    5.3.5 Reporting
6.0 WEB APPLICATION SCANNING
  6.1 Campus completion of the web application online request form
  6.2 VISC production of the executive and technical report for each application scanned
    Time line for remediation
    Time line for campus review of scans
7.0 AGREEMENT TO REMEDIATE FINDINGS
8.0 FAILURE TO REMEDIATE
9.0 PAYMENT CARD INDUSTRY (PCI) VULNERABILITY SCANNING
10.0 STEPS TO PERFORM VULNERABILITY SCANNING AGREEMENT
  Primary Contact
  Secondary Contact


1.0 OVERVIEW

The Virtual Information Security Center (VISC) Vulnerability Management Scanning Guideline is an extension of the CSU Information Security Policies and Standards. It defines the tools, services and procedure used to audit participating campuses and to help them identify and remediate security vulnerabilities. The program was created by and is maintained and operated for VISC participating campuses. In particular, the program provides the following:

- Consultation regarding the benefits of the Vulnerability Management Guidelines
- Setting up the managed tools recommended by VISC
- Initial audit of a Campus's network infrastructure through review of documents, configurations, network diagrams and interviews
- In-depth network-based assessment of workstations, servers, devices and the overall security of the network infrastructure
- Coordination, collaboration and general technical consulting before, during and after the assessment
- Follow-up documentation/reports and additional consulting as needed after the assessment

The intent of vulnerability scanning performed by the VISC is to independently identify technical weaknesses in systems on the campus networks and to prioritize remediation based on the importance of the affected systems. Such assessments allow campus systems to be properly updated and patched, and allow systems containing Protected Data to be configured with the access controls needed to resist intrusion.

2.0 FOCUS OF VULNERABILITY MANAGEMENT SCANNING GUIDELINES

The focus of the Vulnerability Management Scanning Guideline is campus-wide; however, special attention and prioritization will be given to the following:

1. Campuses that process University data identified and classified as "Level 1 or Level 2" data.
2. Campuses requesting additional assistance with auditing/assessing their network infrastructure or specific devices for vulnerabilities.

3.0 REQUIRED ELEMENTS

The required elements for Vulnerability Management Scanning Guidelines include, but are not limited to, the following:

1. A documented request by, and an agreement with, the Campus for a network-based or web application Vulnerability Assessment. This includes identification of which assessment profiles the Campus requires.
2. Timely and bi-directional coordination, collaboration and communication between VISC and the Campus receiving the assessment.
3. Identification of, and authorization to assess, the range of IP addresses assigned to or "owned" by the Campus.
4. Appropriate network and/or physical access to the Campus networks and resources, as agreed to by both parties.
5. Sufficient notification by VISC of when the assessment will take place, what tests will be performed (e.g. Network or Web Application Scanning) and what source IP address range will be used in the execution of assessment activities.
6. Appropriate documentation of findings, results and recommendations so as to facilitate remediation of vulnerabilities by the Campus itself or in conjunction with other resources (e.g. Telecommunications, Network Services, Systems, etc.), if required.

4.0 VULNERABILITY ASSESSMENT PROFILES

The following templates describe common types of security assessments that may be performed. Custom combinations of profiles can be created as needed based upon Campus and/or VISC requests and recommendations.

Profile 1: Network Scanning Vulnerability Assessment

Perform a network-based Vulnerability Assessment of the Campus's network (a subset or all of the assessment activities may be performed, based upon the Campus's needs and/or the recommendation of VISC) using the recommended VISC vulnerability scanning tools.

Profile 2: Web Application Vulnerability Assessment

Perform a Web Application Vulnerability Assessment of the Campus's web applications (a subset or all of the assessment activities may be performed, based upon the Campus's needs and/or the recommendation of VISC) using the recommended VISC vulnerability scanning tools.

5.0 VULNERABILITY ASSESSMENT AND REMEDIATION AGREEMENT

5.1 Purpose

The purpose of this document is to set forth an agreement regarding security scanning activities offered by the VISC to the Campus. In exchange for these scanning services, the campus agrees to engage in activities for the remediation of Critical and High Risk findings as defined in Section 7, Agreement to Remediate Findings.

Assessments may be conducted to:

- Ensure the integrity, confidentiality and availability of information and resources
- Assess the campus's network devices, systems and web applications for vulnerabilities

5.2 Scope

This Agreement covers all computer and network devices owned or operated by the VISC campus. This Agreement also covers any computer, network and mobile devices that are present on the campus's premises but which may not be owned or operated by the campus. The VISC will not perform Denial of Service (DoS) activities, and due care will be taken not to create a DoS condition on the campus network. However, VISC makes no assurance that a networked device will not be adversely affected by assessment activities, resulting in a loss of connectivity and/or the need for a system reboot.

5.3 Authorization to Access Resources

When requested, the campus shall provide VISC staff with consent to access resources for the purpose of performing an assessment. The campus hereby consents to allow VISC to access its networks, firewalls and other devices as designated in this Agreement, to the extent necessary to allow VISC to perform the assessment and scanning activities authorized. The campus shall provide protocols, addressing information, device configurations, policies and network connections sufficient for VISC to execute the tools required to perform network scanning and other assessment tasks.

This access may include:

- User-level and/or system-level access to any computing or network device.
- Access to information (electronic, hardcopies of documentation, etc.) that may be produced, transmitted or stored on campus equipment or premises.
- Access to work areas (labs, offices, cubicles, storage areas, etc.).
- Access to interactively monitor and log traffic on campus networks as required and appropriate.

5.3.1 Service Degradation and/or Interruption

The network scanning or other assessment activities may affect network performance and/or availability. The campus releases VISC from any and all liability for damages that may arise from network availability restrictions caused by the network scanning or other assessment activities, unless such damages are the result of VISC's gross negligence or intentional misconduct.

5.3.2 Campus Point of Contact During Scanning Period

The campus agrees to identify a person who will be available if the VISC Assessment Team has questions regarding data discovered or requires assistance.

5.3.3 VISC Point of Contact During Scanning Period

VISC agrees to identify the personnel performing and involved in the assessment activities in the event the campus needs to contact them. This will include e-mail addresses and phone numbers of the personnel performing the assessment.

5.3.4 Assessment Period

The campus and the VISC Assessment Team agree to identify the allowable dates and times for the scans and testing to take place (during normal Monday to Friday business hours), as well as the IP range the scans will originate from if the scan originates from a remote location on campus (see end of document).


5.3.5 Reporting

VISC agrees to create a final Vulnerability Assessment findings report and deliver it to the campus within seven business days unless otherwise noted. This report shall describe the findings and recommendations for remediation by Campus personnel. VISC personnel will be available to assist with explanations of the findings and recommendations.

Note: VISC will inform the campus of any Urgent or Critical vulnerabilities found during the assessment within 24 hours.

6.0 WEB APPLICATION SCANNING

In order to maintain the integrity and security of web applications at California State University campuses, the VISC uses the Acunetix web vulnerability scanner. This tool can scan your application for a multitude of potential breach points such as SQL injection, cross-site scripting, directory traversal, Ajax application security issues and Google hacking exposures, to name a few.

Use the request form for all scan requests, as the tool can only scan one application at a time and must be coordinated with the campus web team. Once the scan request has been received, a member of the VISC Scan Team will contact you to schedule the scan. The VISC Scan Team replies to scan requests within two business days.

The Acunetix tool is very aggressive and performs a scan similar to an actual attack: it crawls the application and submits attack payloads to the forms and parameters it finds, which can create, modify or delete application data. It is imperative that the system you are requesting be scanned is a non-production system. The VISC Scan Team recommends that the application run on a VM, as this allows a snapshot of the configuration to be used to restore the system and application after a scan. If a VM is not available, a recent backup taken within 24 hours of the scan is recommended.

If the application requires user accounts for access, the VISC Scan Team will need accounts created so that the scanner can reach the appropriate areas. Temporary accounts will need to be created in both user and power user roles so that the scanner can test the security settings that apply to each role. These accounts should be disabled or removed once the scan is complete.

Appropriate firewall exceptions must be put in place to allow the Acunetix scanner to reach the requested web application. These exceptions should be coordinated with the campus networking team and, if host-based rules are deployed, with the operating system team. In most cases this means allowing TCP ports 80 and 443 on the application server from the source address of the appropriate VISC scanner, for the duration of the scan window.
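The notification requirements above (the scanner's source IP range in Section 3.0 item 5, the agreed scan window in Section 5.3.4 and the firewall exception for ports 80 and 443) exist so that the campus can tell the authorized scan apart from a real attack while the scan is running. The following script is an added example, not part of the VISC guideline or of the Acunetix product: it triages web-server access-log lines against an assumed scanner range (192.0.2.0/28), an assumed scan window (18 Oct 2011, 09:00 to 17:00 Pacific) and constructed log lines, flagging scanner-like requests that arrive from outside the agreed range or outside the agreed window. Scanner traffic is recognised by the agreed source address and time, never by the User-Agent header, which any attacker can set to anything.

```python
"""Triage web access-log lines against an agreed scanner source range and scan window.

Added example (not VISC or Acunetix code). The scanner range, the scan window
and the log lines below are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Assumed values: substitute the source range and window from VISC's scan notification.
SCANNER_RANGE = ipaddress.ip_network("192.0.2.0/28")           # hypothetical VISC scanner range
PACIFIC = timezone(timedelta(hours=-7))                         # PDT, in force in October 2011
SCAN_WINDOW = (datetime(2011, 10, 18, 9, 0, tzinfo=PACIFIC),   # hypothetical agreed window
               datetime(2011, 10, 18, 17, 0, tzinfo=PACIFIC))

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Request shapes typical of a web vulnerability scanner, matched against the URL-decoded path.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*(or|and)\s",      # SQL injection tautology, e.g. ' OR 1=1
    r"union\s+select",      # SQL injection union probe
    r"\.\./",               # directory traversal
    r"/etc/passwd",         # traversal target
    r"<script",             # reflected XSS probe
)]


def parse_line(line):
    """Return a dict with ip, ts, path and ua for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "ua": m.group("ua"),
    }


def looks_like_probe(path):
    """True if the decoded request path contains a common scanner/attack payload."""
    decoded = unquote_plus(path)
    return any(p.search(decoded) for p in PROBE_PATTERNS)


def classify(entry, scanner_range=SCANNER_RANGE, window=SCAN_WINDOW):
    """Label one request by agreed source address and agreed time, never by User-Agent."""
    in_range = entry["ip"] in scanner_range
    in_window = window[0] <= entry["ts"] <= window[1]
    if in_range and in_window:
        return "authorized-scan"
    if in_range:
        return "scanner-outside-window"   # agreed source, wrong time: confirm with the VISC contact
    if looks_like_probe(entry["path"]):
        return "unexpected-probe"         # attack traffic from an address VISC did not notify
    return "normal"


def triage(lines, scanner_range=SCANNER_RANGE, window=SCAN_WINDOW):
    """Count each label and collect the entries that need a human decision."""
    counts = {}
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                       # not a combined-format line; skip it
        label = classify(entry, scanner_range, window)
        counts[label] = counts.get(label, 0) + 1
        if label in ("scanner-outside-window", "unexpected-probe"):
            flagged.append((label, str(entry["ip"]), entry["path"]))
    return counts, flagged


# Constructed sample log: two authorized probes, one normal hit, one probe from an unknown
# address, and one request from the scanner range outside the agreed window.
SAMPLE_LOG = """\
192.0.2.5 - - [18/Oct/2011:10:15:32 -0700] "GET /login.php?user=%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "scanner"
192.0.2.5 - - [18/Oct/2011:10:15:33 -0700] "GET /download.php?f=../../etc/passwd HTTP/1.1" 404 210 "-" "scanner"
198.51.100.23 - - [18/Oct/2011:11:02:10 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.77 - - [18/Oct/2011:22:40:01 -0700] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.5 - - [19/Oct/2011:03:12:00 -0700] "GET /admin/ HTTP/1.1" 403 150 "-" "scanner"
"""

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG.splitlines())
    print(counts)
    for item in flagged:
        print("REVIEW:", *item)
```

Run as-is it reports two authorized scan requests, one normal request, one probe from an address outside the agreed range and one scanner-range request outside the window. In practice, feed it the access log of the scanned application's web server and replace the assumed range and window with the values in VISC's notification. Requests from the agreed range outside the window are worth a call to the VISC point of contact (Section 5.3.3) before they are blocked; probes from any other address should be handled as an incident, not as part of the scan.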

6.1 Campus completion of the web application online request form

- Identify the campus being scanned.
- Identify the staff members to receive the vulnerability report.
- Identify the URL of the application.
- Verify there is a current backup on file.
- Provide temporary user and/or power user level accounts.
- Verify that the application is a test or non-production application.
- Confirm the date and time of the scan window.


6.2 VISC production of the executive and technical report for each application scanned

Time line for remediation

The VISC Scan Team uses the Open Web Application Security Project (OWASP) Top 10 Application Security Risks for mitigation and remediation time lines. The following link provides more information on the OWASP standard:

https://www.owasp.org/index.php/Top_10_2010-Main

Time line for campus review of scans

The campus must review the scans within three business days and provide feedback. Note: if false positives are found, VISC requires written proof that each finding is in fact a false positive.

7.0 AGREEMENT TO REMEDIATE FINDINGS

All remediation activities are the responsibility of the campus, and remediation shall be performed by the campus or the campus's designee. The Campus has engaged VISC to perform the assessment and agrees to complete the following remediation activities consistent with the campus Change Management process. The following are VISC-suggested corrective timeframes based on criticality, but they are not meant to supersede current campus Change Management processes. The Campus has the option to accept the risk imposed by a vulnerability and refrain from fixing it or implementing a mitigating control, based on Change Management processes or operational priorities.

1. The VISC recommends that all Urgent Severity Vulnerability findings be addressed within 2 business days, or remediated consistent with the current campus Change Management process.
2. The VISC recommends that all Critical Severity Vulnerability findings be addressed within 5 business days, or remediated consistent with the current campus Change Management process.
3. The VISC recommends that all Serious Severity Vulnerability findings be addressed within 20 business days, or remediated consistent with the current campus Change Management process.
4. The VISC recommends that all Medium & Low Severity Vulnerability findings be addressed within 120 business days, or remediated consistent with the current campus Change Management process. The Campus has the option to accept the risk imposed by such a vulnerability and refrain from fixing it or implementing a mitigating control.

An Urgent Severity Vulnerability finding is one that imposes serious and immediate risk upon the Campus and/or University and exists on a device that contains personal data such as social security numbers, or is associated with an "essential" device (e.g. a domain controller or mail server) infected with spyware or malware.

Note that it is the existence of personal data on a machine that has a High vulnerability that elevates the vulnerability to Urgent, not simply the existence of personal data on a device. Urgent findings include:

1. Any vulnerability that fails a compliance test (such as HIPAA or PCI).
2. Any vulnerability that could lead to a loss of personal information (such as social security numbers stored on a particular server).


3. Services accessible from the Internet that provide open access to unauthorized users (e.g. an open mail relay, a telnet server with a weak or no password on a default account, etc.).

A Critical Severity Vulnerability finding is one that imposes serious but not immediate risk upon the Campus and/or University. Examples are a workstation infected with a virus or spyware, or a misconfigured firewall allowing inappropriate access to sensitive data that is protected by other security controls which prevented it from being accessed.

A Serious Severity Vulnerability finding is one that imposes moderate risk upon the Campus and/or University, such as illegally downloaded copyrighted material found on a server, or unlicensed software installed on a server.

A Medium & Low Severity Vulnerability finding is one that imposes some risk upon the Campus and/or University, but is not significant enough to require immediate attention and can be scheduled for future upgrades or maintenance windows. One such example would be a computer running Windows NT 4.0 without a host-based firewall installed (a feature that Windows Server 2003, XP and Vista support natively).

8.0 FAILURE TO REMEDIATE

Urgent, Critical and Serious Severity Vulnerability findings represent significant exposure to the Campus and University, and require immediate attention.

Failure to take the remedial action identified in this agreement could substantially increase risk and exposure to the community at large. Failure to remediate in a timely manner may also expose the Campus's environment to compromise across the systems identified in the Assessment.

9.0 PAYMENT CARD INDUSTRY (PCI) VULNERABILITY SCANNING

PCI vulnerability scanning is required for all PCI merchants. Internal and external network vulnerability scans must be performed at least quarterly and after any significant change in the network. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, pass four consecutive quarterly scans as a requirement for compliance.

Per PCI DSS, an Approved Scanning Vendor (ASV) must perform the quarterly external scans. Qualys is an ASV that lets us run the scans ourselves and then submit them for attestation. Qualys needs at least three (3) business days of lead time to review and approve any reports submitted for attestation.

For VISC to provide PCI vulnerability scanning, each request must follow these guidelines:

- A campus must define for VISC the devices that are in scope.
- A campus must send VISC the list of in-scope IP addresses to be scanned.
- A campus must indicate whether the PCI systems are segmented from the rest of the network.
- A campus must provide dates and times within the quarter (not more than three weeks before the end of the quarter).

- VISC will perform the quarterly scans of the campus devices that are in scope.


- VISC will produce executive and technical reports for each PCI scan.
- VISC will review the reports within three business days.
- The campus must review the scans and provide feedback. Note: if false positives are found, VISC requires written proof that each finding is in fact a false positive. This information supports the attestation process.
- When a campus agrees to either passed PCI reports or failed PCI reports with exceptions noted, VISC will submit the external PCI reports to Qualys for attestation. Note: Qualys will not accept any failed reports unless all of the failed vulnerabilities can be justified.

10.0 STEPS TO PERFORM VULNERABILITY SCANNING AGREEMENT

Contact the Lead for the specific vulnerability scanning assessment that is required.

For Network-based vulnerability scanning assessments, please contact the following:

Primary Contact: Leigh Lopez
Email: leigh.lopez@csun.edu
Phone: (818) 677-3908

Secondary Contact: Adam Cook
Email: adam.cook@csus.edu
Phone: (916) 278-2266

If neither responds within 48 hours, please contact: Kerry Boyer, visc@calstate.edu.

For Web Application vulnerability scanning assessments, please use the following URL:
http://www.csus.edu/irt/is/services/webapplicationscan.html

or contact the following:

Primary Contact: Adam Cook
Email: adam.cook@csus.edu
Phone: (916) 278-2266

Secondary Contact: Leigh Lopez
Email: leigh.lopez@csun.edu
Phone: (818) 677-3908

If neither responds within three business days, please contact: Kerry Boyer, visc@calstate.edu.

The lead or secondary contact will respond in a timely manner.