UCI has embarked upon a more formalized way to track and manage information security vulnerabilities on the network as part of an ongoing effort to reduce risk. Please click the sections below to learn more about the vulnerability management program, related network disconnect procedure, and ways OIT can help keep your systems and the network secure.
Vulnerability Management Program
A vulnerability is a weakness or flaw that an attacker can potentially use to gain unauthorized access to information on systems, networks or applications. Not only is the vulnerable host a risk to itself, but once compromised, it can then be used to attack other hosts on campus. Vulnerability management is the practice of identifying, classifying & remediation of these vulnerabilities before individuals with malicious intent are able to use them to exploit and compromise systems.
Examples of some vulnerabilities:
- Operating systems that are no longer supported by the vendor (Windows 2000, Windows 2003, Windows XP, outdated Linux, etc)
- Windows 7 will reach its End of Life (EOL) support on January 14, 2020. Please replace or upgrade devices before then.
- Missing patches for operating systems and applications (Adobe, Flash, Java, Microsoft Patches, PHP, Apache, etc)
- Websites with weak security code and input validation errors (SQL Injection, Cross-site Scripting, etc)
- Privilege Escalation (Gain elevated access when you shouldn't be able too)
As a proactive measure UCI has implemented a vulnerability management program on campus to discover and remediate these potential weaknesses or vulnerabilities before they can be discovered and taken advantage of by those with malicious intent. We offer several services and tools as part of this vulnerability management program, including our campus host based vulnerability scanning software Tenable SecurityCenter and our web application vulnerability tool HCL AppScan.
Tenable SecurityCenter is used to scan the campus network for host, network and some web application vulnerabilities. This tool receives regular updates of the latest vulnerability signatures from threat intelligence sources so we can become aware of and discover new vulnerabilities as they come out. The Office of Information Technology (OIT) security team runs regular campus wide vulnerability scans using SecurityCenter to discover vulnerabilities on campus systems and notify the appropriate groups for remediation. In addition a self-service option is offered in SecurityCenter that any group on campus can use to run their own custom scans. Regular reporting is also provided to groups on campus to keep them up-to-date on their current vulnerability status within the tool.
HCL AppScan can also be used to perform in-depth analysis of web applications for coding errors that could lead to the application being vulnerable to attacks. Scans using this tool are currently performed by request from the OIT Security team, please refer to the "How Can OIT Help?" section below on how to request a vulnerability scan of your web application using HCL AppScan.
Network Disconnect Procedure
When a user connects a device to the campus network, they are responsible for making sure their devices adhere to the University's standards. The user accepts that the proper software configuration and patches are in place. However, if a system is found to not have these security measures, their access to the network may be disconnected. Campus contacts will be notified of systems that don't meet these security measures before network access is suspended, allowing them time to address the identified issues first. More information on the relevant campus policies can be found here: Sec. 714-18: Computer and Network Use Policy, Sec. 800-13: UCInet Guidelines, Sec. 800-18: Security Guidelines for Computers and Devices Connected to UCInet, as well as UC Minimum Security Standard.
Due to the severity of information security threats and the need to protect UCI assets, vulnerabilities discovered by OIT will be subject to UCI's network disconnect policy. Hosts with vulnerabilities that meet the guidelines listed below will be disconnected from the network if not addressed within the specified time frame noted. Several notifications will be sent out to campus contacts prior to network access being disconnected as noted below. Regaining access to the network will be contingent upon providing documentation to the OIT that the vulnerability identified has been addressed.
Network Disconnect Policy Chart
UCI Network Disconnect Time
First time reported by our regular security scans
3 weeks after 1st Notification
• Automated Vulnerability Reports from SecurityCenter
• 1st Notification from OIT (After discovered date)
• 2nd Notification from OIT (After 1 week)
• 3rd Notification from OIT (After 2 weeks)
• Final Notification from OIT / Network Disconnect (After 3 weeks)
* Vulnerability Severity - Based on level of severity assigned to the vulnerability within our vulnerability management tools.
* Exploitable - Based on if there is a known exploit for the vulnerability identified.
Network Disconnect Notification Procedure
Within our vulnerability management tools, we have identified campus contacts for the various areas of campus. They are responsible for keeping that membership up-to-date by notifying OIT of any changes that need to be made. Vulnerability reports are auto generated from these tools to area contacts to keep them informed of the various vulnerabilities discovered on their assigned systems. They also highlight the systems of the highest importance including those that meet the above network disconnect guidelines.
Campus contacts with systems which meet the above guidelines will receive the 1st notification via email warning of impending network disconnect of the host(s) if not addressed by the specified date in the email. If not addressed after the first week a 2nd email notification will be sent out as a reminder that the identified vulnerability must be addressed by the date in the email. A third notification will be sent out the second week if the vulnerability still has not been dealt with. Finally if the identified vulnerabilities on the host(s) have not been addressed by the designated date, a final email notification will be sent out stating that network access of the host(s) will be disconnected within 24 hours.
Verification & Network Restoration Procedure
When a host has been blocked using the above process, this can be verified by looking up the host using the OIT Blocked List tool. This tool allows you to look up a system by MAC address and see if and why it may be blocked. In order to regain access to the network, the campus contact will need to reach out to OIT to verify that the vulnerability is being addressed now. Once approved, OIT will restore network access within 24 hours.
How Can OIT Help?
How can I get access to the Tenable SecurityCenter vulnerability management tool to view my system's vulnerability information and run custom scans?
- Visit the Information Security Service Request Catalog to submit the "Tenable SecurityCenter Vulnerability Management Tool Access Request" form and OIT will fulfill your request as soon as possible or will reach out to you if any additional information is needed. Please allow up to 3 business days to process your Tenable SecurityCenter requests.
How do I use the Tenable SecurityCenter tool?
- Please refer to the Tenable SecurityCenter Vulnerability Management Tool - UCI User Guide.
- Also refer to the Tenable SecurityCenter Training Video.
What if I need clarification about the information provided by the tool?
- Please contact OIT at https://www.oit.uci.edu/help/security/ where an OIT Security Engineer can assist you.
What if I need assistance addressing vulnerabilities on my systems?
- Based on priority, OIT Security staff can temporarily provide hands-on technical assistance on your systems where possible, please contact OIT at https://www.oit.uci.edu/help/security/ for more information.
Does OIT provide assistance for keeping systems patched?
- Yes, OIT does provide Computing Support Coordinators access to a patching tool. Please contact OIT at https://www.oit.uci.edu/help/ for more information.
How can I get a more in-depth assessment of my web application security vulnerabilities?
- Visit the Information Security Service Request Catalog to submit the "Web Application Vulnerability Scan (HCL AppScan) Request" form. OIT will reach out to you for scheduling and if any additional information is needed. Please allow up to 21 business days to complete.