Vulnerability Scanning
Request a Scan
Print this form to request a vulnerability scan. (Only systems that you administer and that are directly connected to VCUNet may be scanned. If you are requesting a server scan, the server must be registered in the VCU Server Inventory Database.)
Overview
What is a vulnerability scanner?
A vulnerability scanner is a network application that first discovers the hosts on a target network and then probes each one for known weaknesses. The scanner the University currently uses checks for the SANS/FBI Top Twenty vulnerabilities, a list grouped by operating system family (Windows and Unix). The SANS/FBI Top Twenty list is valuable because the majority of successful attacks on Internet-connected systems can be traced to exploitation of flaws on this list. These few software vulnerabilities account for most successful attacks simply because attackers are opportunistic, taking the easiest and most convenient route: they exploit the best-known flaws with the most effective and widely available attack tools, they count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable system.
What does a scan do?
To protect University systems against intrusion and compromise, we need to know what vulnerabilities our computers contain and expose to the outside world, and then eliminate or reduce the risk those vulnerabilities present. University systems staff must know more about the University network than an intruder does. Scans produce a report of University computers with potential or confirmed vulnerabilities (a scanner finding is evidence, not proof; it should be verified on the host before it is treated as confirmed). Reports are confidential and are given only to the systems administrators responsible for the systems. They include detailed information on each vulnerability or exposure and instructions for reducing the associated risk, to help staff identify, prioritize and correct the most critical vulnerabilities first.
Process
What does the University scan?
The University vulnerability scanner performs regularly scheduled network-based security assessments of the local area networks. Each run first sweeps the network to build a list of active machines, then tests each active machine against the Top Twenty vulnerabilities to judge how likely it is to be compromised. These weaknesses are singled out because they can lead directly to unauthorized network access. The scanner then generates reports with detailed step-by-step instructions for correcting each vulnerability and eliminating the associated risk. Two limits to keep in mind: the scanner does not inspect the content of files on a machine, and the host list is fixed when the run starts, so a machine powered on after the sweep begins is not scanned and has no entry in the report (no entry means not assessed, not clean). Reports are furnished to the responsible systems administrator or authorized technical support manager.
What is expected of Systems Administrators/Technical Support Manager
System administrators are encouraged to correct reported flaws in order of risk. Each finding is rated at one of three risk levels; fix the highest-rated findings first, and make sure every system is protected against the most common attacks. The Top Twenty list exists precisely to avoid overwhelming administrators with an exhaustive vulnerability list: it distills the knowledge of leading security experts from federal agencies, security software vendors, consulting firms, university-based security programs, CERT/CC and the SANS Institute into the flaws that matter most.
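The two points above (findings are delivered per administrator and rated at three risk levels, and a host that was not active during the discovery sweep simply has no result) are easy to get wrong when reading a raw report. The script below is an added illustration, not the University scanner's own code or its report format: the CSV layout, the CHK-nnn check identifiers, host names, administrator names and findings are all constructed for this example. It routes each finding to the owning administrator, orders them highest risk first, and separately lists inventory hosts that were never assessed so that silence is not mistaken for a clean result.

```python
"""Triage a vulnerability-scan report by risk level and owner.

Added illustration, not the University scanner's own code or report
format: the CSV layout, check identifiers, host names, administrator
names and findings below are all constructed for this example.
"""
import csv
from io import StringIO

# The page describes three levels of risk; sort highest first.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed: hosts that answered during the discovery sweep that
# starts each scan run. Only these hosts are assessed.
ACTIVE_HOSTS = {"web1.example.edu", "db1.example.edu", "lab7.example.edu"}

# Constructed: hosts registered to each administrator (stand-in for a
# server inventory). web2 was powered off during the sweep.
INVENTORY = {
    "alice": ["web1.example.edu", "web2.example.edu"],
    "bob": ["db1.example.edu", "lab7.example.edu"],
}

# Constructed sample report: one finding per line, deliberately unsorted.
SAMPLE_REPORT = """\
host,check,risk,summary
web1.example.edu,CHK-002,Medium,Weak password hashes stored
web1.example.edu,CHK-001,High,Anonymous file share readable
db1.example.edu,CHK-003,Low,Service banner reveals version
lab7.example.edu,CHK-004,High,Remote procedure call service exposed
lab7.example.edu,CHK-005,Medium,Default management community string
stray9.example.edu,CHK-003,Low,Service banner reveals version
"""


def parse_report(text):
    """Parse the CSV report, rejecting any risk level outside the three tiers."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        if row["risk"] not in RISK_ORDER:
            raise ValueError(f"unknown risk level {row['risk']!r} on {row['host']}")
    return rows


def triage(report_text, inventory, active_hosts):
    """Route findings to the responsible administrator, highest risk first.

    Returns {admin: {"findings": [...], "not_assessed": [...]}} plus an
    "unassigned" list for findings on hosts nobody in the inventory owns.
    not_assessed holds inventory hosts that were not active during the
    sweep: they have no findings because they were not scanned, which is
    not the same as having been scanned clean.
    """
    owner = {host: admin for admin, hosts in inventory.items() for host in hosts}
    result = {admin: {"findings": [], "not_assessed": []} for admin in inventory}
    unassigned = []
    for finding in parse_report(report_text):
        admin = owner.get(finding["host"])
        if admin is None:
            unassigned.append(finding)
        else:
            result[admin]["findings"].append(finding)
    for admin, hosts in inventory.items():
        result[admin]["findings"].sort(
            key=lambda f: (RISK_ORDER[f["risk"]], f["host"], f["check"])
        )
        result[admin]["not_assessed"] = [h for h in hosts if h not in active_hosts]
    result["unassigned"] = unassigned
    return result


if __name__ == "__main__":
    triaged = triage(SAMPLE_REPORT, INVENTORY, ACTIVE_HOSTS)
    for admin in INVENTORY:
        print(f"== {admin} ==")
        for f in triaged[admin]["findings"]:
            print(f"  [{f['risk']:<6}] {f['host']}: {f['check']} {f['summary']}")
        for host in triaged[admin]["not_assessed"]:
            print(f"  [NOT ASSESSED] {host}: not active during sweep, rescan needed")
    for f in triaged["unassigned"]:
        print(f"  [UNASSIGNED] {f['host']}: no registered administrator")
```

The "unassigned" bucket is the other gap worth watching: a host that answers the sweep but is not registered to anyone produces findings that nobody receives, which is the situation the Server Inventory Database registration requirement is meant to prevent.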
Goals
What do we expect to accomplish?
The goal of the University scanning program is to identify and correct computer system vulnerabilities before systems are compromised. Eliminating these vulnerabilities reduces the risk to the University network specifically and to the Internet as a whole.
