Vulnerability Scanning Policy

1. Introduction

1.1. The purpose of this policy is to allow IT Services within Loughborough University to scan devices attached to the university network for vulnerabilities. This is to assist in maintaining a secure and reliable infrastructure.

1.2. Vulnerability scanning may be conducted to:

  • Identify compromised systems within the campus network;
  • Identify virus-infected machines within the campus network;
  • Identify poorly configured and potentially vulnerable systems attached to the campus network;
  • Scan any device for which a firewall rule has been requested;
  • Investigate possible security incidents to ensure systems conform to Loughborough University’s security policies.

2. Scope

2.1. This policy covers all computers and communications devices owned or operated by Loughborough University and any computers or communications devices that are present on the campus network which are connected with agreed JANET proxy or sponsored connections. This is highlighted in the University AUP.

3. Scanning

3.1. Loughborough University IT Services will use industry-leading software to carry out vulnerability scanning and produce audit reports.

3.2. A number of tools will be used for vulnerability scanning, and the tool set will be reviewed annually. This includes open-source tools, commercial packages and services provided by ESISS.

3.3. These tools will perform the following tasks:

  • Host discovery – identifying computers listening on the campus network;
  • Port scanning;
  • Operating system detection – remotely determining the OS (Windows, Apple Macintosh or Linux);
  • Software version detection – interrogating listening services to determine application names and versions;
  • Network-based vulnerability scanning;
  • Operating system security patch audits (Windows, Linux);
  • Configuration audit;
  • Web application vulnerability testing;
  • SQL database vulnerability and configuration auditing;
  • Password auditing, checking for default or blank passwords;
  • Anti-virus audit, checking for out-of-date virus signatures and configuration errors.

4. Policy

4.1. In an effort to reduce IT Security risks and supplement existing security practices, IT Services will perform periodic vulnerability audits on devices connected to the campus network.

4.2. IT Services may also scan for vulnerabilities which are currently being exploited in the wild.

4.3. Vulnerability audits will consist of campus network scans for:

  • Open communications ports;
  • Host operating system detection;
  • Host operating system patch levels;
  • Remote applications to identify known vulnerabilities or high-risk system weaknesses.

4.4. Any new systems or services should have passed a vulnerability scan before being connected to the production network.

4.5. Any systems or services which require off-campus access are subject to a vulnerability scan before access is granted. This is to ensure that the machine's security posture is adequate.

4.6. All systems or services which currently have off-campus access enabled are subject to vulnerability scanning every six months.

4.7. Any systems or services which require access via the VPN service or Remote Working Portal must pass a vulnerability scan.

4.8. Before IT Services carry out any vulnerability scans, server managers should be contacted to arrange a suitable time.

4.9. Vulnerability scanning will not search the contents of personal electronic files located on the system.

4.10. Scans should not cause disruption to the campus network or to services hosted on the systems being scanned. Device log files may record the scan as it takes place.

4.11. Servers hosted within IT Services datacentres will be subject to a three-monthly automated authenticated security scan, and as such will require the service account Lunet\scan-svc to have local administrator permissions. If a software firewall is installed, a rule permitting inbound connections from the scanning server's IP address will be required.