UC Davis Vulnerability Scanning and Remediation 2005 Larry Sautter Award UC Davis, Information and Education Technology
UC Davis Vulnerability Scanning and Remediation • Project description and background • Project Objectives • Protecting the campus network • Scalable technology • Education • Questions
Project Description A proactive approach to reducing threats to computing resources and enhancing the protection of university electronic information.
Project Objectives • Protect the integrity of the campus computing environment • Provide a cost-effective solution for vulnerability scanning and remediation • Develop a scalable system • Educate campus computer users, support staff and system administrators
Timeline
• September 2003: Temporary scanning system deployed to detect RPC vulnerabilities
• October 2003: Reduction in vulnerable and/or infected systems on the campus network from more than 700 to fewer than 40 in four weeks
• May 2004: Planning for a permanent vulnerability scanning system was initiated
• September 2004: Computer Vulnerability Scanning Policy adopted by the campus; rebuilding/redeployment of the campus vulnerability scanning system components; threat analysis subscription begins; database upgrades made
• January 2005: Honeypot integrated into the permanent scanning system
• June 2005: Intrusion detection system (IDS) integrated into the vulnerability scanning system
• July 2005: Campus vulnerability scanning system in full production mode
Computer Vulnerability Scanning Policy • All computers, servers, and other electronic devices connected to the campus network shall be kept free of critical security vulnerabilities. • Individuals whose computers present critical security vulnerabilities must correct those vulnerabilities in a timely manner before connecting to the campus network. • Computers found to contain critical security vulnerabilities that threaten the integrity or performance of campus network will be denied access to campus computing resources, and may be disconnected from the campus network to prevent further dissemination of infectious or malicious network activity.
Vulnerability Assessment Mechanisms • Nessus (driven by the scanlite Perl module) scans campus systems daily for a small, selected set (1-3) of high-risk vulnerabilities • Nessus is also used to identify compromised systems at the time of web-based authentication • LaBrea (honeypot) identifies malicious network traffic on an unannounced network segment • Bro (IDS) identifies malicious network traffic; Bro can use the Snort rule set
Vulnerability Assessment Database • IP Address • Date • Type (honeypot, scan, IDS) • MAC address • Username
Input Sources • VLAN assignments (What IPs shall we scan?) • VLAN technical contact (Who do we contact if there is a problem?) • ARP table records (What MAC address is associated with a particular IP?) • MAC address ownership (Who registered a particular MAC address?) • Web authentication (What IP is attempting to authenticate to a UCD web site?) • Threat selection (What threats represent highest risk to campus?) • Web/Daily Scan Capability (What Nessus security plug-ins are available?)
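The three slides above describe one data flow: scan, honeypot and IDS events land in a database keyed by IP, date and type, get joined to a MAC address (ARP table) and a registered owner (MAC registration), fall back to the VLAN technical contact when no owner is known, and are consulted when an IP tries to authenticate to a campus web site. The following is an added example that models that flow; it is not the UC Davis system's own code. The table layouts, field names, addresses, user names, contact addresses and finding labels are all constructed here for illustration and do not appear on the page.

```python
# Added example, not the UC Davis system's own code: a toy model of the
# vulnerability assessment database (IP, date, type, MAC, username) and the
# lookups the slides describe. Sample VLANs, ARP entries, MAC registrations,
# contacts and findings are constructed for illustration.
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    ip: str
    when: date
    kind: str                       # "scan", "honeypot" or "ids" (the slide's "Type")
    detail: str                     # hypothetical plug-in / signature label
    mac: Optional[str] = None       # filled from the ARP table at record time
    username: Optional[str] = None  # filled from MAC registration at record time


class AssessmentDB:
    def __init__(self, vlans, contacts, arp, mac_owners):
        self.vlans = vlans            # VLAN assignments: {vlan: [cidr, ...]}  -> what to scan
        self.contacts = contacts      # VLAN technical contact: {vlan: email} -> whom to notify
        self.arp = arp                # ARP table records: {ip: mac}
        self.mac_owners = mac_owners  # MAC address ownership: {mac: username}
        self.findings = []            # list of Finding, in the order recorded
        self.cleared = {}             # ip -> len(findings) at that IP's last clean rescan

    def scan_targets(self, vlan):
        """Expand a VLAN's prefixes into the host addresses the daily scan should cover."""
        return [str(h) for cidr in self.vlans[vlan]
                for h in ipaddress.ip_network(cidr).hosts()]

    def vlan_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for vlan, cidrs in self.vlans.items():
            if any(addr in ipaddress.ip_network(c) for c in cidrs):
                return vlan
        return None

    def contact_for(self, ip):
        """Who to contact when an IP on this VLAN has a problem (None if not a campus VLAN)."""
        vlan = self.vlan_of(ip)
        return self.contacts.get(vlan) if vlan else None

    def record(self, ip, when, kind, detail):
        """Store a scan/honeypot/IDS event and join it to MAC and owner immediately:
        a DHCP address may be rebound before anyone looks at the record later."""
        mac = self.arp.get(ip)
        user = self.mac_owners.get(mac) if mac else None
        f = Finding(ip, when, kind, detail, mac, user)
        self.findings.append(f)
        return f

    def clear(self, ip):
        """A clean rescan after remediation lifts the block for that IP."""
        self.cleared[ip] = len(self.findings)

    def is_blocked(self, ip):
        """Web-authentication gate: deny if any event for this IP postdates its last clean rescan."""
        start = self.cleared.get(ip, 0)
        return any(f.ip == ip for f in self.findings[start:])

    def unattributed(self):
        """Findings with no registered owner: these fall back to the VLAN contact."""
        return [f for f in self.findings if f.username is None]

    def top_findings(self, n=10):
        """Counts behind a 'Top Ten' style summary for technical staff."""
        return Counter(f.detail for f in self.findings).most_common(n)


def build_demo():
    """Constructed sample data (hypothetical addresses, names, contacts and findings)."""
    db = AssessmentDB(
        vlans={"vlan-eng": ["10.10.1.0/24"], "vlan-dorm": ["10.20.0.0/22"]},
        contacts={"vlan-eng": "eng-admin@example.edu", "vlan-dorm": "reshall-admin@example.edu"},
        arp={"10.10.1.5": "00:11:22:33:44:55", "10.20.1.9": "aa:bb:cc:dd:ee:ff"},
        mac_owners={"00:11:22:33:44:55": "jdoe"},  # aa:bb:cc:dd:ee:ff was never registered
    )
    db.record("10.10.1.5", date(2005, 7, 1), "scan", "msrpc-dcom-overflow")
    db.record("10.10.1.5", date(2005, 7, 1), "ids", "worm-scan-tcp-135")
    db.record("10.20.1.9", date(2005, 7, 2), "honeypot", "tarpit-connect")
    db.record("10.20.1.9", date(2005, 7, 3), "scan", "msrpc-dcom-overflow")
    return db


if __name__ == "__main__":
    db = build_demo()
    for f in db.findings:
        owner = f.username or f"(unregistered; contact {db.contact_for(f.ip)})"
        print(f.when, f.kind, f.ip, f.mac, owner)
    print("blocked:", db.is_blocked("10.10.1.5"))
    db.clear("10.10.1.5")  # owner patched and requested a rescan
    print("blocked after clean rescan:", db.is_blocked("10.10.1.5"))
    print("top:", db.top_findings(3))
```

Two design points carry over to a real deployment: the MAC and owner are resolved when the event is written, not when it is read, because ARP and DHCP bindings age out; and a block is lifted only by a later clean rescan, so a host that is re-infected after being cleared is blocked again automatically.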
Faculty, Staff and Students • Formal discussions with senior campus administrators and advisory groups • Email alerts/announcements • Print and Web publications • Posters and Flyers • Self-initiated scans • Scan results pages
Technical Staff • Formal discussions • Computer & Network Security Report (secalert.ucdavis.edu) • Email notifications • “Top Ten” graphs
Lessons Learned and Next Steps • Nessus limitations • Reliance on campus unit system administrators • Enhance integration with Remedy trouble-ticketing system • Product integration via database is not readily available
Contact Information • Robert Ono, firstname.lastname@example.org