
IIA Service Update: Vulnerability Scanning

Dear Security Community Member,

As we all start a new academic year, we'd like to let you know about some important changes to IIA's vulnerability scanning services.

The university's site license for eEye's Retina Vulnerability Scanner expires at the end of this calendar year and will not be renewed. If you are currently using Retina to perform local vulnerability scans, there are several options available as of September 1:

  • Leverage IIA's Monthly Vulnerability Scanning Service.
    IIA currently offers a free vulnerability scanning service using the Nessus vulnerability scanner. An IIA analyst will work with you to develop a scanning policy, and results will be emailed to you after each scan. Scans are performed from a campus network and can traverse firewalls; credentialed scans are also supported. IIA currently provides this service for approximately 20 different campus units. More specifics and an FAQ about the IIA Monthly Scanning Service are available on the Safe Computing website.

  • Use Retina Community Edition.
    eEye recently released a free version of Retina that can be used for up to 32 IP addresses at a time. This is a good option for performing ad hoc scans of a small number of machines, e.g., before admitting new machines onto a network or to satisfy RECON testing requirements. It can also be used to scan a small number of machines on a regular basis. Aside from the limit of 32 IP addresses, the Retina Community Edition does not include PCI scanning/reporting, database scanning, web application scanning, or HTML reports.

  • Obtain a license for a vulnerability scanner such as Nessus.
    This approach is best for large units that want to manage their own vulnerability scanning process. While the university will no longer provide a site license for a vulnerability scanner, units may purchase a Nessus license for $1,200/year. This is the same scanner that IIA uses to perform the campus-wide external quarterly vulnerability scan and the Monthly Vulnerability Scanning Service mentioned above.

There is new vulnerability management content on the Safe Computing website that provides more detail on the IIA service.

If you have any questions or concerns about these options or about the decision to discontinue the license for Retina, please contact iia.vulnscans@umich.edu.