Vulnerability scanning is a process of remotely examining hosts on a network for known, detectable vulnerabilities and misconfigurations. The types of vulnerabilities found depend on:
- the scanner used
- the way the scanner is configured (the "scan policy")
- the amount of information the target host or network reveals to the scanner
In a typical network vulnerability scan, the scanner will attempt to connect to hosts in the target network in various ways to determine which ones are responsive ("host discovery"). Discovered hosts are subsequently interrogated to find open ports for the scanner to probe ("port scanning"). Any open ports will be tested for specific vulnerabilities that match the type of service detected on that port.
Since many tests rely on self-reporting by the host (such as software version numbers reported by the host), there is a potential for false positives and false negatives in any scan. One way to address this is through credentialed scanning, where the scanner is provided with an account to log in to the target host and directly query the status and configuration of the operating system and installed software.
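The false positives and false negatives described above can be seen by comparing a banner-based verdict with a credentialed one. The following is an added example, not code from IIA or from Nessus; the service name `exampled`, its version numbers, the fix versions, and the sample hosts are all constructed for illustration.

```python
import re

# Constructed advisory for a hypothetical service "exampled" (not a real product):
# fixed upstream in 2.4.10; a vendor backported the fix into package 2.4.6-3.
FIXED_UPSTREAM = (2, 4, 10)
FIXED_PACKAGE = ((2, 4, 6), 3)  # (upstream version, package release)

def parse_banner(banner):
    """Upstream version the service self-reports, or None if the banner hides it."""
    m = re.search(r"exampled/(\d+(?:\.\d+)*)", banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def remote_verdict(banner):
    """Uncredentialed check: only sees what the host reveals over the network."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED_UPSTREAM else "not vulnerable"

def credentialed_verdict(package):
    """Credentialed check: reads the installed package string, e.g. '2.4.6-3'.
    Simplified comparison; real package managers have richer version rules."""
    upstream, _, release = package.partition("-")
    installed = (tuple(int(p) for p in upstream.split(".")), int(release or 0))
    return "vulnerable" if installed < FIXED_PACKAGE else "not vulnerable"

def classify(banner, package):
    """Treat the credentialed result as ground truth and label the remote one."""
    remote, local = remote_verdict(banner), credentialed_verdict(package)
    if remote == local:
        return "agree: " + local
    if remote == "vulnerable":
        return "false positive"
    return "false negative" if local == "vulnerable" else "remote inconclusive"

# Constructed sample hosts: (address, banner seen remotely, installed package)
HOSTS = [
    ("192.0.2.10", "exampled/2.4.6", "2.4.6-3"),    # backported fix
    ("192.0.2.11", "exampled", "2.4.5-1"),          # version hidden in banner
    ("192.0.2.12", "exampled/2.4.10", "2.4.10-1"),  # patched upstream release
    ("192.0.2.13", "exampled/2.4.5", "2.4.5-1"),    # genuinely unpatched
]

if __name__ == "__main__":
    for addr, banner, package in HOSTS:
        print(addr, classify(banner, package))
```

The first host is flagged remotely even though the backported package is patched, and the second is missed remotely because its banner reveals no version; only the credentialed query resolves both.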
Monthly Scanning Service
IIA offers a free monthly scanning service to units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure. This service is an appropriate option for networks that are accessible from campus, or where the scanner can be allowed through a firewall.
The monthly scanning service is free to U-M units, and offers:
- Nessus scans at a time and frequency of your choice
- Use of our tested scan policy, customized to fit your needs
- Scan reports automatically emailed to your choice of contacts at the conclusion of the scan
- Support for PGP/GPG-encrypted scan results
- Assistance from IIA in interpreting scan results, reporting false positives, and troubleshooting scan issues
Units may use the service to scan U-M-owned networks that are reachable from IIA's scanning server. For networks that are not normally reachable due to a firewall, an exception would need to be created for the scanner in order to obtain full visibility of the target network.
Quarterly Vulnerability Scans
IIA conducts quarterly vulnerability scans of the entire network address space registered to the University of Michigan. These scans are included in IT Security Essential, a suite of services provided by IIA to protect university IT resources. The scans come from a scanner positioned outside the university to give units the perspective of what an attacker can see from outside university networks. Detailed vulnerability reports are provided to the identified contact person in a unit (as listed in the ITS Network Information Database—NetInfo) with the expectation that corrective actions will be taken.
Scans for Recent Vulnerabilities
IIA occasionally performs narrowly targeted scans of all campus networks to find high-risk vulnerabilities that pose an imminent threat. When this occurs, an e-mail notification will be sent to network administration lists such as FLN to advise of the scope and timing of the scan.
IIA performs network vulnerability scans using the Nessus vulnerability scanner. When campus-wide scans are performed, every effort will be made to notify network owners in advance. Units that observe unexpected scan traffic may contact firstname.lastname@example.org with the relevant source and target IP addresses to determine whether an IIA scan is the root cause.
Vulnerability Scanning Tools for Units
IIA does not provide licenses to units for specific vulnerability scanners. If a unit would like to perform regular vulnerability scans, we recommend first evaluating the IIA monthly scanning service to see if it will meet those needs.
For units that wish to perform scans of large private networks:
IIA recommends the Nessus vulnerability scanner. The Nessus scanner can be downloaded and installed for free, but requires the purchase of a ProfessionalFeed subscription to obtain access to the plugins that check for vulnerabilities. A one-year subscription is $1,500 and can be purchased through Tenable Network Security.