
NormShield uses Open Source Intelligence (OSINT) to gather information. As seen in the following diagram, the passive scan does not touch the target company's assets. Instead, all required data is found on the internet, including search engine caches, archive[.]org, internet-wide scanners, VirusTotal, PassiveTotal, hacker sites, paste sites, the deep/dark web, etc.



Frequently Asked Questions (FAQ)

Why do we need vulnerability management?:

In order to reduce information security risks, CUIT Security conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. CUIT may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers.

Does this replace the need for vulnerability management strategy?

No. This service identifies the most critical findings but will not identify all vulnerabilities on a network. Additionally, it will not have visibility into vulnerabilities on systems that are not internet accessible.

Which systems/services/applications may be scanned?:

Any assets which are accessible via the Internet and are a part of the Columbia University Network.

When will vulnerability assessments be conducted?:

Scans occur once a month due to the licensing cost of the service. We are limited to one scan a month to keep the cost of the offering minimal.

How can I verify one of the findings has been fixed?:

This will be verified the next time the scan runs and its results are reported to you. We encourage you to use your own vulnerability scanner to check as well!

How can I report a false positive?:

Send an email to cybersec@columbia.edu with the following information:

  • Exemption Type: Business Requirement or False Positive 

  • Asset: Hostnames/ IP Address

  • Vulnerability: RHSA-2015:1330: python security, bug fix, and enhancement update 

  • Remediation Step: Upgrade python

  • Timeframe: It will require 6 months of effort to rewrite the code and move to the latest version of Python (include if the exemption type is Business Requirement)

  • False Positive Notes: Nexpose is reporting on the kernel incorrectly. The vulnerability impacts version Y and the installed version is X. (include if the exemption type is False Positive)

What data is collected and how will it be used?:

Vulnerability scanning and other passive detection capabilities will provide an inventory of vulnerabilities and their related criticalities. The vulnerability assessment processes will not aim to search the content of personal electronic files on the scanned systems unless those files are exposed to the public. In addition, the vulnerability assessment processes should not cause network outages, although system and application administrators may see entries for the scanning activity in their logs.

What Information Security Policies, Strategies, and Standards is this based on?:

CUIT Security's minimum security standards form the basis of this program and require that any system or application in scope be regularly assessed for security vulnerabilities:

Columbia University IT Policies and Strategies

https://cuit.columbia.edu/columbia-it-policies-strategies

Acceptable Usage Information Resources Policy

https://policylibrary.columbia.edu/acceptable-usage-information-resources-policy

Information Security Risk Management Policy

https://policylibrary.columbia.edu/information-security-risk-management-policy

Network Protection Policy

https://policylibrary.columbia.edu/network-protection-policy

Registration and Protection Endpoints Policy

https://policylibrary.columbia.edu/registration-and-protection-endpoints-policy

Registration and Protection Systems Policy

https://policylibrary.columbia.edu/registration-and-protection-systems-policy
My question is not listed here, what do I do next?:

Please email cybersec@columbia.edu with your request or any questions or feedback, indicating your departmental affiliation and security contact email address.