Overview

The CUIT Security Team provides a service that reports on vulnerabilities found on the Columbia University Network. Through this process, the CUIT Security team distributes the results and findings discovered. The scan and the report occur monthly; CUIT Security cannot provide reports between the scheduled scans. The CUIT Security team can only advise on how to resolve findings; we cannot assist with the actual remediation work on the vulnerable system. CUIT Security has developed a page to help with understanding vulnerabilities, or CVEs (Common Vulnerabilities and Exposures). It can be found under the page labeled “Common Vulnerabilities and Exploits (CVE) Lookup”.

Types of findings

The solution looks for vulnerabilities on a system that attackers could exploit. Exploitation of such vulnerabilities could lead to data loss or downtime of the system, and vulnerabilities in systems can jeopardize the integrity of the system.

Scanning Process

NormShield uses what is called Open Source Intelligence (OSINT) to gather information. As seen in the following diagram, a passive scan does not touch the target company's assets. Instead, all required data is found on the internet, including search engine caches, archive[.]org, internet-wide scanners, VirusTotal, PassiveTotal, hacker sites, paste sites, the deep/dark web, etc.

Frequently Asked Questions (FAQ)

Why do we need vulnerability management?

In order to reduce information security risks, CUIT Security conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. CUIT may also scan as needed for vulnerabilities that are known to be under active attack or of particular interest to attackers.

Does this replace the need for a vulnerability management strategy?

No. This service identifies the most critical findings but will not identify all vulnerabilities on a network. Additionally, it has no visibility into vulnerabilities on systems that are not internet accessible.

Which systems/services/applications may be scanned?

Any assets that are accessible via the Internet and are part of the Columbia University Network.

When will vulnerability assessments be conducted?

Scans occur once a month due to the licensing cost of the service. We are limited to one scan a month to keep the costs of the offering minimal.

How can I verify that one of the findings has been fixed?

A fix will be verified the next time the scan runs, and the result will be reported to you. We encourage you to use your own vulnerability scanner to check as well!

How can I report a false positive?

Send an email to cybersec@columbia.edu with the following information 

What data is collected and how will it be used?

Vulnerability scanning and other passive detection capabilities will provide an inventory of vulnerabilities and their related criticalities. The vulnerability assessment processes will not aim to search the content of personal electronic files on the scanned systems unless those files are exposed to the public. In addition, the vulnerability assessment processes should not cause network outages, although system and application administrators may see entries reflecting the scanning activity in their logs.

What Information Security Policies, Strategies, and Standards is this based on?

CUIT Security's minimum security standards form the basis of this program and require that any system or application in scope be regularly assessed for security vulnerabilities:

Columbia University IT Policies and Strategies

https://cuit.columbia.edu/columbia-it-policies-strategies

Acceptable Usage Information Resources Policy

https://policylibrary.columbia.edu/acceptable-usage-information-resources-policy

Information Security Risk Management Policy

https://policylibrary.columbia.edu/information-security-risk-management-policy

Network Protection Policy

https://policylibrary.columbia.edu/network-protection-policy

Registration and Protection Endpoints Policy

https://policylibrary.columbia.edu/registration-and-protection-endpoints-policy

Registration and Protection Systems Policy

https://policylibrary.columbia.edu/registration-and-protection-systems-policy

My question is not listed here. What do I do next?

Please email cybersec@columbia.edu with any questions or feedback.
