Columbia University Vulnerability Management
Overview
The CUIT Security Team provides a service that reports on vulnerabilities found on the Columbia University Network. Through this process the CUIT Security team distributes the results and findings discovered. The scan and the report occur monthly; CUIT Security cannot provide reports between the scheduled scans. The CUIT Security team can only provide advice on how to resolve findings; we cannot assist with the actual work involved on the vulnerable system. CUIT Security has developed a page to assist with understanding vulnerabilities, or CVEs (Common Vulnerabilities and Exposures). It can be found under the page labeled “Common Vulnerabilities and Exploits (CVE) Lookup”.
Types of findings
The service looks for vulnerabilities that attackers could exploit on the system. Exploitation could lead to data loss or downtime of the system, and vulnerabilities in systems can jeopardize the integrity of the system.
Patch Management
The core function of the product is to identify missing patches and updates on systems. A missing patch means the software is out of date and carries a known security flaw which could be used to compromise the system.
Application Security and CDN Security
The findings in this section identify flaws in web application code. Vulnerabilities discovered here could lead to a compromise of a database or defacement of a website. The findings in this section are normally associated with the OWASP Top 10 vulnerabilities, such as Cross-Site Scripting or SQL Injection.
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.
Scanning Process
NormShield uses what is called Open Source Intelligence (OSINT) to gather information. As seen in the following diagram, a passive scan doesn't touch the target company's assets. Instead, all required data is found on the internet, including search engine caches, archive[.]org, internet-wide scanners, VirusTotal, PassiveTotal, hacker sites, paste sites, the deep/dark web, etc.
Frequently Asked Questions (FAQ)
Why do we need vulnerability management?:
In order to reduce information security risks, CUIT Security conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. CUIT may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers.
Does this replace the need for vulnerability management strategy?
No. This service identifies the most critical findings but will not identify all vulnerabilities on a network. Additionally, it has no visibility into vulnerabilities on systems which are not internet accessible.
Which systems/services/applications may be scanned?:
Any assets which are accessible via the Internet and are part of the Columbia University Network.
When will vulnerability assessments be conducted?:
Scans occur once a month due to the licensing cost of the service. We are limited to one scan a month to keep the cost of the offering minimal.
How can I verify one of the findings has been fixed?:
This will be verified the next time the scan runs and is reported to you. We encourage you to use your own vulnerability scanner to check as well!
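As an added illustration (not CUIT's tooling, and not the format of the reports it distributes), the following Python compares two monthly scan exports and tells the system owner which findings disappeared, which persist, and which are new. It also treats a finding as "unverified" rather than "resolved" when the asset has no entries at all in the newer report, because a host that was unreachable during the scan window looks identical to a host that was fixed. The CSV layout, hostnames and rows are constructed assumptions.

```python
"""Compare two monthly vulnerability reports to see which findings were fixed.

Added example: not CUIT's code. The CSV layout (asset, vulnerability,
severity) and every row below are constructed sample data.
"""
import csv
import io
from collections import Counter

# Constructed sample exports: last month's scan and this month's scan.
LAST_MONTH = """asset,vulnerability,severity
web01.example.edu,"RHSA-2015:1330: python security, bug fix, and enhancement update",High
web01.example.edu,SSL certificate expired,Medium
db01.example.edu,Missing vendor OS patch (constructed),Critical
lab02.example.edu,Cross-Site Scripting in search form (constructed),High
"""

THIS_MONTH = """asset,vulnerability,severity
web01.example.edu,"RHSA-2015:1330: python security, bug fix, and enhancement update",High
db01.example.edu,Outdated TLS configuration,Medium
"""


def parse_report(csv_text):
    """Return {(asset, vulnerability): severity} for one monthly report."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["asset"].strip(), row["vulnerability"].strip())
        findings[key] = row["severity"].strip()
    return findings


def compare_reports(previous_csv, current_csv):
    """Classify every finding from the previous report against the current one."""
    prev = parse_report(previous_csv)
    cur = parse_report(current_csv)
    assets_seen_now = {asset for asset, _ in cur}

    resolved, unverified = [], []
    for key in prev:
        if key in cur:
            continue
        # If the asset has no entries at all this month, we cannot tell a fix
        # from a host that was simply unreachable when the scan ran.
        if key[0] in assets_seen_now:
            resolved.append(key)
        else:
            unverified.append(key)

    return {
        "resolved": sorted(resolved),
        "unverified": sorted(unverified),
        "persisting": sorted(k for k in prev if k in cur),
        "new": sorted(k for k in cur if k not in prev),
    }


def finding_status(previous_csv, current_csv, asset, vulnerability):
    """Status of one finding: resolved, unverified, persisting, new, or absent."""
    diff = compare_reports(previous_csv, current_csv)
    key = (asset, vulnerability)
    for status, keys in diff.items():
        if key in keys:
            return status
    return "absent"


def persisting_by_severity(previous_csv, current_csv):
    """Count findings that survived into the current report, by severity."""
    cur = parse_report(current_csv)
    diff = compare_reports(previous_csv, current_csv)
    return Counter(cur[key] for key in diff["persisting"])


if __name__ == "__main__":
    for status, keys in compare_reports(LAST_MONTH, THIS_MONTH).items():
        print(status)
        for asset, vuln in keys:
            print(f"  {asset}: {vuln}")
    print(dict(persisting_by_severity(LAST_MONTH, THIS_MONTH)))
```

Anything in the "unverified" bucket is exactly the case where the FAQ's advice to run your own scanner matters: confirm the host was actually reachable and the issue is gone before closing it out.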
How can I report a false positive?:
Send an email to cybersec@columbia.edu with the following information:
Exemption Type: Business Requirement or False Positive
Asset: Hostnames/ IP Address
Vulnerability: RHSA-2015:1330: python security, bug fix, and enhancement update
Remediation Step: Upgrade python
Timeframe: It will require 6 months of effort to rewrite the code and upgrade to the latest version of python (include if Business Requirement)
False Positive Notes: Nexpose is reporting on the kernel incorrectly. Vulnerability impacts version Y and the installed version is X. (include if False Positive)
What data is collected and how will it be used?:
Vulnerability scanning and other passive detection capabilities provide an inventory of vulnerabilities and their related criticalities. The vulnerability assessment processes do not aim to search the content of personal electronic files on the scanned systems unless they are exposed to the public. In addition, the vulnerability assessment processes should not cause network outages, although system and application administrators may see entries for the activity reflected in their logs.
What Information Security Policies, Strategies, and Standards is this based on?:
CUIT Security's minimum security standards form the basis of this program and require that any system or application in scope be regularly assessed for security vulnerabilities:
Columbia University IT Policies and Strategies
https://cuit.columbia.edu/columbia-it-policies-strategies
Acceptable Usage Information Resources Policy
https://policylibrary.columbia.edu/acceptable-usage-information-resources-policy
Information Security Risk Management Policy
https://policylibrary.columbia.edu/information-security-risk-management-policy
Network Protection Policy
https://policylibrary.columbia.edu/network-protection-policy
Registration and Protection Endpoints Policy
https://policylibrary.columbia.edu/registration-and-protection-endpoints-policy
Registration and Protection Systems Policy
https://policylibrary.columbia.edu/registration-and-protection-systems-policy
My question is not listed here, what do I do next?:
Please email cybersec@columbia.edu with any questions or feedback.