As part of a comprehensive information security program, the campus Security Operations Center (SOC) regularly scans the campus IP address space looking for host systems with vulnerabilities. Vulnerabilities are software or configuration defects that allow an attacker to gain control of a system or disrupt its normal operations.
Critical vulnerabilities are generally those that will let an attacker with network access to a computer completely take control of the system by allowing the attacker to run arbitrary code as at elevated privilege. In IT security circles this is referred to as “pwning” a system. The attacker can use it to steal data, disrupt operations, or use the system as a jumping-off/pivot point to attack other systems behind otherwise closed networks. In this way, a critically vulnerable system puts the entire university at risk.
Vulnerabilities rated as high severity may be more difficult to exploit and may give an attacker less control of a system, but they can severely compromise the system, allow data to be stolen or modified, and disrupt normal operations.
When a vulnerable system is detected, the SOC notifies the administrators of the subnetwork to which the vulnerable system is connected. Their role is to identify the vulnerable system, identify the system owner, and ensure that the vulnerability is removed, usually by patching. They have a responsibility to remove network access to systems based on compromise or known vulnerabilities.
In some situations, vulnerable systems can not be patched or updated. In these situations, a risk acceptance may be requested when alternate mitigation or mitigations have been employed, documented, and accepted by the hosting department or CISO as defined by system policy (IS-3).
A risk acceptance for a critical or high vulnerability on a system may exist for no longer than 12 months, at which point it may be renewed upon confirmation from the hosting department that the same conditions exist as to when the risk acceptance entry was created. Note that these risk acceptance entries do not prevent the system from being scanned by the vulnerability scanner on a regular basis; the risk acceptance entry creates an exception in the reporting of a specific vulnerability on a specific system during the acceptance time period.