Changes to Vulnerability Management - Risk Acceptance Process

Summary

Network or security contacts for a campus subnet and system administrators should read the entire message below as it will impact your role significantly.

Security or network contacts will need to apply for a risk acceptance for systems with vulnerabilities CVSS-rated critical or high if the vulnerabilities cannot be remediated within two weeks of first notice from the SOC. More information is available at www.it.ucsb.edu/vulnerability-management. Systems with vulnerabilities older than two weeks that do not have a risk acceptance are subject to removal from the network beginning July 6, 2020.

Details

The campus Security Operations Center (SOC) regularly scans the campus IP address space looking for host systems with vulnerabilities. Vulnerabilities are software or configuration defects that allow an attacker to gain control of a system or disrupt its normal operations.

Critical vulnerabilities are generally those that will let an attacker with network access to a computer completely take control of the system by allowing the attacker to run arbitrary code at an elevated privilege. In IT security circles this is referred to as “pwning” a system. The attacker can use it to steal data, disrupt operations, or use the system as a jumping-off/pivot point to attack other systems behind otherwise closed networks. In this way, a critically vulnerable system puts other parts of the university at risk.

Vulnerabilities rated as high severity may be more difficult to exploit and may give an attacker less control of a system, but they can severely compromise the system, allow data to be stolen or modified, and disrupt normal operations. A network-based high severity vulnerability can give an attacker a foothold on a system that the attacker can use to elevate privileges using a different vulnerability. Hence they too warrant attention. A recent network scan revealed 452 devices with either critical or high rated vulnerabilities. This is representative of scans over the past several weeks.

When a vulnerable system is detected, the SOC notifies the network contacts of the subnetwork to which the vulnerable system is connected. Their role is to identify the vulnerable system, identify the system owner, and ensure that the vulnerability is removed, usually by patching. They have the responsibility to remove network access to systems based on compromise or known vulnerabilities. Subsequent scans will verify that the vulnerability has been remediated or the vulnerable device removed from the network. 

In some situations, vulnerable systems cannot be patched or updated. In these situations, a risk acceptance may be requested by a network or security contact when one or more alternate mitigations have been employed, documented, and accepted by the hosting department and the CISO. An example of an alternate mitigation is limiting the devices that can connect to the vulnerable system via network access controls or similar methods.

The SOC has developed a process to manage risk acceptance for systems with a critical or high vulnerability (or vulnerabilities). A risk acceptance for a critical or high vulnerability on a system may exist for no longer than 12 months, at which point it may be renewed upon confirmation from the hosting department that the same conditions exist as were present when the risk acceptance entry was created.

Note that these risk acceptance entries do not prevent the system from being scanned by the vulnerability scanner on a regular basis; the risk acceptance entry creates an exception in the reporting of a specific vulnerability on a specific system during the time period that the risk acceptance is in place. Also note that the risk acceptance is for a particular vulnerability on a system, not for the system as a whole. If a system has multiple vulnerabilities that cannot be corrected, they will each need to be listed on the risk acceptance request.

If your system has an existing exception, please use the new process to resubmit your request for risk acceptance. The standard message sent to security and network contacts notifying them of vulnerable systems will be updated to reflect this new process. 

Systems with critical or high vulnerabilities two weeks after notification, and without an approved risk acceptance, are subject to removal from the network through a network block/null-route.

For more information on vulnerability scanning and the vulnerability management risk acceptance process, please see:

The new process will be bootstrapped beginning the week of June 8, 2020. The SOC will issue a report showing all systems with critical and high vulnerabilities and what specific vulnerabilities exist for each. Network administrators or security contacts will have 4 weeks to remediate the systems or request a risk acceptance. For new vulnerabilities identified beginning the following and all subsequent weeks, the time period to remediate a vulnerability or request a risk acceptance will be two weeks.

As part of the bootstrap process, and absent a compelling reason such as exploits for a specific vulnerability being used in the wild, the SOC will not begin proactive removal of vulnerable systems from the network until at least July 6, 2020. In the interim, please review your outstanding tickets to determine the systems for which you should request a risk acceptance.
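The rules above (only critical/high findings count, a risk acceptance applies to one vulnerability on one system and may not exceed 12 months, and a finding older than two weeks with no active acceptance becomes a block candidate) can be checked mechanically. The following is an added illustration, not the SOC's own tooling; the hosts, vulnerability identifiers and dates are constructed, and the severity labels are assumed to come from the scanner's CVSS rating.

```python
from dataclasses import dataclass
from datetime import date

SLA_DAYS = 14              # two weeks from first SOC notice (four weeks during bootstrap)
MAX_ACCEPTANCE_DAYS = 365  # a risk acceptance may exist for no longer than 12 months
ACTIONABLE = {"critical", "high"}  # only these severities drive the process

@dataclass(frozen=True)
class Finding:
    host: str           # system the scanner flagged
    vuln_id: str        # scanner identifier for the vulnerability (hypothetical values)
    severity: str       # CVSS-derived severity label reported by the scanner
    first_notice: date  # date the SOC first notified the network contact

@dataclass(frozen=True)
class RiskAcceptance:
    host: str
    vuln_id: str        # per vulnerability per system, not for the system as a whole
    created: date
    expires: date

def acceptance_active(ra: RiskAcceptance, today: date) -> bool:
    """Active only inside its window and only if it respects the 12-month cap."""
    within_cap = (ra.expires - ra.created).days <= MAX_ACCEPTANCE_DAYS
    return within_cap and ra.created <= today <= ra.expires

def triage(findings, acceptances, today: date, sla_days: int = SLA_DAYS):
    """Split critical/high findings into suppressed, within-SLA and block candidates."""
    active = {(ra.host, ra.vuln_id) for ra in acceptances if acceptance_active(ra, today)}
    result = {"suppressed": [], "within_sla": [], "block_candidates": []}
    for f in findings:
        if f.severity.lower() not in ACTIONABLE:
            continue                              # medium/low are out of scope here
        if (f.host, f.vuln_id) in active:
            result["suppressed"].append(f)        # reporting exception; still scanned
        elif (today - f.first_notice).days > sla_days:
            result["block_candidates"].append(f)  # past two weeks, no acceptance
        else:
            result["within_sla"].append(f)
    return result

# Constructed sample data: hypothetical hosts, vulnerability ids and dates.
TODAY = date(2020, 7, 6)
FINDINGS = [
    Finding("10.0.0.5", "VULN-A", "critical", date(2020, 6, 8)),   # old, accepted
    Finding("10.0.0.5", "VULN-B", "high", date(2020, 6, 8)),       # old, not accepted
    Finding("10.0.0.9", "VULN-A", "critical", date(2020, 6, 29)),  # inside two weeks
    Finding("10.0.0.9", "VULN-C", "medium", date(2020, 6, 1)),     # not in scope
]
ACCEPTANCES = [
    RiskAcceptance("10.0.0.5", "VULN-A", date(2020, 6, 15), date(2021, 6, 14)),
    RiskAcceptance("10.0.0.9", "VULN-A", date(2019, 1, 1), date(2021, 1, 1)),  # over cap
]
```

Passing `sla_days=28` reproduces the four-week bootstrap window; note that the over-cap acceptance is ignored, so its finding is judged purely on age.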

Thanks to our staff for their help remediating vulnerable systems. That help will now extend to helping the University understand the vulnerability risk that we cannot remediate.