Management

Security Assessment Tools

The following tools should be used in combination to conduct security assessments.

  • Rapid 7 Nexpose (RIT Enterprise Licensed by ISO): Unified vulnerability management enterprise solution.
  • Nessus: Network vulnerability scanner.
  • CIS Score: Security Consensus Operational Readiness Evaluation provides various security checklists.
  • Secunia Vulnerability Scanners: Secunia Software Inspectors provide detection and assessment of missing security patches and end-of-life programs.
  • Microsoft Baseline Security Analyzer (MBSA): MBSA helps determine a computer's security state in accordance with Microsoft security recommendations and offers specific remediation guidance.
  • Nipper: Nipper enables network administrators, security professionals and auditors to quickly produce reports on key network infrastructure devices.
  • Scrawlr: HP SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities.
  • Core Impact: Penetration testing software.
  • Qualys: Provides a suite of tools for:
      • Vulnerability Management
      • Policy Compliance
      • PCI Compliance
      • Web Application Scanning
  • NMAP: Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.
  • BidiBlah: The BiDiBLAH utility is a framework that can be used to assist in automating existing vulnerability assessment tools.

Threat Management

In order to reduce information security risks, the RIT Information Security Office (ISO) actively works to identify threat agents that are seeking to exploit vulnerabilities in the environment. This consists of scanning network traffic for threats. For more information, please contact the Information Security Officer.

Current Internet Threats

Vulnerability Management Program at RIT

In order to reduce information security risks, the RIT Information Security Office (ISO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. In addition, the ISO may scan as needed for vulnerabilities that are under attack.

What is RIT scanning for?

The vulnerability assessments will include scans of communication services, operating systems, and applications to identify high-risk system weaknesses that could be exploited by intruders. Exploitation of these weaknesses has the potential to compromise the confidentiality, integrity or availability of RIT information resources.

Which computers may be scanned?

All computers connected to the Institute campus network, including but not limited to those located in the residence halls as well as remote computers accessing the RIT network through VPN may be scanned. The Network Security Standard requires that any system connecting to the network must be scanned regularly for hosts that are vulnerable to remotely exploitable attacks.

What information is obtained and how will it be treated?

Vulnerability scanning will provide an inventory of vulnerabilities and their criticality. This information will be treated as RIT Confidential. The scans will not search the content of personal electronic files on the scanned computers. In addition, the scans should not cause network outages, although systems administrators may see entries reflecting the scans in their logs.

How will critical vulnerabilities be handled?

If critical vulnerabilities are identified, the ISO will work collaboratively with the responsible systems administrator or team to address the vulnerabilities. If the critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan to address them, the ISO will initiate a conversation between the systems administration team and the information steward of that organization. The ISO intends to work collaboratively with systems administration teams and their information stewards to improve the security posture of their organization.

Private Information Management Initiative (PIMI) Overview

The Private Information Management Initiative seeks to identify and reduce the amount of Private Information found on RIT computers and storage devices. Private information is information that is typically used to conduct identity theft and may include Social Security Numbers (SSNs), credit card numbers, driver’s license numbers, bank account information, etc.

Reducing the amount of Private Information (PI) will help safeguard the RIT community against identity theft and will help RIT comply with relevant state and federal laws.

Goals

  1. Increase awareness of the importance of safeguarding all private information, not just SSNs
  2. Increase awareness of the existing RIT policies that address private information
  3. Increase sense of individual accountability and responsibility in the area of policy compliance surrounding private information and a related understanding of the consequences for noncompliance
  4. Effective destruction of non-approved and unnecessarily retained private information (paper and electronic forms) from business units and employee offices
  5. Integration of the Records Management Policy into everyday employee activities

Representation

The RIT Information Security Office is leading this initiative with the assistance of project team representatives from each college and division. The representatives include:

  • An Information Steward/Management Representative who will receive reports detailing the location of Private information and will lead remediation efforts of Private information found in electronic and paper forms.
  • A Technical Representative who will assist in inventorying computers assigned to the respective college or division and will assist the Information Steward/Management Representative in remediation efforts.
  • Current list of representatives

What to Expect

The RIT Information Security Office is working with various RIT organizations to identify the location of SSNs and other Private Information by providing a software tool (Identity Finder) that will scan computers and attached drives to determine if they contain Private information. When Identity Finder finds suspected Private information, it provides a report to the computer user and the RIT Information Security Office. The software also provides the computer user with tools to erase (shred) the information securely or to remove (scrub) the private information from the files.

Scans will be initiated by the Identity Finder server in the Information Security Office. Computer users may also initiate an on-demand scan at their convenience. Identity Finder is licensed for use on RIT-owned computers and is currently available for Windows and Macs.

For More Information

For more information, contact your PIMI representative.

Ben Woelk
PIMI Project Manager
585.475.4122
ben.woelk@rit.edu

Information Security at RIT

Risk Management Framework

RIT has applied a risk management approach to information security. In order to manage information security risks, RIT attempts to:

  • Assess risks to identify and prioritize the greatest information security risks
  • Prevent information losses through policies/standards/guidelines, technical controls, and education/training/awareness
  • Control losses: in the event of a loss, RIT seeks to minimize that loss through incident response, business continuity, and disaster recovery. When it is unclear whether a loss has occurred, RIT will conduct a forensics investigation.
  • Finance losses: in the event of a loss, RIT seeks to protect the RIT community from harm through risk management and insurance practices.
  • Evaluate: RIT regularly evaluates information security through information security reviews and audits.

Step 1: Risk Assessment

Information security risk is created by the confluence of three major drivers: assets, vulnerabilities, and threats. In order to understand information security risk, it is necessary to understand the current and future state of each of these elements. In order to minimize risk, it is necessary to manage assets, vulnerabilities, and threats through formalized programs.

Step 2: Loss Prevention

Step 3: Loss Control

Loss Control is accomplished through initiatives in the following areas:

Step 4: Loss Financing

Loss Financing transfers risks to third parties through:

  • Contracts
  • Insurance
  • Self-Insurance

Step 5: Evaluation

Evaluation is provided through:

  • An exception process to manage Residual Risk
  • Metrics and reporting
  • Audit support

Structure and Resources

Distributed roles and responsibilities

  • Extended Team
  • PIMI Business and Technical Reps
  • System and application administrators
  • End users

Co-op Program

  • 2 engineering co-ops plus part time
  • 1 communications co-op
For more information, contact us at infosec@rit.edu