Vulnerability

Security Assessment Tools

The following tools should be used in combination to conduct security assessments.

  • Rapid7 Nexpose (RIT enterprise license held by the ISO): unified vulnerability management enterprise solution.
  • Nessus: network vulnerability scanner.
  • CIS SCORE (Security Consensus Operational Readiness Evaluation): provides various security checklists.
  • Secunia vulnerability scanners: the Secunia Software Inspectors detect and assess missing security patches and end-of-life programs.
  • Microsoft Baseline Security Analyzer (MBSA): determines the security state of Windows systems against Microsoft security recommendations and offers specific remediation guidance.
  • Nipper: lets network administrators, security professionals and auditors quickly produce reports on key network infrastructure devices.
  • Scrawlr: HP's SQL injector and crawler. Scrawlr crawls a website while analyzing the parameters of each page for SQL injection vulnerabilities.
  • Core Impact: penetration testing software.
  • Qualys: provides a suite of tools for:
    • Vulnerability Management
    • Policy Compliance
    • PCI Compliance
    • Web Application Scanning
  • Nmap ("Network Mapper"): a free and open source utility for network exploration or security auditing.
  • BiDiBLAH: a framework that assists in automating existing vulnerability assessment tools.


Server Security Standard

The Server Standard provides requirements for server configuration and use at RIT.

A list of ISO-approved security assessment tools, HIPS programs, secure protocols, and a sample trespassing banner can be found in Technical Resources.

What does the standard apply to?

All servers (including production, training, test, and development) and the operating systems, applications, and databases running on them, as defined by this standard.

The standard does not apply to individual student-owned servers or faculty-assigned student servers for projects; however, administrators of these servers are encouraged to meet the Server Standard.

Recommended Strong Authentication Practices

The RIT Information Security Office recommends that all systems requiring strong authentication

  • comply with RIT's password and authentication standard (REQUIRED)
  • use a complex password of 12 or more characters; fifteen or more characters are preferred.
  • use multi-factor authentication such as:
    • tokens
    • smart cards
    • soft tokens
    • certificate-based authentication (PKI)
    • one-time passwords (OTP)
    • challenge / response systems
    • biometrics

Approved Vulnerability Scanners

Nessus, Nexpose, and Nmap are approved for scanning servers at RIT. For information on the scanning conducted by the RIT Information Security Office, see the Vulnerability Management Program at RIT.

Approved Encryption Methods

See Encryption at RIT for approved encryption methods.


Vulnerability Management Program at RIT

In order to reduce information security risks, the RIT Information Security Office (ISO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. In addition, the ISO may scan as needed for vulnerabilities that are under attack.

What is RIT scanning for?

The vulnerability assessments include scans of communication services, operating systems, and applications to identify high-risk system weaknesses that could be exploited by intruders. If exploited, such weaknesses could compromise the confidentiality, integrity or availability of RIT information resources.

Which computers may be scanned?

All computers connected to the Institute campus network, including but not limited to those located in the residence halls, as well as remote computers accessing the RIT network through VPN, may be scanned. The Network Security Standard requires regular scanning of any system connected to the network to identify hosts that are vulnerable to remotely exploitable attacks.

What information is obtained and how will it be treated?

Vulnerability scanning provides an inventory of vulnerabilities and their criticality. This information is treated as RIT Confidential. The scans do not search the content of personal electronic files on the scanned computers. The scans should not cause network outages, although systems administrators may see the scans reflected as entries in their logs.
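A port scan leaves a recognisable trace in host firewall logs: one source address probing many destination ports in a short span. The following is an added example, not RIT ISO code, of the detection logic an administrator can run over such entries to tell the ISO's scheduled scan apart from an unknown scanner. The log lines are constructed samples in the Linux iptables LOG format, the scanner address (192.0.2.10, a TEST-NET address) stands in for whatever address the ISO actually scans from, and the window and port threshold are assumed tuning values.

```python
"""Recognise port-scan activity in iptables LOG lines and separate an expected
scanner source from one that needs investigation.

Added example, not RIT ISO code. Log lines are constructed samples; the
known-scanner address, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed: address the ISO's scanner is known to scan from (fictional, TEST-NET-1).
KNOWN_SCANNERS = {"192.0.2.10"}
# Assumed thresholds: this many distinct destination ports from one source
# within this many seconds counts as a scan.
WINDOW_SECONDS = 60
PORT_THRESHOLD = 5

# Constructed sample of host-firewall drop entries (syslog + iptables LOG format).
SAMPLE_LOG = """\
Mar  4 10:15:00 web01 kernel: [1001.0] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  4 10:15:00 web01 kernel: [1001.1] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  4 10:15:01 web01 kernel: [1001.2] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=40003 DPT=25 SYN
Mar  4 10:15:01 web01 kernel: [1001.3] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=40004 DPT=110 SYN
Mar  4 10:15:02 web01 kernel: [1001.4] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=40005 DPT=143 SYN
Mar  4 10:15:02 web01 kernel: [1001.5] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=40006 DPT=3306 SYN
Mar  4 10:15:30 web01 kernel: [1029.0] FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=51000 DPT=8080 SYN
Mar  4 10:16:40 web01 kernel: [1099.0] FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=60001 DPT=22 SYN
Mar  4 10:16:41 web01 kernel: [1100.0] FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=60002 DPT=445 SYN
Mar  4 10:16:41 web01 kernel: [1100.1] FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=60003 DPT=3389 SYN
Mar  4 10:16:42 web01 kernel: [1101.0] FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=60004 DPT=5900 SYN
Mar  4 10:16:42 web01 kernel: [1101.1] FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=60005 DPT=1433 SYN
Mar  4 10:20:00 web01 kernel: [1300.0] FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 LEN=44 PROTO=TCP SPT=60006 DPT=8443 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_events(log_text, year=2024):
    """Return [(timestamp, src, dst_port)] for lines in the iptables LOG format.
    Syslog timestamps carry no year, so one is supplied (assumed)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return events


def find_scanners(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {src: max_distinct_ports} for sources that probed at least
    `threshold` distinct destination ports inside any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        best = 0
        # Quadratic sliding window: fine for host logs, index by time for a SIEM.
        for i, (t_end, _) in enumerate(probes):
            recent = {p for t, p in probes[:i + 1] if (t_end - t).total_seconds() <= window}
            best = max(best, len(recent))
        if best >= threshold:
            flagged[src] = best
    return flagged


def classify(flagged, known=KNOWN_SCANNERS):
    """Label each flagged source: the ISO's scanner is expected, anything else is not."""
    return {src: ("expected-iso-scan" if src in known else "investigate") for src in flagged}


if __name__ == "__main__":
    hits = find_scanners(parse_events(SAMPLE_LOG))
    for src, label in classify(hits).items():
        print(f"{src}: {hits[src]} distinct ports in {WINDOW_SECONDS}s -> {label}")
```

In the sample, the known scanner and the unknown 198.51.100.7 both cross the threshold while the single probe from 203.0.113.5 does not; only the unknown source is labelled for follow-up. The scanner allowlist is the piece worth confirming with the ISO rather than guessing, since an attacker can spoof or hide behind an address that is not checked.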

How will critical vulnerabilities be handled?

If critical vulnerabilities are identified, the ISO will work with the responsible systems administrator or team to address them. If the critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan to address them, the ISO will initiate a conversation between the systems administration team and the information steward of that organization. The ISO intends to work collaboratively with systems administration teams and their information stewards to improve the security posture of their organization.
