UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for continuous vulnerability assessment and remediation.
Resource Custodians must implement authenticated scans for vulnerability assessment for core systems. Campus-provided scanning resources and campus-licensed software may be implemented to meet this requirement.
Attackers can discover and compromise covered data on devices that are not secured against vulnerabilities.
An authenticated scan is an essential tool to obtain accurate vulnerability information on covered devices by authenticating to scanned devices to obtain detailed and accurate information about the operating system and installed software, including configuration issues and missing security patches. The additional details provided by an authenticated scan allows resource proprietors and resource custodians to better mitigate risks on covered data and reduce the likelihood of successful attacks against covered devices. To ensure timely discovery of vulnerabilities on covered devices, authenticated scans should be executed at least once a month on covered devices, which include sysadmin and core devices. For additional guidance on managing vulnerability scanning programs such as remediation and scan metrics, please refer to Continuous Vulnerability Assessment and Remediation Guidelines.
The effectiveness of an authenticated scan often hinges on access to administrative credentials on covered devices. This requires adequate planning to addresses risks associated with handling and storing administrative credentials. The following practices should be carefully considered when implementing an authenticated scan program to mitigate such risks :
- Rather than using an existing user account, create a temporary operating system user account dedicated to executing authenticated scans to allow for more granular control. The temporary user account, which we will call scanner-account, must have administrative access to all covered devices to be scanned. For Unix based devices, scanner-account may need to be set up separately on each device to be scanned.
- Confirm that the scanner-account is able to authenticate to all the covered devices as expected.
- Do not use clear-text authentication protocols, such as telnet.
- Consider man-on-the middle attacks that might expose the scanner-account’s credentials. For instance, an attacker might set up an internal SSH server to which the scanner will authenticate and give up the username and password.
- Disable the scanner-account once the authenticated scan is completed. Keeping the scanner-account enabled only for the duration of the periodic authenticated scan will reduce the likelihood that scanner-account will be exploited for malicious purposes.
- Automate the tasks of enabling/disabling the scanner-account via scheduled scripts in between periodic authenticated scans.
- Restrict the host/ip address from which the scanner-account can be used. For example, when scanning Unix devices, only allow the scanner-account to login from the scanner's IP address. (Scanner being the server running the vulnerability scanner software.)
Authenticated Scan Software
- NIST Patch and Vulnerability Management Program Guidelines, http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf