Information Security Office (ISO) primarily uses Tenable.sc(link is external) for network service vulnerability scanning. The Tenable scanners are generally run with a default configuration, including all "safe" checks (non-intrusive, unauthenticated, no printer scanning) available through Tenable's "ProfessionalFeed" service.
All scanning is initiated from the ISO scanning subnet, from IP addresses with DNS hostnames in the "security.berkeley.edu" subdomain. All scanners have hostnames that reflect their role, such as "sns-campus-scanner-1.security.berkeley.edu." If you detect scanning activity and are unsure if our scanner is the source, contact security-scanning@berkeley.edu(link sends e-mail) for verification.
Descriptions of current vulnerability scanning services:
Our network sensors passively monitor network traffic at the campus border. We use these sensors to determine when a campus IP address is online and using the network, then our network scanners attempt to determine if the host firewall is open to scanning. If so, we run a full Tenable scan of the host. The host IP address is then added to a list so it is not scanned again for at least one week. These scans run 24/7. However, scanning may be suspended without notice for periods of time due to staffing or operational issues.
To find additional hosts that do not communicate through the campus border we periodically run linear scans of all campus subnets, including scanning of the campus-routed RFC1918 IP addresses. The linear scans jobs generally reach a specific host no more than 1-2 times per month. If the host is online a full Tenable scan will be run, and hosts that are offline will not be scanned until the next cycle. Some campus subnets are scanned at a slower rate due to the presence of web services that are sensitive to normal scanning. These scans run 24/7. However, scanning may be suspended without notice for periods of time due to staffing or operational issues.
All IP addresses registered as containing sensitive data are scanned once daily with a full Tenable scan. The scan job begins at 10:00 pm nightly, including weekends, and takes approximately three to four hours to complete. A day scan window for protected data managed hosts, beginning at 10:00 am, is also available upon request.
We may launch additional scans of the campus network to look for specific vulnerabilities in response to new or serious threats. For example, if our sensors detect a significant number of attempts to exploit a vulnerable service, we may scan the campus for all instances of that service so administrators can take action before the host is compromised. These scans are run as needed and generally without prior notice, provided the scan job is lightweight and non-intrusive.
Departmental Security Contacts may request an account with the Tenable service so that administrators within the department can launch on-demand scan jobs of their IPs/subnets. These Departmental accounts are provisioned to include network assets registered to a specific Security Contact in the Socreg
registration app.
The ISO department subscribes to the Dorkbot Web App Scanning service provided by the University of Texas at Austin, Information Security Office. Dorkbot (https://security.utexas.edu/dorkbot(link is external)) hunts for SQL injection (SQLi), cross-site scripting (XSS), remote/local file inclusion, and other less common vulnerabilities, leveraging search engine cache and other public sources of indexed sites in the berkeley.edu domain. The scans from Dorkbot are designed to be low and slow and usually will not cause an operational impact. If you experience any performance problems as a result of these scans, please contact the provider (security@utexas.edu(link sends e-mail)) and request that your system be whitelisted. The Dorkbot scans will always source from 146.6.15.11 (autoscan.infosec.utexas.edu).
If you believe any ISO scanning activity is causing an operational problem with a campus device or service, please contact security-scanning@berkeley.edu(link sends e-mail). If the issue is urgent, follow the instructions in the confirmation notice to escalate the ticket priority and our staff will respond immediately. Please include any log data you have in your ticket, including the originating IPs, target IPs, and timestamps, as well as a description of the operational impact (service disruption, excessive load, etc.) Firewall alerts and "log noise" from scanning are to be expected and need not be reported.
While all our network scanning is designed to be non-intrusive, some scans may disrupt a service that is not patched or improperly configured. When reporting a possible scanning issue, make sure that the device/service is compliant with the campus Minimum Security Standards. If you cannot bring the device/service into compliance within 30 days, file an Minimum Security Standards Exception Request. Firewall rules can be used to temporarily block scanners while the service is brought into compliance.
Back to Campus-wide Network Vulnerability Scanning or Departmental Network Vulnerability Scanning
