UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information (MSSEI) for devices handling Institutional Information. The recommendations below are provided as additional guidance for MSSEI requirement 9.3, Privileged Scan.
MSSEI Requirement 9.3 Privileged Scan:
Units must implement privileged scans for vulnerability assessment of high-risk P3, P4, and A4 IT Infrastructure and Individual Devices. Campus-provided scanning resources and campus-licensed software may be implemented for these scans.
- See the Authenticated Scan Guideline (this document) for details.
- For A4 devices, scanning a copy or hot standby of the system instead of the actual production system is acceptable to reduce the risk to the availability of the system.
Description of Risk
Attackers can discover and compromise covered data on devices that are not secured against vulnerabilities.
Recommendations
An authenticated scan (one run on the device itself) is an essential tool for obtaining accurate vulnerability information about the operating system and installed software on covered devices, including configuration issues and missing security patches. The additional detail provided by an authenticated scan allows IT Resource Proprietors and Service Providers to better mitigate risks to covered data and reduce the likelihood of successful attacks against covered devices. To ensure timely discovery of vulnerabilities, authenticated scans should be executed at least once a month on covered devices, that is, high-risk P3, P4, and A4 IT Infrastructure and Individual Devices. For additional guidance on managing a vulnerability scanning program, such as remediation and scan metrics, please refer to the Continuous Vulnerability Assessment and Remediation Guidelines.
The recommended method for running authenticated scans against covered devices is to use the campus-provided Nessus Agent.
Nessus Agent
The Nessus Agent is provided to administrators of Unix and Windows servers. The Agent is installed on each server, and a scan is then configured with the assistance of the Nessus administrators.
If you do not yet have a Nessus account, email security-scanning@berkeley.edu with your request for a departmental Nessus scanner account, indicating your departmental affiliation and security contact email address. Once you have an account, request the latest version of the Agent, as well as configuration details, to set up Nessus scans.
Credentialed Scans
In cases where the Nessus Agent cannot be installed on a server, it is possible to run scans that log in to an account with administrator-level privileges in order to gain detailed information on software and configurations present on the server. This is not currently recommended. Please contact security-scanning@berkeley.edu for further information.