Details of the ISP vulnerability scanning programs

Information Security and Policy (ISP) uses two products for vulnerability scanning: Nessus for network service vulnerability scanning and AppScan for application scanning. The Nessus scanners are generally run with a default Nessus configuration, including all "safe" checks (non-intrusive, unauthenticated, no printer scanning) available through Tenable's "ProfessionalFeed" service.

All ISP scanning is initiated from the ISP scanning subnet, from IP addresses with DNS hostnames in the "security.berkeley.edu" subdomain. All ISP scanners have hostnames that reflect their role, such as "sns-campus-scanner-1.security.berkeley.edu". If you detect scanning activity and are unsure if an ISP scanner is the source, please contact security@berkeley.edu for verification.
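For a first-pass triage of a scan source seen in local logs, the hostname convention above can be checked with forward-confirmed reverse DNS. This is an added example, not ISP tooling; the function and verdict names are assumptions, and only the "security.berkeley.edu" suffix comes from this page.

```python
import ipaddress
import socket

SCANNER_SUFFIX = ".security.berkeley.edu"  # subdomain named on this page


def _ptr(ip):
    """Reverse (PTR) lookup; returns the hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _forward(name):
    """Forward lookup; returns the set of addresses for name."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_source(ip, ptr=_ptr, forward=_forward):
    """Return (verdict, hostname) for a source IP seen in scan logs.

    The verdict is "isp-scanner" only when the PTR name is under
    SCANNER_SUFFIX AND that name resolves back to the same IP. A PTR
    record alone is not proof, because whoever controls the reverse zone
    of an address block can publish any name they like.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    name = ptr(str(addr))
    if not name:
        return ("no-ptr", None)
    name = name.rstrip(".").lower()
    # The leading dot in the suffix rejects look-alikes such as
    # "evilsecurity.berkeley.edu".
    if not name.endswith(SCANNER_SUFFIX):
        return ("other", name)
    resolved = {ipaddress.ip_address(a) for a in forward(name)}
    if addr in resolved:
        return ("isp-scanner", name)
    return ("ptr-mismatch", name)
```

The `ptr` and `forward` parameters exist so the check can be exercised against recorded lookups; a "ptr-mismatch" or "other" result is the case to send to security@berkeley.edu for verification.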

Descriptions of current ISP vulnerability scanning services:

  • Scanning of online hosts
    The ISP network sensors passively monitor network traffic at the campus border. We use these sensors to determine when a campus IP address is online and using the network, then our network scanners attempt to determine if the host firewall is open to scanning. If so, we run a full Nessus scan of the host. The host IP address is then added to a list so it is not scanned again for at least one week. These scans run 24/7; however, scanning may be suspended without notice for periods of time due to staffing or operational issues.

  • Linear scans of the campus network
    In order to find additional hosts that do not communicate through the campus border, ISP runs periodic linear scans of all campus subnets, including scanning of the campus-routed RFC1918 IP addresses. The linear scan jobs will generally reach a specific host no more than 1-2 times per month. If the host is online, a full Nessus scan will be run; hosts that are offline will not be scanned until the next cycle. Some campus subnets are scanned at a slower rate due to the presence of web services that are sensitive to normal scanning. These scans run 24/7; however, scanning may be suspended without notice for periods of time due to staffing or operational issues.
  • Sensitive data host scanning
    All IP addresses registered as containing sensitive data are scanned once daily with a full Nessus scan. The scan job begins at 10pm nightly, including weekends, and takes approximately 3-4 hours to complete. A day scan window for RDM hosts, beginning at 10am, is also available upon request.
  • Specialty scans for specific vulnerabilities
    ISP may launch additional scans of the campus network to look for specific vulnerabilities in response to new or serious threats. For example, if our sensors detect a significant number of attempts to exploit a vulnerable service, we may scan the campus for all instances of that service so administrators can take action before the host is compromised. These scans are run as needed and generally without prior notice, provided the scan job is lightweight and non-intrusive.
  • Departmental scanning service
    Departmental security contacts may request an account with the ISP Nessus service, so that administrators within the department can launch on-demand scan jobs of their IPs/subnets. Security contacts with these accounts can also request a weekly scan of their IPs/subnets, with results delivered as an encrypted email report. These weekly scan jobs are run at different days and times, as requested by the department security contact.
  • Application scanning
    In addition to Nessus scanning, ISP operates an IBM AppScan application vulnerability scanner. This scanner targets web-based applications and checks for application layer vulnerabilities that may lead to system compromise, defacement, or unauthorized access to data. Due to the intrusive nature of application scanning, the scans are performed in coordination with developers and technical staff within the department, and target development environments whenever available.

If you believe any ISP scanning activity is causing an operational problem with a campus device or service, please contact security@berkeley.edu. If the issue is urgent, follow the instructions in the confirmation notice to escalate the ticket priority and ISP staff will respond immediately. Please include any log data you have in your ticket, including the originating IPs, target IPs, and timestamps, as well as a description of the operational impact (service disruption, excessive load, etc.). Firewall alerts and "log noise" from scanning are to be expected and need not be reported.

While all ISP network scanning is designed to be non-intrusive, some scans may disrupt a service that is unpatched or improperly configured. When reporting a possible scanning issue to ISP, make sure that the device/service is compliant with campus Minimum Security Standards. If you cannot bring the device/service into compliance within 30 days, file an MSS Exception Request. Firewall rules can be used to temporarily block ISP scanners while the service is brought into compliance.

