Information Security Office (ISO) primarily uses Tenable.sc for network service vulnerability scanning. The Tenable scanners are generally run with a default configuration, including all "safe" checks (non-intrusive, unauthenticated, no printer scanning) available through Tenable's "ProfessionalFeed" service.
All scanning is initiated from the ISO scanning subnet, from IP addresses with DNS hostnames in the "security.berkeley.edu" subdomain. All scanners have hostnames that reflect their role, such as "sns-campus-scanner-1.security.berkeley.edu." If you detect scanning activity and are unsure if our scanner is the source, contact firstname.lastname@example.org for verification.
Descriptions of current vulnerability scanning services:
Scanning of online hosts
Our network sensors passively monitor network traffic at the campus border. We use these sensors to determine when a campus IP address is online and using the network, then our network scanners attempt to determine if the host firewall is open to scanning. If so, we run a full Tenable scan of the host. The host IP address is then added to a list so it is not scanned again for at least one week. These scans run 24/7. However, scanning may be suspended without notice for periods of time due to staffing or operational issues.
Linear scans of the campus network
To find additional hosts that do not communicate through the campus border we periodically run linear scans of all campus subnets, including scanning of the campus-routed RFC1918 IP addresses. The linear scan jobs generally reach a specific host no more than 1-2 times per month. If the host is online a full Tenable scan will be run, and hosts that are offline will not be scanned until the next cycle. Some campus subnets are scanned at a slower rate due to the presence of web services that are sensitive to normal scanning. These scans run 24/7. However, scanning may be suspended without notice for periods of time due to staffing or operational issues.
Sensitive data host scanning
All IP addresses registered as containing sensitive data are scanned once daily with a full Tenable scan. The scan job begins at 10:00 pm nightly, including weekends, and takes approximately three to four hours to complete. A day scan window for protected data managed hosts, beginning at 10:00 am, is also available upon request.
Specialty scans for specific vulnerabilities
We may launch additional scans of the campus network to look for specific vulnerabilities in response to new or serious threats. For example, if our sensors detect a significant number of attempts to exploit a vulnerable service, we may scan the campus for all instances of that service so administrators can take action before the host is compromised. These scans are run as needed and generally without prior notice, provided the scan job is lightweight and non-intrusive.
Departmental scanning service
Departmental Security Contacts may request an account with the Tenable service so that administrators within the department can launch on-demand scan jobs of their IPs/subnets. These Departmental accounts are provisioned to include network assets registered to a specific Security Contact in the Socreg
Dorkbot Web App Scanning
The ISO department subscribes to the Dorkbot Web App Scanning service provided by the University of Texas at Austin, Information Security Office. Dorkbot (https://security.utexas.edu/dorkbot) hunts for SQL injection (SQLi), cross-site scripting (XSS), remote/local file inclusion, and other less common vulnerabilities, leveraging search engine cache and other public sources of indexed sites in the berkeley.edu domain. The scans from Dorkbot are designed to be low and slow and usually will not cause an operational impact. If you experience any performance problems as a result of these scans, please contact the provider (email@example.com) and request that your system be whitelisted. The Dorkbot scans will always source from 18.104.22.168 (autoscan.infosec.utexas.edu).
If you believe any ISO scanning activity is causing an operational problem with a campus device or service, please contact firstname.lastname@example.org. If the issue is urgent, follow the instructions in the confirmation notice to escalate the ticket priority and our staff will respond immediately. Please include any log data you have in your ticket, including the originating IPs, target IPs, and timestamps, as well as a description of the operational impact (service disruption, excessive load, etc.). Firewall alerts and "log noise" from scanning are to be expected and need not be reported.
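As an added example (not part of this page or of ISO's tooling), the following Python triage takes firewall log lines, groups them by source, checks each source's reverse name against the scanner naming described above (hostnames under security.berkeley.edu, or autoscan.infosec.utexas.edu for Dorkbot), and collects the originating IP, target IPs, ports and first/last timestamps a ticket should contain. The log lines and the PTR table are constructed stand-ins; a real check would resolve the PTR and then forward-confirm it.

```python
import re

# Constructed firewall log lines (not real campus data), syslog-like format.
SAMPLE_LOGS = """\
2024-03-04T22:05:11Z DROP src=10.20.30.40 dst=10.0.5.17 dpt=445 proto=tcp
2024-03-04T22:05:12Z DROP src=10.20.30.40 dst=10.0.5.17 dpt=3389 proto=tcp
2024-03-04T22:06:40Z DROP src=18.104.22.168 dst=10.0.5.80 dpt=443 proto=tcp
2024-03-04T22:07:02Z DROP src=203.0.113.9 dst=10.0.5.17 dpt=22 proto=tcp
2024-03-04T22:07:05Z DROP src=203.0.113.9 dst=10.0.5.18 dpt=22 proto=tcp
"""

# Constructed PTR answers standing in for live DNS. A reverse name alone can be
# set by whoever controls the reverse zone, so a real check must also resolve
# the name forward and confirm it points back at the same IP.
PTR_TABLE = {
    "10.20.30.40": "sns-campus-scanner-1.security.berkeley.edu",
    "18.104.22.168": "autoscan.infosec.utexas.edu",
}
ISO_SCANNER_DOMAINS = ("security.berkeley.edu",)
DORKBOT_HOSTS = ("autoscan.infosec.utexas.edu",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)"
)


def classify_source(ip, ptr_table=PTR_TABLE):
    """Return 'iso-scanner', 'dorkbot' or 'unknown' from the reverse name."""
    name = ptr_table.get(ip, "").lower().rstrip(".")
    if name in DORKBOT_HOSTS:
        return "dorkbot"
    # Require a label boundary so "evilsecurity.berkeley.edu" does not match.
    if any(name == d or name.endswith("." + d) for d in ISO_SCANNER_DOMAINS):
        return "iso-scanner"
    return "unknown"


def triage(log_text, ptr_table=PTR_TABLE):
    """Group events by source IP and gather the fields a ticket should carry."""
    by_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not firewall events
        rec = by_src.setdefault(m["src"], {"targets": set(), "ports": set(),
                                           "first": None, "last": None, "events": 0})
        ts = m["ts"]  # ISO 8601 strings compare correctly as text
        rec["targets"].add(m["dst"])
        rec["ports"].add(int(m["dpt"]))
        rec["events"] += 1
        rec["first"] = ts if rec["first"] is None or ts < rec["first"] else rec["first"]
        rec["last"] = ts if rec["last"] is None or ts > rec["last"] else rec["last"]
    for ip, rec in by_src.items():
        rec["ptr"] = ptr_table.get(ip)
        rec["source"] = classify_source(ip, ptr_table)
    return by_src
```

Sources classified as "unknown" are the ones worth a closer look; the ISO and Dorkbot entries are the expected "log noise" the page says need not be reported.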
While all our network scanning is designed to be non-intrusive, some scans may disrupt a service that is not patched or improperly configured. When reporting a possible scanning issue, make sure that the device/service is compliant with the campus Minimum Security Standards. If you cannot bring the device/service into compliance within 30 days, file an MSS Exception Request. Firewall rules can be used to temporarily block scanners while the service is brought into compliance.