Vulnerability Scanning and Blocking of Unremediated Systems

Vulnerability management is the process of discovering and remediating or mitigating security weaknesses in the U-M computing environment. ITS Information Assurance (IA) provides units access to Tenable Vulnerability Management and the Tenable agent, which empower units to:

  • Create, edit, and run Tenable scans.
  • Specify unique group parameters for system scanning (e.g., MyCampusUnit Windows Servers, MyCampusUnit Linux Servers, MyCampusUnit Workstations).
  • View and analyze results from their scans.
  • Obtain a high-level or granular view of scan results.
  • Control who in their unit has access to Tenable scan results.

While Tenable provides proactive detection of vulnerabilities on U-M systems, it is essential that units take action to remediate vulnerabilities that are found during scanning in a timely manner. They should patch or remediate a vulnerability as soon as they are aware of it.

The U-M IT standard for Vulnerability Management (DS-21) spells out the timelines that units are expected to meet when addressing vulnerabilities on their systems. It provides timeframes for expected remediation of vulnerabilities rated as high (7-8.9) and critical (9-10) on the NIST Common Vulnerability Scoring System (CVSS). Systems with high or critical vulnerabilities that are not addressed in the timeframe set in the standard are subject to being blocked from access to the U-M network.

To that end, IA has begun to block systems with the most critical vulnerabilities that have not been remediated within the appropriate time period. In this case, IA will notify the SUL and IT director of a unit when a system in their unit:

  • Is open to the internet.
  • Has one or more vulnerabilities with a score of 10 on the CVSS.
  • Vulnerabilities have gone more than 120 days without patching or mitigation.

IA can provide assistance with enrolling in or using Tenable, or with addressing vulnerabilities found during scanning. For help, please submit a service ticket and mention vulnerability scanning.