Main menu (IT)

Vulnerability Management

Definition

A vulnerability is a security weakness that can be exploited. Vulnerability management is a process by which an organization identifies, classifies, prioritizes, and remediates vulnerabilities. The CSUN Information Security (IS) team performs vulnerability scans on CSUN’s servers and websites so the owners are made aware of any critical vulnerabilities that need to be remediated in a timely manner.

Website/Server Owner Responsibility

The website or server owners do not run the vulnerability scan. The owners are responsible for informing and requesting a vulnerability scan from the IS team when a new website or server is in process of deployment. Most importantly, the owners are responsible for patching and remediating any outstanding vulnerabilities.

Once the website or server is patched, the owner must request another scan to the IS team to ensure that the patches were appropriately installed. The website or server must not have any Urgent, Critical, or High vulnerabilities in order to be approved.

Information Security Responsibility

The IS team is responsible for running the scans, prioritizing the vulnerabilities, and providing scan report to the owners. The IS team monitors the compliance of the websites and servers, and may ask to remove the website or server from the network, if the vulnerabilities are not remediated in a timely manner.

When CSUN is notified of a critical patch released to fix a vulnerability, the Information Security Office will notify all affected owners of the necessity to implement the patch or remove the website/server from the network until the relevant patch is applied.

When to Scan?

Vulnerability scans must be performed:

  • Monthly
  • Before moving any new website, web application, or server into production. If your website is developed using CSUN’s Web-One template and published in Web-One infrastructure, a vulnerability assessment is not required.
  • Before moving any major upgrades and changes to the websites and servers in the production environment.

Vulnerability Management Process 

Vulnerability Management Process.

Request: Campus website and server owner will contact Information Security (IS) to perform a vulnerability scan by submitting a ticket to either Helpdesk or Information Security Dispatcher. Per CSU and CSUN policy, campus website and server owners must notify IS team of any major upgrade or change before migrating to the production. The IS team will need to run a vulnerability scan.

Scanning: The IS team does not run a vulnerability scan without the express permission of the server or website owner. Owners must provide IS team credentials to run an authenticated scan. An authenticated scan performs a deep vulnerability scan instead of surface scan. Many critical vulnerabilities are not identified with the surface scan. The IS team will make an effort to pick a date and time that is convenient with the server or website owner to run the scan.

Reporting: Upon completion of the scan, the IS team will share a report with the findings for review and mitigation. The report is shared only with the server or website owner via myCSUNbox folder.

Mitigation: The campus website and server owner must review the vulnerability scan report and remediate vulnerabilities in the timeframe listed below. If the website or server vulnerabilities are not addressed in the reference time below and continue to remain non-compliant, the website or server will be taken off the network.

Vulnerability Remediation Timeframe.

Vulnerability Remediation Timeframe (,pdf)   

Top 5 Website and Server Vulnerabilities

Website and Web Applications

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control

Servers

 Operating System
Windows based OSNIX based OS
  1. Remote code execution
  2. Unsupported Operating Systems
  3. Flawed or outdated third-party software
  4. Misconfigured servers
  5. Weak encryption
  1. Script kiddies on services with Web-based Interface 
  2. PHP Web applications misconfigurations (all top windows vulnerabilities apply here)
  3. Secure Shell(SSH)
  4. BIND Domain Name System
  5. Java

Related CSUN Policies and Standards