Proactive Vulnerability Management
The Vulnerability Management Program helps IT system owners scan their resources and prioritize security fixes.
University IT systems and networks constantly face the threat of malicious actors attempting to breach them. The staff and faculty responsible for managing these systems must ensure that software and systems are regularly patched and kept current to prevent security vulnerabilities. Besides being a best security practice, this is also mandated by the university’s Vulnerability and Patch Management Policy.
The Information Security Office’s Vulnerability Management Program (VMP) assists system owners in establishing their vulnerability scanning. The VMP team provides the scanning platform necessary for discovery, vulnerability, and web application scans to ensure policy compliance. They also offer consulting to support service owners. VMP team members James Fierro and Sean Engelsen help resource owners understand the scanning process and how results lead to meaningful security improvements. James says, “Our goal is to make vulnerability management approachable and actionable, not overwhelming.”
The team’s first step, however, is the Network Ownership and Visibility Initiative (NOVI). University IT resources, their uses, and the staff managing them are constantly evolving. The VMP team needs to know who a network or application owner is.
Steve Hicks explains that once an owner is identified, the VMP team collaborates with them to clarify what they oversee. The team helps the system owner set up network scanning and configure it for a discovery scan that inventories connected devices on the owner’s networks. Steve’s main concern is, “As IT and information security professionals, we cannot protect what we can’t see or know about.”
The next step is fine-tuning the scan configuration for more thorough vulnerability scanning that identifies any issues: Is there anything that needs to be patched or upgraded? Are there problems with the operating system? Applications with outdated components? Ports or services that are no longer necessary?
The VMP team helps system owners focus their efforts and prioritize, separating the most serious findings from the quick fixes. Sonia Nazaroff explains that they are “not pointing fingers, it’s about partnership.” They offer recommendations in a manner that works for the owner’s environment while adhering to policy.
The policy requires scanning networks on a regular schedule. The scans can run automatically with a frequency based on risk, and VMP professionals can help system owners set them up and get the most benefit from them.
In addition to the system owner outreach work the VMP team does via NOVI, they also take referrals from Dayon Harris with the Information Security Assessments of Compliance program (read more about ISAC). The VMP team hosts regular office hours and remains available after hours to answer questions, so service owners are not left trying to figure out vulnerability management on their own.
Sonia says, “Over the last few years, we've built strong relationships across campus, and that collaboration has been one of the most rewarding parts of VMP. We genuinely enjoy working with resource owners and look forward to continuing to grow those relationships as the VMP evolves.”
This article is the second in a series of three stories highlighting Information Security Office programs dedicated to helping system owners keep campus IT resources secure.