The IP scanning service was set up to comply with the AGID minimum ICT security measures, whose point 4 [ABSC 4 (CSC 4): CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION] requires the use of an automated vulnerability scanning service. The service supports the technicians who manage servers and services on the University network by giving them a first (not in-depth) picture of the security level of each machine.
17 May 2019
The Nessus software periodically scans every IP address in the Povo and Trento datacenters and produces a list of vulnerabilities for each system. The scan runs once a week (Tuesday at 8 am) and lasts about 2 hours; scanning a single machine takes around 2-3 minutes.
After the scan, a technical report is sent to the technician responsible for a system only if that system is affected by Critical or High vulnerabilities; the report also lists the Medium, Low and Info findings for that system.
The role of the technician is to:
- update the systems and/or coordinate the activities of other administrators so that the whole system is updated;
- inform the manager of the risks connected to the vulnerabilities;
- inform the manager of any critical issues with the updates needed to correct the vulnerabilities;
- suggest alternative measures to mitigate the vulnerabilities;
The manager decides (within the agreed time and in any case no later than 5 working days) whether to:
- proceed promptly with the update;
- postpone the update for all or some of the vulnerabilities (planning alternative measures to mitigate the risks);
- rule out resolving all or some of the vulnerabilities (planning alternative measures to mitigate the risks);
If the manager decides not to correct some (or all) of the vulnerabilities, the system is still scanned; the manager can choose whether notifications to the technician continue, but if they are disabled, notifications of newly discovered vulnerabilities on that system are disabled as well, so no one is alerted to new findings. If the update is postponed, the CERT service must be notified of the reason, with everyone who has decision-making authority in CC.
The technician can independently consult the knowledge base made available by Nessus to evaluate the risks related to a vulnerability. The CERT staff remain available to help estimate the real impact (and criticality) of the vulnerabilities reported by the software and to agree with the technician and/or manager on the most appropriate actions. In any case, CERT reserves the right to evaluate the motivations or corrective actions proposed.
Per-person (ad personam) enablement
The scanned system must be registered in the IPAM (IP address management) system.
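The notification rule described above (a technician is emailed only when a system has at least one High or Critical finding, but the report then lists every severity) together with the IPAM registration requirement, expressed as a triage script over a Nessus-style CSV export. This is an added example, not code from this page or from the University CERT: the sample rows, plugin IDs, hosts and the `IPAM_CONTACTS` table are constructed, and the column layout is assumed to follow the common Nessus CSV export (`Plugin ID`, `Risk`, `Host`, `Name`, ...).

```python
import csv
import io
from collections import defaultdict

# Severity ranking. Nessus exports label informational findings "None";
# the page's report categories call them "Info", so both spellings map to 0.
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0, "None": 0}
NOTIFY_THRESHOLD = SEVERITY["High"]  # a report is sent only for High or Critical

# Constructed sample rows in the column layout of a Nessus CSV export
# (assumption: real exports carry more columns; only Plugin ID, Risk, Host
# and Name are read here). Plugin IDs and hosts are illustrative, not scan data.
SAMPLE_EXPORT = """\
Plugin ID,CVSS,Risk,Host,Protocol,Port,Name
10001,0.0,None,10.0.0.10,tcp,22,SSH service detected
10002,5.0,Medium,10.0.0.10,tcp,443,Self-signed TLS certificate
10003,7.5,High,10.0.0.10,tcp,443,Outdated TLS protocol version enabled
10001,0.0,None,10.0.0.11,tcp,22,SSH service detected
10002,5.0,Medium,10.0.0.11,tcp,443,Self-signed TLS certificate
10004,9.8,Critical,10.0.0.12,tcp,80,Web server with known remote code execution
10005,3.1,Low,10.0.0.12,tcp,80,HTTP TRACE method enabled
"""

# Constructed stand-in for the IPAM registration: host -> responsible technician.
# Assumption: in practice this is a lookup against the University IPAM.
IPAM_CONTACTS = {
    "10.0.0.10": "alice@example.org",
    "10.0.0.11": "bob@example.org",
    # 10.0.0.12 deliberately missing: not registered in IPAM
}


def parse_export(text):
    """Read a Nessus-style CSV export into a list of finding dicts."""
    reader = csv.DictReader(io.StringIO(text))
    findings = []
    for row in reader:
        risk = row["Risk"].strip().title()  # tolerate "high" / "HIGH"
        if risk not in SEVERITY:
            raise ValueError(f"unknown Risk value {row['Risk']!r} for host {row['Host']}")
        findings.append({
            "host": row["Host"].strip(),
            "plugin_id": row["Plugin ID"].strip(),
            "risk": "Info" if risk == "None" else risk,
            "name": row["Name"].strip(),
        })
    return findings


def group_by_host(findings):
    """Map each host to its findings, highest severity first."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f)
    for host in per_host:
        per_host[host].sort(key=lambda f: SEVERITY[f["risk"]], reverse=True)
    return dict(per_host)


def max_severity(host_findings):
    """Numeric severity of the worst finding on a host."""
    return max(SEVERITY[f["risk"]] for f in host_findings)


def build_notifications(findings, contacts):
    """Apply the notification rule: a host's technician gets a report only if
    the host has at least one High or Critical finding; the report still lists
    every finding for that host (Medium, Low, Info included).

    Returns (notifications, unregistered): notifications is a list of
    (technician, host, findings) to send; unregistered lists hosts that met the
    threshold but have no technician in IPAM, so the gap is surfaced rather
    than the report being silently dropped.
    """
    notifications, unregistered = [], []
    for host, host_findings in sorted(group_by_host(findings).items()):
        if max_severity(host_findings) < NOTIFY_THRESHOLD:
            continue  # Medium/Low/Info only: no report this week
        technician = contacts.get(host)
        if technician is None:
            unregistered.append(host)
            continue
        notifications.append((technician, host, host_findings))
    return notifications, unregistered


if __name__ == "__main__":
    notes, missing = build_notifications(parse_export(SAMPLE_EXPORT), IPAM_CONTACTS)
    for technician, host, host_findings in notes:
        print(f"To {technician}: {host} ({len(host_findings)} findings)")
        for f in host_findings:
            print(f"  [{f['risk']}] {f['plugin_id']} {f['name']}")
    for host in missing:
        print(f"No IPAM record for {host}: report cannot be delivered")
```

With the constructed rows, only 10.0.0.10 produces a report (its High finding crosses the threshold, and the report still carries the Medium and Info rows); 10.0.0.11 has nothing above Medium and is skipped; 10.0.0.12 has a Critical finding but no IPAM contact, which is exactly the case the registration requirement exists to prevent.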