When any internal system or external security service identifies a definite or potential vulnerability in a UAH information system, the Vulnerability Management procedure below must be followed.
Vulnerability Management Process
The Vulnerability Management process consists of the five phases:
- Discovery
- Prioritization
- Planning
- Remediation
- Validation
Discovery Phase
During the discovery phase, vulnerabilities are identified using available tools including but not limited to Crowdstrike Spotlight, Nessus, and Shodan.
Crowdstrike
Crowdstrike will be configured to continuously monitor all UAH connected systems except for those subnets and systems specifically excluded from the vulnerability management process. Examples of exclusions include:
- Resnet
- Security camera subnets
- Wireless device subnets set aside for students
Specific exceptions will be defined in the Crowdstrike solution and must be approved by the CISO or CIO.
The CISO or designee will review the Crowdstrike Asset Inventory monthly to address any unmanaged or orphaned assets. Any identified assets will be provided to OIT or Local Support Provider staff to ensure Crowdstrike is installed on appropriate systems.
Tenable
Tenable should be used for hosts which cannot install the Crowdstrike agent or have received special dispensation from the CIO or CISO to not have the agent installed.
Tenable should be configured to scan the systems at least weekly with the results uploaded in human-readable format to a shared drive that can be accessed by OIT and Local Support Providers.
Shodan/External Scanners
Shodan/External Scanners should be used for hosts which are exposed publicly to networks outside of UAH control. These scanners should be configured to scan the systems at least weekly with the results uploaded in human-readable format to a shared drive that can be accessed by OIT and Local Support Providers.
Other
Vulnerabilities could be reported via other means such as a help desk ticket, email, chat message, or in person. In these instances, the person should report the vulnerability to the CISO and CIO for proper prioritization and remediation.
Prioritization Phase
Once the vulnerability scan completes, OIT Cyber personnel will review, assess and prioritize the results from the Crowdstrike and Nessus automated tools.
Vulnerabilities will be classified according to severity of the vulnerability and risk to the UAH environment. These levels are determined via a mixture of automated processes utilizing external data sources such as Common Vulnerability Scoring System (CVSS) Scores, insight from external data sources regarding current exploits being utilized by malicious actors, and research by cybersecurity personnel.
Vulnerabilities will be classified as critical, high, medium, and low severity based on the estimated risk to the UAH environment.
The vulnerability classification levels are as follows:
- Critical vulnerabilities have one or more of the following characteristics:
- Defined as Critical by the scanning tool
- Exploitation of the vulnerability will likely result in a root-level or administrator-level compromise of UAH IT systems
- Defined as High by the scanning tool and the system may be accessed directly from the Internet
- Defined as High by the scanning tool and the information system stores or processes sensitive or confidential data as defined by the Protection of Data Policy (06.01.01).
- High vulnerabilities have one or more of the following characteristics:
- Defined as High by the scanning tool and the system is not accessible from the Internet
- Defined as High by the scanning tool and the system does not store or process sensitive or confidential data as defined by the Protection of Data Policy
- Defined as Medium by the scanning tool and the system is accessible from the Internet
- Defined as Medium by the scanning tool and the system stores or processes sensitive or confidential data as defined by the Protection of Data Policy.
- Medium vulnerabilities have one or more of the following characteristics:
- Defined as Medium by the scanning tool and the system is not accessible from the Internet
- Defined as Medium by the scanning tool and the system does not store or process sensitive or confidential data as defined by the Protection of Data Policy
- Defined as Low by the scanning tool and the system is accessible from the Internet
- Defined as Low by the scanning tool and the system stores or processes sensitive or confidential data as defined by the Protection of Data Policy.
- All other vulnerabilities will be classified as Low
If there are conflicting or unclear severity levels, consult the CISO for guidance.
By default resources will be brought to bear on vulnerabilities in the following order: Critical, High, Medium, Low. Many vulnerabilities can be worked in parallel so there is no need to remediate all Critical vulnerabilities prior to moving on to the High vulnerabilities, and so on down the priority scale.
The Cybersecurity staff will document all vulnerabilities sent out as part of notifications to the OIT staff, Local Support Providers, system owners, or application owners. This documentation will be maintained in a Google spreadsheet and this spreadsheet will be used to track compliance with remediation requirements.
Planning Phase
During the planning phase, OIT personnel will work with Local Support Providers and/or the system and application owners to devise a vulnerability mitigation solution that can be executed with minimal impact to the system/application and its users and still meet remediation timeline requirements. The preferred solution is to utilize a vendor-supplied patch or upgrade to a version of the software/application/operating system that is not vulnerable to the discovered vulnerability. Should such a patch not be available, the CISO will work with system and application owners to devise appropriate compensating controls that can be put in place until such a patch is released.
If during the planning phase it is determined with certainty that the identified vulnerability is not present on the system, the vulnerability will be treated as a false positive and annotated as such in the vulnerability management system.
Crowdstrike routinely provides recommended vulnerability mitigation solutions as part of its vulnerability identification process. These solutions will be considered prior to other possible remediation solutions.
Whenever possible, centralized technical solutions such as Microsoft Endpoint Configuration Manager (ECM), WSUS, Ansible, and JAMF should be used to deploy necessary patches and remediations. Where this is not possible, Cybersecurity will provide Local Support Providers and/or the system and application owners a list of discovered vulnerabilities and recommended remediations by risk classification level.
Remediation Phase
During the remediation phase, mitigation efforts are executed on systems with vulnerabilities.
During the remediation phase, OIT personnel, Local Support Providers, and/or system and application owners must perform one or more of the following activities to mitigate the vulnerability (listed in order of preference):
- Utilize a vendor-supplied patch or upgrade to a version of the software/application/operating system that is not vulnerable to the discovered vulnerability
- Deploy a mitigating control with CISO approval
- Disconnect the system from the Internet and all UAH wired and wireless networks.
- Remove or discontinue use of the affected systems/applications
Remediation for the vulnerability findings should be mitigated and validated within the following time-frame from initial notification (first date of manual or automated notification of the presence of the vulnerability to OIT, Local Support Providers, or system or application owner).
|
Vulnerability Classification Level
|
Default Time to Remediate
|
|
Critical
|
7 days
|
|
High
|
14 days
|
|
Medium
|
30 days
|
|
Low
|
90 days
|
Vulnerability remediation times may be adjusted for unique vulnerabilities in situations where there are unacceptable levels of additional risk due to the presence of the vulnerability or when compensating controls have been identified, approved, and implemented. Such decisions shall be made jointly by the CISO and CIO and any such decisions will be included as part of the vulnerability notification process.
Failure to remediate systems in the timeframe defined for that vulnerability will result in action taken by OIT to protect UAH assets. These actions may include forced remediation of the vulnerability from a centralized solution, removal of the system from the network, or other appropriate actions as determined by the CIO and CISO.
For systems that are under the OIT change management process, Cyber personnel will submit a single change request detailing the upgrade required across UAH systems unless an emergency change is necessary due to an ongoing incident or an immediate need to reduce risk.
Validation Phase
During the validation phase, cybersecurity personnel verify successful vulnerability remediation via subsequent analysis of the IT asset using automated tools when possible and manual tools when it is not. Successful remediation is defined as technical or manual verification that the system is no longer vulnerable to the previously identified vulnerability.
Any successfully remediated vulnerabilities are annotated as such on the Cybersecurity Vulnerability Tracking tool.
If remediation has occurred and the change is not reflected in a subsequent validation scan, OIT staff, Local Support Providers, or the system/application owner will notify the CISO via email at ciso@uah.edu to determine appropriate next steps.
Related Resources