Vulnerability Scans

Service Summary

UC Santa Cruz’s Information Security Service Team provides services to guide UCSC service providers in securing their systems and applications, and minimizing risk.

Scan results can help identify vulnerabilities, prioritize areas for improvement, and support audits and compliance requirements. Our enterprise scan engine is updated daily or more frequently to ensure we are scanning against the latest intelligence on emerging threats.

Vulnerability scans and reports are available on request for systems and applications.

Though they share the same purpose, to qualify and prioritize risk, a vulnerability scan is not a penetration test. Vulnerability scanning enumerates known software vulnerabilities on a system and prioritizes them according to the estimated likelihood and impact of exploitation. Penetration testing goes further: it requires an actual attempt to exploit those vulnerabilities in order to confirm that estimate.

Features & Functions

Vulnerability Scans can be done in two ways:

  1. Authenticated scans of a system or application. Login credentials for a non-administrative user are required for this scan; UCSC Sundry accounts can be used for this purpose. This scan enumerates all software and services residing on the scanned host and is the recommended scan type.
  2. Unauthenticated scans of a system or application. Login credentials are not used, so this scan reviews only externally visible services and does not compare a list of all installed software against known vulnerabilities. This scan also has a higher rate of false positives.

Reports: Results of the scan are provided to the requester and the Service Manager, who must then work with their service providers to confirm false positives and remediate confirmed vulnerabilities.

Consultation: A Service Manager and/or Service Providers may request consultation with IT Security to discuss the scan results and the resulting risk ratings, and how to investigate and confirm whether findings are false positives. Consultations may include penetration testing and are handled using the ITS Project Management methodology. Costs (charge-back) may be incurred for any type of consultation.

Requirement to Re-Scan: Systems or applications with high-risk vulnerabilities, and systems showing evidence of a data breach, must be re-scanned after remediation to demonstrate that the identified vulnerabilities have been eliminated. Security will also re-scan other systems and applications upon request to confirm vulnerabilities have been addressed.

Eligibility for Service

University owned, managed or affiliated systems are eligible for vulnerability scans.

Requesting the Service

Vulnerability Scans for web-facing devices can be requested via this link to IT Request Vulnerability Scan - Network. Vulnerability Scans for devices within a closed network can be requested via this link to IT Request Vulnerability Scan - Dept.

Your IT Request will be assigned within 8 working hours. You will be contacted for additional information if needed.

Availability, Metrics & Statistics

Security Service Team availability is typically Monday-Friday, 8AM-5PM. However, scans can be performed during off hours to avoid disrupting business operations.

Self-Service Support

You can generate your own reports regarding the success of remediation efforts over time.

Getting Help

Support for this service is available M-F, 8AM-5PM. To request support, open an IT Request Ticket and assign it to the following categories:

  • Create New Incident
  • Service: Security (Physical, IT and Policy)
  • System/Application: Vulnerability Scans

Cost

This service is funded by Information Technology Services. There is no direct charge to the department requesting the scan. However, costs (charge-back) may be incurred for any non-standard or in-depth type of consultation.