Vulnerability Security Scans

Service Summary

UC Santa Cruz’s Information Security Service Team provides services to guide UCSC service providers in securing their systems and applications, and minimizing risk.

Scan results help identify vulnerabilities, prioritize areas for improvement, and support audits and compliance requirements. Our enterprise scan engines are updated frequently so that every scan reflects the latest intelligence on emerging threats.

Vulnerability scans and reports are available on request for systems as well as for applications.

Though they share the same purpose, to qualify and prioritize risk, a system vulnerability scan is not a penetration test. A system scan enumerates the known vulnerabilities of a host and prioritizes them according to the likelihood and impact of exploitation; it does not attempt to exploit them. Web application scans go a step further: they attempt to exploit the software vulnerabilities they find, and qualify each vulnerability by its severity and by how certain the exploitation was.

Features & Functions

Vulnerability Scans can be done in two ways:

  1. Authenticated scans of a system or application. Login credentials for a non-administrative user are required for this scan. UCSC Sundry accounts can be used for this purpose. Because the scanner logs in, it can enumerate all software and services installed on the scanned host, including packages that are not reachable from the network, and compare their actual installed versions against known vulnerabilities. This is the recommended scan type.
  2. Unauthenticated scans of a system or application. Login credentials are not used, so this scan can only review externally visible services and cannot compare a list of all installed software to known vulnerabilities. Since it must infer what is running from service banners and network behaviour rather than from the package inventory, it has a higher rate of false positives (for example, a service whose fix was applied without changing the advertised version string will still be flagged) and may miss vulnerable software that does not listen on the network.

Reports: Results of the scan are provided to the requester and the Service Manager, who must then work with their service providers to confirm false positives and remediate confirmed vulnerabilities.

Consultation: A Service Manager and/or Service Providers may request consultation with IT Security to discuss the scan results and resultant risk ratings, and how to investigate and confirm if false positives exist. Consultations may include penetration testing and are handled using the ITS Project Management methodology.

Requirement to Re-Scan: Systems or applications with high-risk vulnerabilities, and systems showing evidence of a data breach, must be re-scanned after remediation to demonstrate that the identified vulnerabilities have been eliminated. Security will also re-scan other systems and applications upon request to confirm vulnerabilities have been addressed.

Eligibility for Service

University owned, managed or affiliated systems are eligible for vulnerability scans.

Requesting the Service

Three distinct types of scans are available:

  1. Vulnerability scans for public-facing systems can be requested through the IT Request form "Host Vulnerability Scan - Network".
  2. Vulnerability scans for systems within a closed network can be requested through the IT Request form "Host Vulnerability Scan - Dept".
  3. Vulnerability scans for web applications can be requested through the IT Request form "Web Application Scan".

Your IT Request will be assigned within 8 working hours. You will be contacted for additional information if needed (a consultation is necessary for scheduling a web application scan and for closed network scans).

Availability, Metrics & Statistics

Security Service Team availability is typically Monday-Friday, 8AM-5PM. However, scans can be performed during off hours so that they do not disrupt business operations.

Self-Service Support

You can generate your own reports regarding the success of remediation efforts over time.

Getting Help

Support for this service is available M-F, 8AM-5PM. To request support, open an IT Request Ticket using the following settings:

  • Create New Incident
  • Keywords: Vulnerable System, Vulnerable Software

Consultation priority is first in, first out unless prioritized otherwise by management.

Cost

This service is funded by Information Technology Services. There is no direct charge to the department requesting the scan.