Overview


Vulnerability Management is the activity of remediating or controlling security vulnerabilities that are 1) identified by network, system, and application scanning for known vulnerabilities, or 2) reported by vendors. Managing system vulnerabilities in a timely fashion is key to the protection and security of, and continued access to, University resources.

Scope of this Policy


All NYU network infrastructure, servers, operating systems on virtual machines, cloud-hosted server operating systems, database servers, databases, and applications.

Policy


All NYU network infrastructure, servers, operating systems on virtual machines, cloud-hosted server operating systems, database servers, databases, and applications must be scanned in a fashion and on a schedule appropriate for the risk profile of the assets or regulatory needs.

Systems with High Risk data (see Electronic Data and System Risk Classification Policy) must be scanned for vulnerabilities at least monthly.

The NYU IT Global Office of Information Security (GOIS) performs regular Authenticated and Unauthenticated Scans of networks, systems, databases, or applications. Units managing networks, systems, databases, or applications must either use the GOIS scanning service or perform similar scans. Scans are limited to reviewing system and application configuration and do not open or examine content in email, documents, spreadsheets, databases, or any other application.

Security vulnerabilities identified through scans or identified by vendors must be remediated/controlled as described below.

Vulnerability Scans


Unauthenticated Network Vulnerability Scans

The GOIS conducts routinely scheduled unauthenticated scans of NYU-NET. Schedules will be announced. The Unauthenticated Network Vulnerability Scans (network asset/device enumeration and discovery scanning, OS fingerprinting, and open service/port scanning) look at the entire NYU network space. They are designed to test for known vulnerabilities that are remotely exploitable, require no authentication, impact confidentiality or integrity, and are considered high or medium in severity.

The unauthenticated scan checks a list of commonly-observed ports only to find services to test.

Vulnerability reports are provided to the identified IT contact person or user in a unit with the expectation that corrective actions will be taken. These corrective actions may include closing inappropriately open ports or patching unpatched servers.

Units are expected to address any identified vulnerabilities as outlined in the Vulnerability Remediation/Risk Mitigation section below.

Authenticated Network Vulnerability Scans

All networks, systems, databases, or applications that create, maintain, process, transmit, or store data classified as High Risk (see Electronic Data and System Risk Classification Policy) must be scanned on a regular basis, no less than monthly.

The GOIS conducts regular authenticated vulnerability scans by running all safe tests available in the scanning tool.

  • The scans undertake to connect to hosts on the target networks in various ways to determine which hosts are responsive. Hosts can include computer workstations and servers, network switches and routers, networked printers, scanners, copiers, digital telecommunications, and personally-owned devices.
  • Discovered hosts are subsequently interrogated to find open ports for the scanner to probe.
  • The scanning tool logs into the system with previously-provided credentials and takes inventory of running services, listening ports, installed applications, and configurations. This information is then examined for vulnerabilities.

Vulnerability reports are provided to the identified contact person in a unit with the expectation that corrective actions will be taken. Reported findings may include software vulnerabilities, inappropriately open ports, or unpatched servers. These authenticated scans are performed on schedules determined by the risk profile of the systems or data, or by regulatory needs.

Units are expected to address any identified vulnerabilities as outlined in the Vulnerability Remediation section below.

Web Application Security Scanning

The GOIS performs web application security scanning as part of its Security Risk Assessments, and can also perform security scans of existing web applications, especially when these applications are being upgraded or substantially changed. The results help NYU units identify and resolve vulnerabilities in web applications.

The scanner is effective at finding vulnerabilities specific to web applications, such as SQL injection and cross-site scripting. The scanner crawls websites, checking for vulnerabilities across servers that support web applications. After the scan completes, GOIS can provide a detailed report with specific vulnerability details and remediation steps.

As with other vulnerability scanning, units may use the service to scan NYU-owned applications that are reachable from GOIS's scanning service. For networks that are not normally reachable due to a firewall, an exception may need to be created to allow the scanner full visibility of the target network.

Targeted Scans for Specific Vulnerabilities

GOIS may occasionally perform narrowly-targeted scans of all NYU networks to find high-risk vulnerabilities that pose an imminent threat.

When such scans are performed, every effort will be made to notify network owners in advance. An email notification will be sent to the network administration lists to advise of the scope and timing of the scan.

Units that observe unexpected scan traffic may contact security@nyu.edu with the relevant source and target IP address to determine whether a GOIS scan is the root cause.

Scan Accuracy

Any network or host-based firewalls and IDS/IPS technology must be configured with exceptions for the IP range of the GOIS scanners so that the scans provide accurate data; otherwise blocked probes will be reported as closed ports or missing services rather than as the real state of the host.

Vulnerability Remediation/Risk Mitigation


If a vulnerability scan identifies vulnerabilities in an NYU unit or the unit learns of new vulnerabilities, the unit/responsible IT person is expected to remediate them or, in the rare cases where that is not possible, implement approved and documented compensating controls to reduce risk. In cases where a vulnerability introduces heightened risk to data exposure, NYU IT may disconnect, disable and/or block the device from accessing NYU-NET until remediation or risk mitigation takes place.

Prioritize Based on Severity

Report recipients are encouraged to prioritize remediation efforts based on the severity of the vulnerability and the potential impact on the confidentiality, integrity, or availability of the vulnerable systems and/or their data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS).

Highest priority should be given to vulnerabilities rated Critical (CVSS 9-10) or High (CVSS 7-8.9).

Plan Remediation/Risk Mitigation

Remediation planning should:

  • Validate that the vulnerability is properly identified and prioritized.
  • Include specific steps that will be taken to mitigate the risk that the vulnerability poses.
  • Ensure that appropriate resources are, or will be, available to remediate the vulnerability or mitigate the risk that the vulnerability poses.
  • Identify milestones in the remediation/risk mitigation process to fully address the vulnerability.
  • Ensure that the schedule for resolving or addressing the vulnerability is achievable and allows for appropriate testing.

Meet Remediation Timeframes

After a vulnerability is detected and a fix is available, the timeline for remediation/risk mitigation begins.

  • Critical (CVSS 9-10) Vulnerabilities:
    • Create corrective action plan within two weeks.
    • Remediate vulnerability/mitigate risk within one month.
  • High (CVSS 7-8.9) Vulnerabilities:
    • Create corrective action plan within one month.
    • Remediate vulnerability/mitigate risk within three months.
  • Other Vulnerabilities:
    • If fewer than 100 machines are impacted, remediation can be scheduled based on the availability of staff resources.
    • If more than 100 machines are impacted, the breadth of exposure may raise the vulnerability level.

If GOIS or a vendor has issued an alert for a critical vulnerability, requirements specified within the alert may supersede those above.

Laws, regulations, standards, or contractual agreements may dictate a higher priority and shorter timeline than the CVSS score alone indicates. For example, to comply with the Payment Card Industry Data Security Standard any NYU PCI environment with a vulnerability that has a CVSS score of four or higher must be remediated within 30 days of notification. Vulnerabilities with scores lower than four must be remediated within two to three months.
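To make the timeframes above concrete, here is an added example (not part of the policy or any NYU tooling) that computes the plan and remediation due dates for a finding from the detection date, the date a fix became available, the CVSS score, and whether the asset sits in a PCI environment. It assumes one month is 30 days, three months is 90 days, and "two to three months" for PCI scores below four is taken at its 90-day outer bound; the hypothetical `remediation_deadlines` function and field names are mine.

```python
from datetime import date, timedelta
from typing import Optional

# Policy bands, in days (assumption: month = 30 days, as the policy gives no calendar rule).
POLICY_DAYS = {
    "Critical": (14, 30),   # plan within two weeks, remediate within one month
    "High": (30, 90),       # plan within one month, remediate within three months
    "Other": (None, None),  # scheduled on staff availability; no fixed deadline
}


def severity(cvss: float) -> str:
    """Map a CVSS base score to the bands used in the policy text."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Other"


def pci_days(cvss: float) -> int:
    """PCI DSS override described in the policy: CVSS >= 4 within 30 days, else 90 (assumed outer bound)."""
    return 30 if cvss >= 4.0 else 90


def remediation_deadlines(detected: date, fix_available: date, cvss: float,
                          pci: bool = False, hosts: int = 1) -> dict:
    """Return the plan and fix due dates for one finding under the policy.

    The clock starts only once a fix exists, so the later of the two dates is used.
    A PCI environment applies the stricter of the policy deadline and the PCI deadline.
    More than 100 impacted hosts on an 'Other' finding is flagged for possible escalation.
    """
    start = max(detected, fix_available)
    band = severity(cvss)
    plan_days, fix_days = POLICY_DAYS[band]
    if pci:
        override = pci_days(cvss)
        fix_days = override if fix_days is None else min(fix_days, override)

    def due(days: Optional[int]) -> Optional[date]:
        return None if days is None else start + timedelta(days=days)

    return {
        "severity": band,
        "clock_start": start,
        "plan_due": due(plan_days),
        "fix_due": due(fix_days),
        "escalation_review": band == "Other" and hosts > 100,
    }
```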

If the Remediation Timeline cannot be met, contact the GOIS at security@nyu.edu to discuss options and alternatives to ensure a safe IT environment in your unit.


Notes
  1. Dates of official enactment and amendments: Dec 1, 2019
  2. History: Reviewed: July 26, 2021; Revised: new policy Dec 1, 2019
  3. Cross References: N/A