Vulnerability scans are a critical tool in the information security program of any educational institution. Regular scans keep administrators apprised of the actual state of security on their networks and allow time for remediation before an attacker discovers the vulnerabilities.
While crucial, vulnerability scans also consume network bandwidth and tie up valuable resources on any system undergoing a scan. At worst, the scans have the potential to result in system outages or other operational issues. To protect the integrity of an institution’s information systems, IT staff should follow these tips when preparing to scan any campus network.
1. Schedule scans based on risk.
All of the thousands of systems on most campus networks simply can’t be scanned all of the time. Attempting to do so would quickly exhaust any available scanning resources, and interpreting the results would require an army of analysts.
Scan systems using a risk-based approach. Triage systems based on their network exposure and the sensitivity of the data they contain to ensure the majority of the team’s time is focused on the most important targets. Credit card processing systems should be scanned daily, for example, while an internal test server can get by with just a weekly or monthly scan.
2. Work around institutional needs.
Every institution operates according to its own, unique rhythm: Administrative activity likely peaks midmorning, while residential network traffic probably rises in the late evening. Develop a scanning schedule that takes those rhythms into consideration and minimizes the impact of vulnerability scanning on campus operations.
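Tips 1 and 2 can be combined into one scheduling routine. The sketch below is an added example, not part of the original article: it derives a scan cadence from exposure and data sensitivity, then places each scan in the first window that avoids the owner's busy hours. The scoring scales, asset names, busy hours and scan durations are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed scoring scales (not from the article); higher means more risk.
EXPOSURE = {"internet": 3, "campus": 2, "internal": 1}
SENSITIVITY = {"cardholder": 3, "student_records": 2, "none": 1}
ADMIN_BUSY = {9, 10, 11}          # constructed: midmorning administrative peak
RESNET_BUSY = {20, 21, 22, 23}    # constructed: late-evening residential peak

ASSETS = [  # constructed sample inventory
    {"name": "pos-gateway", "exposure": "campus", "sensitivity": "cardholder",
     "busy_hours": ADMIN_BUSY, "duration_hours": 2},
    {"name": "resnet-portal", "exposure": "internet", "sensitivity": "student_records",
     "busy_hours": RESNET_BUSY},
    {"name": "test-server", "exposure": "internal", "sensitivity": "none",
     "busy_hours": ADMIN_BUSY},
]

def scan_interval_days(exposure, sensitivity):
    """Days between scans: 1 (daily), 7 (weekly) or 30 (monthly)."""
    if sensitivity == "cardholder":
        return 1  # the article's example: card processing is scanned daily
    score = EXPOSURE[exposure] * SENSITIVITY[sensitivity]
    return 1 if score >= 6 else 7 if score >= 3 else 30

def next_scan_start(last_scan, interval_days, busy_hours, duration_hours=1):
    """Earliest whole-hour start, once the scan is due, whose window avoids busy hours."""
    due = last_scan + timedelta(days=interval_days)
    start = due.replace(minute=0, second=0, microsecond=0)
    if start < due:
        start += timedelta(hours=1)  # round up to the next full hour
    for _ in range(48):  # look at most two days ahead
        window = {(start + timedelta(hours=h)).hour for h in range(duration_hours)}
        if not window & set(busy_hours):
            return start
        start += timedelta(hours=1)
    raise ValueError("no quiet window long enough for this scan")

def build_schedule(assets, last_scan):
    """Return (name, interval_days, start) tuples ordered by start time."""
    plan = []
    for a in assets:
        days = scan_interval_days(a["exposure"], a["sensitivity"])
        start = next_scan_start(last_scan, days, a["busy_hours"], a.get("duration_hours", 1))
        plan.append((a["name"], days, start))
    return sorted(plan, key=lambda item: item[2])

if __name__ == "__main__":
    for name, days, start in build_schedule(ASSETS, datetime(2024, 3, 4, 10, 30)):
        print(f"{name:14} every {days:2} day(s), next scan {start:%Y-%m-%d %H:%M}")
```

The error raised when no quiet window exists is deliberate: an asset whose busy hours cover the whole day needs a conversation with its owner, not a silently skipped scan.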
3. Tune scans for false positives.
Invariably, vulnerability scans turn up false positive results. Those may be due to risks IT previously identified and accepted, or a system’s technical characteristics that trigger inaccurate vulnerability reports. Take the time to tune the scan policy so that the same false positives do not reappear every time a scan runs. Minimizing such noise will draw greater attention to vulnerabilities that actually require administrator intervention. It’s far easier to react to a problem report when teams are accustomed to a steady stream of emails reporting “no issues.”
4. Delegate responsibility and authority.
Campus computing is a distributed activity, and vulnerability scanning should operate in the same fashion. Administrators who are responsible for the systems in a given department should have access to scan results and, perhaps, the authority to trigger scans on demand. Delegate scan access to departmental administrators to foster a sense of responsibility for remediation and quick attention to negative scan results. Put information in the hands of staff members who can make changes.