About vulnerability management
Vulnerability management is the process of identifying, evaluating, treating and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside other security tactics, is vital for organizations to prioritize potential risks and minimize their attack surface.
Security vulnerabilities refer to technological weaknesses that allow malicious actors to compromise a product and the information it holds. This process needs to be performed continuously to keep up with new systems being added to networks, changes that are made to systems and the discovery of new vulnerabilities over time.
What is vulnerability scanning?
Vulnerability scanning is one aspect of a full vulnerability management program. Within vulnerability scanning there are two types being offered: non-credentialed and agent based. They are intended to bypass all security controls to enumerate all known vulnerabilities on the device being scanned. Non-credentialled scans are subject to much higher false positive findings.
The University of Toronto has many networked devices, including desktops, laptops printers and any other device that has an IP address. Some of these devices may have security issues due to missing patches, misconfigurations or obsolete software/operation systems. Vulnerability scanning proactively tests every connected device on our network and attempts to identify these potential security issues.
Roles and responsibilities for the VMS
The table below outlines the delineation line of responsibility via a Responsible, Accountable, Consulted and Informed (RACI) model between units opting in for VMS and the Information Security VMS team providing such service.
| Responsibility | Information Security | Unit / Department |
|---|---|---|
| Plan scans (scope, priorities, frequencies) | R+A | C |
| Execute scans | R+A | I |
| Prioritize & escalate any material vulnerability | R+A | I |
| Validate scan results (false positives) | R+A | C |
| Report scan results | R+A | I |
| Remediate affected systems | C | R+A |
| Monitor vulnerability status | R+A | R |
| Exceptions [1] | R | C+A |
[1]For things that need to exist in the Enterprise but still have an un-remediated vulnerability. Requires Risk Management analysis.
FAQs
VMS allows network or server administrators to stay ahead of malicious actors by fixing weaknesses in the information systems. Overall, it is an essential service to protect our people and data at U of T.
The cost for the VMS is being incurred by Information Security and will be provided as a complimentary service to all tri-campus units. The vulnerability scan results are restricted to a need-to-know basis.
If you are authorized, the vulnerability scan results associated with your unit can be accessed through the Vulnerability Reporting Portal by logging in with your UTORid.
If you are a network or server administrator and do not have access to the vulnerability scan results for systems you manage, contact us at security.admin@utoronto.ca.
Vulnerability scans are currently scheduled to run weekly and the results are available immediately after the scan completes via the reporting portal. The key time to look for results is right after security patches are released by the responsible vendor.
The community IT team that applies patches to the various platforms should have a Service Level Agreement (SLA) on deploying newly released patches. For example, Microsoft has “patch Tuesday” when they release patches. The vulnerability scan will verify if the fix has been applied and if it addresses the security concern.
On-demand scan requests can be accommodated by contacting security.admin@utoronto.ca.
For information about use of Tenable at the University of Toronto, refer to the Tenable.IO University Training Guide. Additionally, you can find free Tenable tutorials on the Tenable website.
Yes, it is a requirement for all units. The U of T Information Security and the Protection of Digital Assets Policy and Information Security Standard requires that all institutional devices need to be secure to better protect our people, data and systems.