Report an Incident
To report a security breach or other security incident send an email to Security@osu.edu
General Questions
I have a general comment or question relating to computer or network security at OSU . . .
First, please check further through the FAQ to make sure that the question isn't answered in some way further on. It's quite possible that we'll cover it here.
Next, check the contacts page, and contact us. A short answer is to send E-mail to security@osu.edu.
I have a question about an ISS Scan . . .
Questions About Network Vulnerability Scans
We use several tools to conduct regular scans for network security vulnerabilities on OSU's networks, including the Internet Security Systems "Internet Scanner". We also use other tools, such as nmap. The scanning schedule and resulting reports are sent to the Department Network Administrators (DNAs) that we have listed for our address ranges.
We can set up scans apart from the regular quarterly schedule on request. If you have questions about the contacts that we have listed for an address range, or would like us to change a contact or add an additional one, we can make those changes as well. We would also be happy to meet with you to go over your scan results and discuss possible solutions to the problems listed.
A few comments about interpreting the scan reports
Note that any vulnerability scan will occasionally give false positives - in other words, it will report problems that don't really exist. Of course, one of our goals is to reduce the number of false positives in the scan reports. If you review your reports and find entries that you think are in error, please let us know so that we can try to improve the quality of the reports that we generate.
You may not be able to correct all of the problems identified in your scan report. That's OK - the main issue that you should be concerned with is that you understand the contents of the report, correct the issues that you can, and understand and accept the issues that you choose not to fix.
In some cases, you may choose to leave a potentially vulnerable service running, but to limit access to the service to reduce the level of risk. Or you may choose to hide potentially vulnerable services that you make available for local use behind a firewall. By the way, we can help you set up firewalls :-)
If you think that it's OK to ignore the vulnerabilities reported because "no one would ever bother to break into THIS host", think again - in most cases, computer break-ins are like muggings. The intruder doesn't care about breaking into YOUR host specifically; it just happens to be on the Internet and is vulnerable.
I Have A Question About Your Review Software
The Review package was written by Steve Romig, and is available by request to security@osu.edu.
