
Recent News

The Compensating Controls & Exceptions Form is up

Here are the Compensating Controls & Exception process submission forms for the UCSS.


GeoTrust SSL Certificate Purchasing Explained

Instructions on how to order SSL Certificates through GeoTrust can be found on this page


Security Boot Camp outline up for comment

The CIO Security Group is developing an "Information Security Boot Camp" program that will be taught later this year. Comment on the proposed outline is encouraged during development. Check out the basic outline here


Check the Blackhole List

To see the current Blackhole listing click here


Report an Incident

To report a security breach or other security incident send an email to Security@osu.edu

Scanning Questions


What scanning is performed by the I.T. Security Group?

The I.T. Security group performs automated vulnerability scans of the entire OSU address space. Web application testing and Nessus scans can also be performed upon request.

What software is used to perform the vulnerability scans?

Vulnerability scans are completed using the 3.2.x version series of Tenable Security's Nessus software.

How often will my network be scanned?

Currently, the vulnerability scans are performed once a month. In the near future, this will increase to once a week.

How do I see the results of the scanning activity?

Once the round of scanning has completed, vulnerability reports are emailed to the DNAs associated with the respective network(s). In the near future, these reports will also be emailed to the additional email contacts.

Why does my vulnerability report include hosts that do not belong to me?

The vulnerability scan targets and reporting are based upon the network assignment information managed by the OSU Hostmaster. If your report includes hosts for which you are not responsible, you should contact the OSU Hostmaster to bring the records up-to-date.

How do I change the DNAs and/or email contacts listed for a network?

Network assignment information (including details about DNAs and additional email contacts) is managed by the OSU Hostmaster. Requests for changes must be sent by one of the currently listed DNAs to hostmaster@osu.edu.

Why did I receive multiple vulnerability reports for my networks?

Vulnerability scan targets are grouped together in one scan based upon the registered DNA(s). If you share responsibility for a set of networks with one DNA, and share responsibility for a different set of networks with another DNA, a separate scan will be launched for each unique DNA grouping, and you will receive a separate report for each.

The report indicates a machine has a Windows/Linux/Mac vulnerability, but I'm running a different operating system. What should I do?

The scanning process is configured to perform a "safe" analysis of the machines on the network. Because of this setting, a scan might receive a response that is indicative of a known vulnerability, but be prevented from performing a deeper test because it could cause a service disruption or other adverse effects.

If you have received notification of a vulnerability for an operating system that is different from the one in use, this result is likely a false positive. Even if you are using a different operating system, however, it is always best policy to ensure the host is up-to-date with all security patches.

Part of my network employs Network Address Translation (NAT). Will the vulnerability scans performed by the I.T. Security group include information about my NAT hosts?

Because NAT networks use non-routable IP addresses, the scanners are unable to communicate with hosts on these networks. This is one of the reasons why the I.T. Security group strongly advises against using NAT for machines connected to the OSUnet.
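
The sketch below is an added example, not the I.T. Security group's own tooling. It illustrates the two answers above on DNA grouping and NAT: networks are grouped into one scan per unique set of DNAs, and networks in non-routable space are marked as unreachable by the scanner. The record format, the DNA names, the sample networks, and the use of the RFC 1918 ranges as the test for "non-routable" are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumption: "non-routable" means the RFC 1918 private ranges.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of network assignment records (network -> registered DNAs).
# Documentation ranges stand in for routable campus networks; names are hypothetical.
ASSIGNMENTS = {
    "192.0.2.0/24": ["alice", "bob"],
    "198.51.100.0/24": ["bob", "alice"],    # same DNAs, listed in a different order
    "203.0.113.0/24": ["alice", "carol"],
    "192.168.10.0/24": ["alice", "carol"],  # NAT network behind a gateway
}

def is_non_routable(cidr):
    """True if the network lies entirely inside an RFC 1918 range."""
    net = ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)

def build_scan_jobs(assignments):
    """Group networks into one scan job per unique set of DNAs."""
    jobs = defaultdict(lambda: {"targets": [], "unreachable": []})
    for cidr, dnas in assignments.items():
        key = frozenset(dnas)  # order of the listed DNAs does not matter
        bucket = "unreachable" if is_non_routable(cidr) else "targets"
        jobs[key][bucket].append(cidr)
    return dict(jobs)

def reports_per_dna(jobs):
    """Count how many separate reports each DNA receives (one per job)."""
    counts = defaultdict(int)
    for dna_set in jobs:
        for dna in dna_set:
            counts[dna] += 1
    return dict(counts)

if __name__ == "__main__":
    jobs = build_scan_jobs(ASSIGNMENTS)
    for dna_set, job in jobs.items():
        print(sorted(dna_set), job)
    print(reports_per_dna(jobs))
```

In this sample, alice shares networks with two different DNAs and therefore appears in two scan groupings, while the 192.168.10.0/24 network contributes no scannable targets.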

What can I do to increase the visibility of my network for the scanners and improve the quality of my vulnerability reports?

At this time, DNAs are advised against changing local firewall rules to facilitate scanning. In the near future, the I.T. Security group will provide multiple options to capture information about hosts behind firewalls.

My vulnerability scan detected all of my hosts and there were no vulnerabilities found. Does this mean my network is completely free of vulnerabilities?

The vulnerability scans are only able to detect those items within the scanner's database. Unfortunately, new vulnerabilities and pieces of malware are constantly released. While an error-free report is a good outcome, the I.T. Security group vulnerability scans should be just one facet of a larger technology maintenance program. You should remain diligent in applying patches and protecting your hosts from vulnerabilities.