Vulnerability Management Service
The vulnerability management program is a free service provided to server administrators and web developers on all 4 MSU campuses. System owners may run vulnerability scans against their own servers, or opt to have ITC perform scans on a monthly basis.
The Enterprise Security Group (ESG) has selected QualysGuard as the vulnerability management platform. This product provides a simple web interface for system owners to initiate scans and view results.
Do I have to participate in the program?
Those with externally-facing services must participate. ESG will scan all servers for which there are perimeter firewall rules in place. For those who manage servers or services, participation is highly recommended as a way to effectively manage vulnerabilities.
How do I participate?
Contact email@example.com to opt in to the service and/or request a QualysGuard account.
Will ITC scan my servers and services for me?
Upon request, ITC will scan servers and services on a monthly basis. Those who wish to run their own scans may contact firstname.lastname@example.org to request a Qualys account and training.
What if a vulnerability is found on my server or with my service?
Most server vulnerabilities are easily fixed by applying the appropriate vendor-supplied update. Service owners may also contact ESG to request assistance with remediation or mitigation.
How are scan results distributed?
Most scan results are distributed to owners via their QualysGuard account.
Do I need to remediate all vulnerabilities discovered?
No. Vulnerabilities of levels 1, 2, and 3 are generally considered informative and do not usually pose a significant risk to our environment. Vulnerabilities of levels 4 and 5 must be remediated, mitigated, or otherwise addressed.
How long do I have to remediate a vulnerability?
In short, vulnerabilities of levels 4 and 5 should be addressed as soon as reasonably possible. When a level 4 or 5 vulnerability has existed for one full month, a Web Help Desk (WHD) ticket is created, assigned to the system owner, and escalated per the following schedule:
After One Month: Preexisting high severity vulnerabilities are reported via Web Help Desk (WHD) ticket to the system owner and departmental IT director or department head.
After Two Months: If the vulnerability is still present, the ESG contacts the system owner via phone to discuss remediation or mitigation steps. At this time the dean or division head will also be made aware of the potential risk.
After Three Months: If the vulnerability is still present, the ESG will make one last attempt to contact the system owner and help mitigate the issue. If there is no immediate response, the service or server will be removed from MSU’s network.
What if remediation of a found vulnerability is beyond my resources?
Contact the ESG and ask for help in mitigating or addressing the issue. ESG will work with the department head to make sure that the associated risk is fully understood and documented.
What if I need to run a scan immediately?
(e.g., I have a new system that I want to move to production and do not want to wait until the next scan cycle to find out about vulnerabilities.)
Most QualysGuard users may run scans on-demand at any point in time. If you do not have the privileges to run scans, the ESG will initiate your scans upon request. Note that a scan should be performed whenever a new server or service is entering production for the first time or when changes are made to a production service.
Is there training available?
Yes, ESG can provide training for individuals or business units. Contact itsecurity@montana.edu to schedule.
QualysGuard also offers several good online training videos for those who have attended training and want to learn more. A link to these videos is available on the QualysGuard dashboard. Go to the Help drop-down menu located in the upper right and select Training.
Will the ESG review my scan reports for me?
ITC encourages distributed IT staff to take an active role in managing their own assets. For that reason, the ESG prefers to offer QualysGuard training and empower distributed IT staff to review and understand their own scan reports.