You have probably heard of Heartbleed, Shellshock, or POODLE, the critical software vulnerabilities disclosed this past year. Each gave attackers an easy way in: Heartbleed leaked private keys and credentials out of server memory, Shellshock allowed remote command execution through Bash, and POODLE let an attacker decrypt SSL 3.0 traffic. What you might not know is that thousands of such vulnerabilities, most discovered years ago, live on in machines that have never been patched. As caretakers of the University and its reputation, we need to identify and remediate vulnerabilities that give attackers a foothold from which to exfiltrate confidential, restricted, or prohibited information. Finding them across a campus network requires a network vulnerability scanner.
QualysGuard is a widely deployed network vulnerability scanner, created in 2002 by Qualys, Inc. In the 12 years since, it has been adopted by a majority of the Forbes Global 100 and has built a catalog of more than 20,000 vulnerability definitions. QualysGuard comprises two main features: Vulnerability Management (VM) and Web Application Scanning (WAS). With VM, system administrators can generate reports of vulnerable machines and services. With WAS, web developers can test their web applications against attacks such as SQL Injection, Cross-Site Scripting, or Denial-of-Service and report on which ones succeed. In both cases, QualysGuard links each detected vulnerability to references and remediation instructions.
The Information Security Office began issuing QualysGuard accounts to ambitious administrators and developers in March of 2014. As of this writing, over 150 administrators have begun using QualysGuard to scan their networks and web applications. Distributed IT organizations on campus, in concert with University IT, have reduced the number of Internet-facing, critically vulnerable hosts by seven percent since measurement began in April. To drive adoption, the Information Security Office is currently developing automation to proactively notify owners of vulnerable machines and services. Further details coming later this year.
Starting in the second week of November, University IT will distribute vulnerability reports to the IT leadership of schools and administrative departments. Reports will be issued twice per month, matching the cadence of the campus network scans. Our current recommendation is to remediate first the vulnerabilities that Qualys classifies as confirmed (the scanner verified the weakness rather than inferring it from a version banner, which Qualys reports separately as potential) and rates at severity level 4 or 5. The Qualys initiative at Stanford is fully funded by University IT; there is no fee to join. For more information, please visit: https://itservices.stanford.edu/service/qualys.
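The triage rule above (confirmed findings at severity 4 or 5 first) is easy to apply by hand to a short report but tedious across a department's hosts. The script below is an added example, not code from Stanford or Qualys; it applies the rule to a Qualys-style CSV export and ranks hosts by worst severity and number of actionable findings. The column names (IP, DNS, QID, Title, Type, Severity), the Type values "Vuln" for confirmed, "Practice" for potential and "Ig" for information gathered, and the sample rows are assumptions constructed for illustration; check them against the columns in your own export before relying on it.

```python
"""Triage a Qualys-style scan export down to the hosts that need remediation first.

Added example, not Stanford's or Qualys's code. It ASSUMES a CSV export with
columns IP, DNS, QID, Title, Type, Severity, where Type is "Vuln" (confirmed),
"Practice" (potential) or "Ig" (information gathered) and Severity is 1 to 5.
Verify those column names against a real export before using this on one.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: the hosts, QIDs and titles are made up for the example.
SAMPLE_CSV = """IP,DNS,QID,Title,Type,Severity
10.0.0.5,web1.example.edu,100001,OpenSSL Heartbleed Information Disclosure,Vuln,5
10.0.0.5,web1.example.edu,100002,SSLv3 Enabled (POODLE),Vuln,3
10.0.0.5,web1.example.edu,100003,Possible Outdated Apache Version,Practice,4
10.0.0.9,db1.example.edu,100004,GNU Bash Shellshock Remote Code Execution,Vuln,5
10.0.0.9,db1.example.edu,100005,Weak SSH Ciphers Supported,Vuln,4
10.0.0.12,print.example.edu,100006,SNMP Default Community,Vuln,4
10.0.0.12,print.example.edu,100007,Open TCP Services List,Ig,1
"""

CONFIRMED = "Vuln"   # assumed Type value for a confirmed vulnerability
MIN_SEVERITY = 4     # the campus recommendation: severity 4 or 5


def actionable_findings(csv_text, min_severity=MIN_SEVERITY):
    """Return the rows matching the remediation rule: confirmed and severity >= min_severity."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            severity = int(row["Severity"])
        except (KeyError, ValueError):
            continue  # skip malformed rows rather than silently mis-ranking them
        if row.get("Type") == CONFIRMED and severity >= min_severity:
            rows.append({**row, "Severity": severity})
    return rows


def hosts_by_priority(csv_text, min_severity=MIN_SEVERITY):
    """Group actionable findings by host; order by worst severity, then count, then IP."""
    per_host = defaultdict(list)
    for row in actionable_findings(csv_text, min_severity):
        per_host[row["IP"]].append(row)
    ranked = sorted(
        per_host.items(),
        key=lambda kv: (-max(r["Severity"] for r in kv[1]), -len(kv[1]), kv[0]),
    )
    return [
        {
            "ip": ip,
            "dns": rows[0]["DNS"],
            "worst": max(r["Severity"] for r in rows),
            "count": len(rows),
            "qids": [r["QID"] for r in rows],
        }
        for ip, rows in ranked
    ]


if __name__ == "__main__":
    for host in hosts_by_priority(SAMPLE_CSV):
        print(f"{host['ip']:<12} {host['dns']:<20} worst=sev{host['worst']} "
              f"confirmed_findings={host['count']} qids={','.join(host['qids'])}")
```

Potential findings (Type "Practice") are deliberately excluded even at severity 4, matching the recommendation to act on confirmed results first; drop the Type check if you want them in a second-tier list. On the sample data the ordering is db1 (two confirmed findings, worst severity 5), then web1 (one at severity 5), then the printer (one at severity 4).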
© Stanford University, Stanford, California 94305.