SERVICES
Information Security
System Vulnerability Scanning
Software vulnerabilities and misconfigurations on Penn State computer systems increase the risk of unauthorized access, data breaches, data destruction, and loss of operation. Fixing these vulnerabilities is crucial to protecting Penn State systems and data. In accordance with AD95: Vulnerability Management, IS conducts regular vulnerability scans of the Penn State network using Nessus vulnerability scanners and agents.
IS manages non-credentialed network scans of the Penn State network. IS-managed network scans are conducted in two parts, a discovery scan followed by a vulnerability scan. The discovery scan consists of a ping scan to identify live IPs. Systems determined to be live based on the discovery scan are targeted for further vulnerability scans to identify open ports and vulnerabilities.
Vulnerability Data
The Unit Security Dashboard (USD) is the primary method for sharing vulnerability data with security liaisons and system owners. The USD displays all high and critical severity vulnerabilities for each unit including all details needed to remediate each discovered vulnerability.
In addition to the USD, email notifications are sent daily to each unit’s security liaisons containing the list of high and critical severity vulnerabilities discovered within the past 24 hours.
Nessus Agent
Nessus Agents are lightweight applications that you install locally on hosts to supplement traditional network-based scanning. Nessus Agents collect vulnerability, compliance, and system data, and report that information back to a manager (Tenable.io) for analysis. Results from agent scans appear on the Unit Security Dashboard.
The Nessus Agent is required for all university-owned workstations and servers. Please visit this page on the Unit Security Dashboard to view the installation instructions for the Nessus Agent.
Vulnerability Exceptions & Scan Exclusions
Vulnerability Exceptions
According to the IS Vulnerability Management Standard, vulnerabilities identified during scans must be remediated within a certain time frame depending on the severity of the vulnerability. Sometimes, however, it might not be possible to remediate a vulnerability within this time frame, or the “vulnerability” may be a false positive.
Situations when an exception may be granted include:
- Systems managed by a vendor
- Systems that are scheduled to be decommissioned in the near future
- Systems running software that is not supported or is end-of-life that has proper justification
- The system does not support the configuration needed to remediate the vulnerability
Please use this ServiceNow form to request an exception. For an exception to be granted, IS requires compensating controls be implemented in order to mitigate the risk of the vulnerability. Examples of compensating controls include:
- Limiting connectivity via firewall rules and/or moving to RFC 1918 (aka private) IP space
- Closing unneeded ports
- Installing the Splunk, Defender ATP and Nessus agents (if not already installed)
Scan Exclusions
IS scans all public and private Penn State IP ranges for vulnerabilities. Sometimes, however, scans can negatively impact certain systems. In these cases exclusions from regular scans can be granted. Typically legacy network devices, phone systems, printers and other embedded devices are the types of systems that sometimes require exclusion from scans. Scan exclusions are not generally granted for workstations or servers.
In order to submit an exclusion request, please email vulnscanning@psu.edu. In the email please include the following:
- The IP of the system that needs an exclusion
- A brief description about the system
- The last date/time the system was scanned and a description of what happened and why an exclusion is necessary
ServiceNow Knowledge Base
IS maintains a knowledge base in ServiceNow that contains additional information about vulnerability scanning, the Nessus Agent and guides for remediating specific vulnerabilities. For any additional questions please email vulnscanning@psu.edu.
Vulnerability FAQs
(Click question to expand content.)
don't modify this so accordion stays closed
What is the required timeline for remediating vulnerabilities?
AD95: Vulnerability Management outlines the timeline for remediating vulnerabilities.
Where can I find information about remediating a specific vulnerability?
Please visit the Nessus area of the ServiceNow Knowledge Base to view guides for remediating specific vulnerabilities or contact vulnscanning@psu.edu with any questions.
Where can I find more information about the Unit Security Dashboard (USD)?
Please visit this page to learn more about the USD.
How do I request an exception for a vulnerability I simply cannot fix (but I have mitigated as much as possible)?
Please complete our Service Now Exception Request form with the specifics of your request.
Where can I find more information about vulnerability scanning and Nessus?
Please visit the Nessus area of the ServiceNow Knowledge Base or contact vulnscanning@psu.edu with any questions.
Update Network Contacts
The Unit Security Dashboard (USD) and other automation used by IS relies on accurate contact information. The contacts for a system are retrieved from official central systems:
- VM Hosting, for virtual machines hosted by VM Hosting.
- ENCS’s IPAM system (a.k.a. Proteus or BlueCat Networks) for IP addresses on the network via the audit contact field for the subnet
IS does not maintain these systems, so if modifications are necessary, please contact the appropriate owner using the links below:
- VM Hosting Network Contact Update Request
- Proteus Network Contact Update Request
- Select Make a general DNS/DHCP request and then describe the request in the box that appears.