System Vulnerability Scanning
Software vulnerabilities and misconfigurations on Penn State computer systems increase the risk of unauthorized access, data breaches, data destruction and loss of operation. Fixing these vulnerabilities is crucial to protecting Penn State systems and data. In accordance with AD95: Vulnerability Management, IS conducts regular vulnerability scans of the Penn State network using Nessus vulnerability scanners and agents.
IS manages non-credentialed network scans of the Penn State network. Network scans are conducted in two parts, a discovery scan followed by a vulnerability scan. The discovery scan consists of a ping scan to identify live IPs. Systems determined to be live based on the discovery scan are targeted for further vulnerability scans to identify open ports and vulnerabilities.
Vulnerability Data
The Unit Security Dashboard (USD) is the primary method for sharing vulnerability data with security liaisons and system owners. The USD displays all high and critical severity vulnerabilities for each unit including all details needed to remediate each discovered vulnerability.
In addition to the USD, email notifications are sent daily to each unit’s security liaisons containing the list of high and critical severity vulnerabilities discovered within the past 24 hours.
Nessus Agent
Nessus Agents are lightweight applications that you install locally on hosts to supplement traditional network-based scanning. Nessus Agents collect vulnerability, compliance and system data, and report that information back to a cloud-based management console for analysis. Results from agent scans appear on the Unit Security Dashboard.
The Nessus Agent is required for all university-owned systems. Please visit this page on the Unit Security Dashboard to view the installation instructions for the Nessus Agent.
Tenable Cloud Security
Tenable Cloud Security is used instead of the Nessus Agent for cloud-based virtual machines. This service is agentless: it detects software vulnerabilities by analyzing the image and configuration of each cloud instance, so it has no performance impact on the instances themselves. Vulnerabilities discovered by Tenable Cloud Security are displayed on the Unit Security Dashboard in the same way as vulnerabilities discovered by agent and network scans.
Tenable Cloud Security covers all three major cloud providers (AWS, Azure and GCP). Please email vulnscanning@psu.edu with any questions about Tenable Cloud Security.
Vulnerability Exceptions & Scan Exclusions
Vulnerability Exceptions
According to the IS Vulnerability Management Standard, vulnerabilities identified during scans must be remediated within a certain time frame depending on the severity of the vulnerability. Sometimes, however, it might not be possible to remediate a vulnerability within this time frame, or the “vulnerability” may be a false positive.
Situations when an exception may be granted include:
- Systems managed by a vendor
- Systems that are scheduled to be decommissioned in the near future
- Systems running unsupported or end-of-life software, where proper justification is provided
- The system does not support the configuration needed to remediate the vulnerability
Please use this ServiceNow form to request an exception. For an exception to be granted, IS requires that compensating controls be implemented in order to mitigate the risk of the vulnerability. Examples of compensating controls include:
- Limiting connectivity via firewall rules and/or moving to RFC 1918 (aka private) IP space
- Installing the Splunk Universal Forwarder (UF) (if required), Defender and Nessus agents (if not already installed)
Scan Exclusions
IS scans all public Penn State subnets for vulnerabilities. Sometimes, however, scans can negatively impact certain systems. In these cases, exclusions from regular scans can be granted.
In order to submit an exclusion request, please email vulnscanning@psu.edu. In the email please include the following:
- The IP of the system that needs an exclusion
- A brief description about the system
- The last date/time the system was scanned and a description of what happened and why an exclusion is necessary
- Justification for why the system cannot be moved to RFC 1918 (aka private) IP space where network scans do not occur
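Because network scans only reach public Penn State addresses while the Nessus Agent is required on every university-owned system, it helps to know which scanning path actually covers each host before requesting an exclusion. The following is an added example, not code from IS or Tenable; the inventory, host names and IP addresses are constructed sample data, and the coverage categories are this example's own labels.

```python
"""Classify a host inventory by which IS scanning path covers it.

Assumptions (from the service description): non-credentialed network scans
cover only public (non-RFC 1918) subnets, and the Nessus Agent is required on
all university-owned systems.  Everything else here is constructed.
"""
import ipaddress

# The three RFC 1918 blocks.  ipaddress's is_private is deliberately not used:
# it also matches loopback, link-local, CGNAT (100.64.0.0/10) and
# documentation ranges, none of which count as "private IP space" here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for IPv4 addresses inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def coverage(host: dict) -> str:
    """Return the scanning path that covers a host, or flag a gap.

    network+agent : public IP, agent installed (both scan types apply)
    network-only  : public IP, no agent -> agent install still required
    agent-only    : RFC 1918 IP, agent installed (no network scan occurs)
    uncovered     : RFC 1918 IP and no agent -> not scanned at all
    """
    private = is_rfc1918(host["ip"])
    agent = host["nessus_agent"]
    if private:
        return "agent-only" if agent else "uncovered"
    return "network+agent" if agent else "network-only"


# Constructed sample inventory; addresses are placeholders, not real hosts.
INVENTORY = [
    {"name": "lab-web",   "ip": "203.0.113.10", "nessus_agent": True},
    {"name": "legacy-db", "ip": "203.0.113.20", "nessus_agent": False},
    {"name": "print-srv", "ip": "10.20.30.40",  "nessus_agent": True},
    {"name": "old-hvac",  "ip": "172.20.1.5",   "nessus_agent": False},
    {"name": "cgnat-box", "ip": "100.64.0.7",   "nessus_agent": False},
]


def report(inventory=INVENTORY) -> dict:
    """Map each host name to its coverage category."""
    return {h["name"]: coverage(h) for h in inventory}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:10} {status}")
```

Hosts reported as "uncovered" are the ones to prioritise: moving a system into RFC 1918 space removes it from network scans, so the agent is its only remaining coverage.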
ServiceNow Knowledge Base
IS maintains a knowledge base in ServiceNow that contains additional information about vulnerability scanning, the Nessus Agent and guides for remediating specific vulnerabilities. For any additional questions please email vulnscanning@psu.edu.
Vulnerability FAQs
What is the required timeline for remediating vulnerabilities?
AD95: Vulnerability Management outlines the timeline for remediating vulnerabilities.
Where can I find information about remediating a specific vulnerability?
Please visit the Nessus area of the ServiceNow Knowledge Base to view guides for remediating specific vulnerabilities or contact vulnscanning@psu.edu with any questions.
Where can I find more information about the Unit Security Dashboard (USD)?
Please visit this page to learn more about the USD.
How do I request an exception for a vulnerability I simply cannot fix (but I have mitigated as much as possible)?
Please complete our ServiceNow Exception Request form with the specifics of your request.
Where can I find more information about vulnerability scanning and Nessus?
Please visit the Nessus area of the ServiceNow Knowledge Base or contact vulnscanning@psu.edu with any questions.