ITS Information Assurance (IA) conducts regular scans of all University of Michigan owned and managed networks. All U-M networks are scanned once every two months from within U-M network space and once every two months from a scanner positioned outside the university. The scans alternate, with one scan performed each month. IA offers a unit monthly and on-demand scanning service on request. All networks, systems, databases, or applications that create, maintain, process, transmit, or store data classified as High or Restricted must be scanned monthly.
- The scans try to connect to hosts on the target networks in various ways to determine which hosts are responsive. Hosts can include computer workstations and servers, network switches and routers, networked printers, scanners, copiers, digital telecommunications, and personally owned devices.
- Discovered hosts are subsequently interrogated to find open ports for the scanner to probe.
- Any open ports are examined for vulnerabilities and misconfigurations specific to the type of service detected on the port. Much of this examination relies on self-reporting by the host (such as reports of software version numbers).
- Scans are limited to reviewing system and application configuration and do not open or examine content in email, documents, spreadsheets, databases, or any other application.
For answers to questions you may have about IA scans, see the Unit Monthly & On-Demand Vulnerability Scanning FAQ.
University Vulnerability Scans—conducted routinely by IA
IA conducts monthly vulnerability scans of the entire network address space registered to the University of Michigan. The scans come from a scanner positioned outside the university to give units the perspective of what an attacker can see from outside university networks.
Detailed vulnerability reports are provided to the identified contact person in a unit (as listed in the ITS Network Information Database—NetInfo). with the expectation that corrective actions will be taken.
Units are expected to remediate any identified vulnerabilities as outlined in Vulnerability Remediation.
Internal scanning across the university began in June 2020. The first couple of internal scans will be run on a test basis as IA fine-tunes the process. University networks will then be scanned monthly from inside the university to identify any potential vulnerabilities within U-M network space.
Unit Monthly and On-Demand Scanning Service—available free from IA on request
U-M units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure can request additional monthly scans from IA, as well as customized one-time scans.
- For details about the service, see the Unit Monthly & On-Demand Vulnerability Scanning FAQ.
- Request Network Vulnerability Scanning.
Web Application Security Scanning—available free from IA on request
Your unit's web applications often need to be reachable from the internet, which can leave them vulnerable to attack. To help U-M units identify and resolve vulnerabilities in web applications, IA offers web application security scans at no charge.
The scanner is effective at finding weaknesses in web applications, such as SQL injection, cross-site scripting, and authentication bypass vulnerabilities. The scanner crawls a given web application, checking for problems across web servers, proxy servers, web applications, and other web services. After a scan completes, IA provides a report detailing any concerns discovered and recommendations for remediation.
IA also subscribes to the Dorkbot service offered by the University of Texas at Austin Information Security Office for vulnerability discovery across publicly accessible sites. These checks come from autoscan.infosec.utexas.edu (184.108.40.206) which should be added to the allowlist for maximum value.
Targeted Scans for Specific Vulnerabilities—conducted by IA
IA occasionally performs narrowly targeted scans of all U-M networks to find high-risk vulnerabilities that pose an imminent threat.
When such scans are performed, every effort will be made to notify network owners in advance. An email notification will be sent to network administration lists such as FLN to advise of the scope and timing of the scan.
Units that observe unexpected scan traffic may contact firstname.lastname@example.org with the relevant source and target IP address to determine whether an IA scan is the root cause.
Units interested in performing regular vulnerability scans should first evaluate the free IA unit monthly and on-demand scanning service to see if it will meet their needs. If that is deemed insufficient, you can contact IA via the ITS Service Center for vulnerability scanning suggestions.