Vulnerability Scanning Services

Information Assurance (IA) conducts routine quarterly scans of all University of Michigan owned and managed networks and offers a monthly and on-demand scanning service on request. All networks, systems, databases, or applications that create, maintain, process, transmit, or store data classified as High or Restricted must be scanned monthly.

  • The scans try to connect to hosts on the target networks in various ways to determine which hosts are responsive. Hosts can include computer workstations and servers, network switches and routers, networked printers, scanners, copiers, digital telecommunications, and personally owned devices.
  • Discovered hosts are subsequently interrogated to find open ports for the scanner to probe.
  • Any open ports are examined for vulnerabilities and misconfigurations specific to the type of service detected on the port. Much of this examination relies on self-reporting by the host (such as reports of software version numbers).
  • Scans are limited to reviewing system and application configuration and do not open or examine content in email, documents, spreadsheets, databases, or any other application.

For answers to questions you may have about IA scans, see the Monthly & On-Demand Vulnerability Scanning FAQ.

Expand All Content

Scans Offered

Quarterly Vulnerability Scans—conducted routinely by IA

IA conducts quarterly vulnerability scans of the entire network address space registered to the University of Michigan. The scans come from a scanner positioned outside the university to give units the perspective of what an attacker can see from outside university networks.

Detailed vulnerability reports are provided to the identified contact person in a unit (as listed in the ITS Network Information Database—NetInfo). with the expectation that corrective actions will be taken.

Units are expected to remediate any identified vulnerabilities as outlined in Vulnerability Remediation.

Monthly and On-Demand Scanning Service—available free from IA on request

U-M units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure can request monthly scans from IA, as well as customized one-time scans.

Web Application Security Scanning—available free from IA on request

Your unit's web applications are often reachable, by necessity, from the internet. This can leave those applications—and U-M in general—vulnerable to attack. To help U-M units identify and resolve vulnerabilities in web applications, IA offers web application security scans at no charge.

The scanner is effective at finding vulnerabilities specific to web applications, such as SQL injection, cross-site scripting, and so on. The scanner crawls websites, checking for vulnerabilities across web servers, proxy servers, web application servers, and other web services. After the scan completes, IA gives you a detailed report with specific vulnerability details and remediation steps.

As with standard monthly and on-demand scans, units may use the service to scan UM-owned networks that are reachable from IA's scanning server. For networks that are not normally reachable due to a firewall, an exception will need to be created to allow the scanner full visibility of the target network.

Request a scan via the Vulnerability Scanning Request form.

Targeted Scans for Specific Vulnerabilities—conducted by IA

IA occasionally performs narrowly targeted scans of all U-M networks to find high-risk vulnerabilities that pose an imminent threat.

When such scans are performed, every effort will be made to notify network owners in advance. An email notification will be sent to network administration lists such as FLN to advise of the scope and timing of the scan.

Units that observe unexpected scan traffic may contact with the relevant source and target IP address to determine whether an IA scan is the root cause.

Unit-Performed Scans

Units interested in performing regular vulnerability scans should first evaluate the free IA monthly and on-demand scanning service to see if it will meet their needs. If that is deemed insufficient, you can contact IA via the ITS Service Center for vulnerability scanning suggestions.