CSP - IT Rep - Patch & Vulnerability Management


Patch & Vulnerability Management


10. Supported System

What is the percentage of devices (consider servers, laptops/desktops, and devices controlling research equipment) under my control that run a version of their operating system for which security updates continue to be produced? Please include devices that have out-of-date operating systems in the percentage if compensating controls approved by the CISO have been applied.


Why is this Essential?

Out-of-date and out-of-support operating systems no longer receive security fixes and updates that address known vulnerabilities. Without compensating controls (such as system hardening), they pose a high risk of unauthorized access to UBC Electronic Information or resources.


Reference Links
Automatic Blocking of Malicious Websites
Firewalls Guideline:
UBC IT Virtual Firewall Service

Instructions

N/A


What is Acceptable?

Where the system is at end of life and security-related updates and patches are no longer available from the vendor, the unit has either upgraded the system to the current supported version or requested a variance and implemented compensating controls approved by the CISO.



11. Vulnerability Notification Service

Are IT Support Staff in my unit subscribed to appropriate Notification Services to ensure they are aware of new vulnerabilities and corresponding patches as soon as they are available?


Why is this Essential?

As part of the vulnerability management process it is important to be notified of any new security issues affecting the products in use that could increase the probability of systems becoming compromised. These subscriptions and notifications help keep University IT Support Staff up to date on new vulnerabilities, so that appropriate steps can be taken to reduce risks to the affected systems.


Reference Links
Patch Management
Security Vulnerability Information Sources
Appropriate Notification Services
Vulnerability Management Program (VMP)

Instructions

The following Notification Services are recommended by UBC's Cybersecurity team:

UBC Confidential Communication (CC) site:
  • UBC CC site - https://cc.cybersecurity.ubc.ca/subscribe/
US CERT:
  • Current Activity - https://www.us-cert.gov/ncas/current-activity
  • Known Exploited Vulnerabilities - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Alerts - http://www.us-cert.gov/ncas/alerts
  • RSS Feed - http://www.us-cert.gov/ncas/alerts.xml
SANS:
  • NewsBites - http://www.sans.org/newsletters/#newsbites
Canadian Centre for Cyber Security (CCCS):
  • Cyber Security Bulletins (RSS Feed) - http://www.publicsafety.gc.ca/cnt/_xml/cybr-ctr-eng.xml
  • Public Safety Canada – Cyber Security Bulletins/Alerts - http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/index-eng.aspx#a

What is Acceptable?

Clear assignment of responsibility for monitoring notification services to individual(s) within the IT support function.



12. Patching Cadence

Do most of the UBC servers under my control have Critical and High Severity Vulnerability patches applied within 72 hours and 14 days respectively of the patch release time?


Why is this Essential?

Unpatched software is frequently exploited by malicious individuals to access information or resources. To mitigate this threat, vendor-provided patches for UBC Systems (e.g. operating systems, applications, databases, etc.) must be applied, with service outages where required, in accordance with Severity Ratings for Vulnerabilities (CVSS) or as defined by the vendors or other third parties, as highlighted in UBC's Information Security Standards.


Reference Links
Patch Management
Vulnerability Awareness & Patching Prioritization

Instructions

“Most” in the question should be interpreted as 85% or more of the UBC servers under my control.


What is Acceptable?

A best estimate is acceptable, but ideally it would be informed by real-world data, e.g. ticket open/close times.
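The following is an added example (not part of this CSP page) of how the item 12 question could be answered from ticket open/close times rather than by guesswork. It assumes, as a convention of the example only, that a ticket is opened at patch release time and closed when the patch is applied; the ticket records are constructed sample data, not UBC data.

```python
"""Added example for item 12 (not part of the UBC CSP page): estimate patching
cadence from ticket open/close times, the data source the page suggests.
Assumption (ours, not the page's): a ticket opens at patch release and closes
when the patch is applied; all records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Deadlines taken from the question: Critical within 72 hours, High within 14 days.
SLA = {"Critical": timedelta(hours=72), "High": timedelta(days=14)}
MOST_THRESHOLD = 0.85  # "Most" is interpreted as 85% or more of servers


@dataclass
class PatchTicket:
    server: str
    severity: str                # CVSS-based rating as recorded in the ticket
    released: datetime           # patch release time (ticket opened)
    applied: Optional[datetime]  # None while the ticket is still open


def within_sla(ticket: PatchTicket, as_of: datetime) -> bool:
    """True when the patch was (or still can be) applied inside its deadline.

    Severities the question does not measure (e.g. Medium) are treated as
    compliant so they do not skew the result.
    """
    window = SLA.get(ticket.severity)
    if window is None:
        return True
    deadline = ticket.released + window
    if ticket.applied is None:
        return as_of <= deadline      # open, but not yet overdue
    return ticket.applied <= deadline


def patching_cadence(tickets, as_of):
    """Return (fraction of servers meeting the SLA, sorted servers that missed it).

    A server is compliant only if every Critical/High ticket for it met its deadline.
    """
    servers = {t.server for t in tickets}
    late = sorted({t.server for t in tickets if not within_sla(t, as_of)})
    compliant = len(servers) - len(late)
    return (compliant / len(servers) if servers else 0.0), late


def most_servers_compliant(tickets, as_of) -> bool:
    """Answer the item 12 question: is the compliant share at least 85%?"""
    fraction, _ = patching_cadence(tickets, as_of)
    return fraction >= MOST_THRESHOLD


# Constructed sample tickets (not real UBC data).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_TICKETS = [
    PatchTicket("web01", "Critical", T0, T0 + timedelta(hours=48)),    # 48 h: ok
    PatchTicket("db01", "High", T0, T0 + timedelta(days=10)),          # 10 d: ok
    PatchTicket("app01", "Critical", T0, T0 + timedelta(hours=96)),    # 96 h: late
    PatchTicket("app01", "Medium", T0, None),                          # not measured
    PatchTicket("file01", "High", T0, T0 + timedelta(days=14)),        # exactly 14 d: ok
    PatchTicket("mail01", "Critical", T0 + timedelta(days=30), None),  # open, not yet due
]
AS_OF = T0 + timedelta(days=31)

if __name__ == "__main__":
    share, late = patching_cadence(SAMPLE_TICKETS, AS_OF)
    print(f"{share:.0%} of servers within SLA; late: {late}")
    print("Most servers compliant:", most_servers_compliant(SAMPLE_TICKETS, AS_OF))
```

With the sample data, four of five servers meet their deadlines (80%), so the item 12 answer would be "no" even though only one server is late; a per-server view like this is what makes the 85% interpretation measurable.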


13. Vulnerability Scans/Reports (New Systems)

Are vulnerability reports obtained for all new or substantially modified internet-facing servers and applications (excluding Software-as-a-Service), and have all necessary remediation actions been taken prior to going into production?


Why is this Essential?

Internet-facing servers are constantly being probed by threat actors looking for ways to access and/or control the system and data. It is important that no known vulnerabilities are left unpatched which would allow threat actors to access vulnerable systems and gain control.

In addition, vulnerability scanners serve as a repository of hosts and services, giving valuable insight into the exposure of internet-facing systems.

Reference Links
Vulnerability Scanning
Vulnerability Management Program (VMP)
Vulnerability Scanners
Internal vs External Network Contexts
Vulnerability Scanners – Minimal

Instructions

N/A


What is Acceptable?

There is a process in place to confirm the security of new or substantially modified internet-facing systems, which includes vulnerability scans.


14. Vulnerability Scans/Reports (Ongoing)

Are UBC’s Vulnerability Scanners allowed appropriate access to scan infrastructure under my control at all times?

Why is this Essential?

Vulnerability scanners are a critical tool for identifying potential security vulnerabilities in UBC infrastructure by scanning network assets. Additionally, vulnerability scanners provide insights into system and service exposure, making them a valuable repository of information.

Specifically blocking access to a cybersecurity-approved vulnerability scanner can lead to incomplete or inaccurate reporting of vulnerable assets or services. While it may be necessary to configure certain systems to follow security rules that limit access, vulnerability scanners should never be intentionally blocked from scanning network assets.


Reference Links
Vulnerability Scanning
Vulnerability Management Program (VMP)
Vulnerability Scanners – Minimal

Instructions

In accordance with UBC Information Security Standard M5, Vulnerability Management, UBC Cybersecurity makes use of multiple vulnerability scanners to identify vulnerabilities within UBC. The cybersecurity team has published an article to provide a list of IP addresses involved in vulnerability scanning at UBC.
Vulnerability Scanners

When configuring your network firewall there are two categories of network scanners that require you to treat your firewall differently.
1. External network vulnerability scanners
These vulnerability scanners scan from a network external to UBC and need to be treated like regular internet traffic. No rules should be specifically configured in the firewall for these scanners. This allows us to have the best picture of how our network looks to someone outside UBC.
2. Internal network vulnerability scanners
These vulnerability scanners scan from a UBC internal network and should have rules created in your network firewall to open up full access to all network assets. This gives us the best picture of how our network looks from the inside.
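The following is an added example (not part of this CSP page or of any UBC tooling) that checks a firewall rule list against the two categories above: an internal scanner must hit a rule granting full access, and no rule may single out an external scanner, so that it sees exactly what the rest of the internet sees. The scanner addresses are RFC 5737 documentation placeholders standing in for the list in UBC Cybersecurity's "Vulnerability Scanners" article, and the rule sets are constructed.

```python
"""Added example for item 14 (not part of the UBC CSP page): audit a firewall
rule list against the two scanner categories the instructions describe.
Scanner addresses below are RFC 5737 placeholders; replace them with the
addresses from UBC Cybersecurity's "Vulnerability Scanners" article.
Rule sets are constructed sample data. First-match evaluation is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_SOURCE = ip_network("0.0.0.0/0")

# PLACEHOLDERS (documentation ranges), not real scanner addresses.
INTERNAL_SCANNERS = ["192.0.2.10"]
EXTERNAL_SCANNERS = ["203.0.113.5"]


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source host or CIDR
    dst: str      # "any" or a destination host/CIDR
    ports: str    # "any" or a port spec such as "tcp/443"

    def matches_source(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.src)

    def is_full_access(self) -> bool:
        return self.action == "allow" and self.dst == "any" and self.ports == "any"

    def __str__(self) -> str:
        return f"{self.action} {self.src} -> {self.dst} {self.ports}"


def first_match(rules, ip):
    """First-match evaluation: the first rule whose source contains ip decides."""
    for rule in rules:
        if rule.matches_source(ip):
            return rule
    return None


def audit_internal_scanner(rules, ip):
    """Internal scanners need a rule opening full access to all assets."""
    rule = first_match(rules, ip)
    if rule is None:
        return f"{ip}: no rule matches, scanner falls through to the default policy"
    if not rule.is_full_access():
        return f"{ip}: first matching rule '{rule}' does not grant full access"
    return None


def audit_external_scanner(rules, ip):
    """External scanners must look like ordinary internet traffic: no rule may
    single them out, whether to block them or to let them in."""
    for rule in rules:
        if rule.matches_source(ip) and ip_network(rule.src) != ANY_SOURCE:
            return f"{ip}: rule '{rule}' treats the external scanner specially"
    return None


def audit(rules, internal_scanners, external_scanners):
    """Return all findings; an empty list means the rule set follows item 14."""
    findings = []
    for ip in internal_scanners:
        finding = audit_internal_scanner(rules, ip)
        if finding:
            findings.append(finding)
    for ip in external_scanners:
        finding = audit_external_scanner(rules, ip)
        if finding:
            findings.append(finding)
    return findings


# Constructed rule set with both kinds of mistake.
PROBLEM_RULES = [
    Rule("deny", "192.0.2.0/24", "any", "tcp/22"),       # shadows the internal scanner's allow
    Rule("allow", "192.0.2.10", "any", "any"),           # intended full access, never reached
    Rule("deny", "203.0.113.5", "any", "any"),           # explicitly blocks the external scanner
    Rule("allow", "0.0.0.0/0", "10.10.1.20", "tcp/443"),  # ordinary web exposure: fine
]

# Constructed rule set that follows the instructions.
COMPLIANT_RULES = [
    Rule("allow", "192.0.2.10", "any", "any"),           # internal scanner: full access
    Rule("allow", "0.0.0.0/0", "10.10.1.20", "tcp/443"),  # what the internet sees
    Rule("deny", "0.0.0.0/0", "any", "any"),             # default deny applies to everyone alike
]

if __name__ == "__main__":
    for name, rules in (("problem", PROBLEM_RULES), ("compliant", COMPLIANT_RULES)):
        print(name, audit(rules, INTERNAL_SCANNERS, EXTERNAL_SCANNERS) or "OK")
```

The compliant set never mentions the external scanner at all; it reaches the same default deny as any other internet host, which is precisely the point of category 1. The problem set shows the common rule-ordering mistake for category 2: a broader deny placed ahead of the scanner's allow silently shadows it.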


What is Acceptable?

University IT Support Staff must not block UBC’s Vulnerability Scanners without evaluating the options with UBC’s Cybersecurity team.