
City of Sacramento Vulnerability Scan

Background

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. It ranks fourth on the Top 20 Critical Security Controls list, which states that organizations should “continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.” Vulnerability scans provide critical information to the Information Security Office and management as part of the risk assessment process for City systems. System Administrators also use vulnerability scan reports to assess the security posture of their systems and to outline the remediation tasks required to bring those systems into compliance.

Vulnerability Management

Vulnerability scans are conducted on all systems connected to the City network including servers and web applications. For a successful comprehensive scan, a server or web application must be properly configured in the Vulnerability Management Scanner.

When scans are required

A vulnerability scan is required on all servers, physical or virtual, at several steps of the implementation process. The City has adopted the following process for server Vulnerability Management.

  • All new servers will have a baseline scan before ownership transfer is performed.

  • Production servers will have a monthly scan to ensure continual compliance.

  • A scan must be requested before a server goes into production and again whenever a change has been made since the last scan.

Reporting results

  • External facing servers with a scan result of Critical will not be allowed to go live.
  • External facing servers with Moderate results must have a remediation plan in place before go live.
  • Internal facing servers with Critical and Moderate results will be allowed to go live but must submit a remediation plan.

Credentialed (Authenticated) Vulnerability Scans

Credentialed, or authenticated, scans are far more accurate than un-credentialed scans because they log in using an account on the system being scanned. Logging in lets the scanner see what a network probe cannot: installed software that does not listen on the network, missing patches, and vendor fixes that were backported without changing the version a service advertises, so credentialed results have both fewer false positives and fewer misses. Credentialed scans are also more efficient and lower impact, because checks can read installed versions and configuration directly instead of sending test traffic to every service. In practice they inventory installed software versions, run local checks, and read the Windows registry. The scan account must have enough privilege to read that data (local administrator or root, or a vendor-documented equivalent), which makes its credentials a high-value secret that should be stored in the scanner's credential vault rather than shared with other tools.
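The following is an added example, not the City's scanner or its Knowledge Base, showing why an authenticated inventory is more accurate than a banner grab. Three constructed advisories are checked two ways: the uncredentialed path only sees what a network service advertises, while the credentialed path reads the package and hotfix inventory that an authenticated session can collect, which records backported security patches and software that never listens on the network. All product names, versions, patch IDs and advisory IDs are made up for the example.

```python
"""Why a credentialed scan is more accurate than a banner grab.

Added example, not the City's scanner or its Knowledge Base.  The same
three constructed advisories are checked two ways: the uncredentialed path
only sees what a network service advertises, while the credentialed path
logs in and reads the package/hotfix inventory, which records backported
security patches and software that never listens on the network.
Product names, versions, patch IDs and advisory IDs are all made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    product: str
    fixed_version: str        # first upstream version carrying the fix
    fix_patches: frozenset    # vendor patch IDs that backport the fix
    severity: str


@dataclass(frozen=True)
class Package:
    product: str
    version: str
    patches: frozenset = frozenset()  # from the package manager / hotfix list


def version_key(version: str) -> tuple:
    """'7.4p1' -> (7, 4, 1): compare by the numeric fields only (toy scheme)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


# Patterns a scanner would use to pull product/version out of a banner.
BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH_([\w.]+)"),
    "apache": re.compile(r"Apache/([\d.]+)"),
}


def uncredentialed_findings(banners, advisories):
    """Flag an advisory when the advertised version is below the fixed version.
    The banner does not say whether a distro patch was applied, and software
    with no listening service never appears here."""
    observed = {}
    for banner in banners:
        for product, pattern in BANNER_PATTERNS.items():
            m = pattern.search(banner)
            if m:
                observed[product] = m.group(1)
    return [a.id for a in advisories
            if a.product in observed
            and version_key(observed[a.product]) < version_key(a.fixed_version)]


def credentialed_findings(inventory, advisories):
    """Same test, but against the installed inventory read over an
    authenticated session: a backported patch clears the finding."""
    findings = []
    for a in advisories:
        for pkg in inventory:
            if pkg.product != a.product:
                continue
            if version_key(pkg.version) >= version_key(a.fixed_version):
                continue
            if pkg.patches & a.fix_patches:
                continue  # fix backported without a version bump
            findings.append(a.id)
    return findings


def compare_scans(banners, inventory, advisories):
    """Split the two result sets so the difference is visible at a glance."""
    unc = set(uncredentialed_findings(banners, advisories))
    cred = set(credentialed_findings(inventory, advisories))
    return {
        "confirmed": sorted(unc & cred),
        "false_positives": sorted(unc - cred),   # banner too old, but patched
        "missed_by_banner": sorted(cred - unc),  # local-only or not advertised
    }


# Constructed data: one host, three advisories.
ADVISORIES = [
    Advisory("ADV-0001", "openssh", "7.6", frozenset({"deb9u5"}), "High"),
    Advisory("ADV-0002", "sudo", "1.9.5", frozenset(), "Critical"),  # local privesc, no banner
    Advisory("ADV-0003", "apache", "2.4.50", frozenset({"deb10u3"}), "High"),
]
BANNERS = ["SSH-2.0-OpenSSH_7.4p1", "Server: Apache/2.4.41 (Debian)"]
INVENTORY = [
    Package("openssh", "7.4p1", frozenset({"deb9u5"})),  # patched via backport
    Package("sudo", "1.8.27"),                            # unpatched, no listener
    Package("apache", "2.4.41"),                          # genuinely vulnerable
]

if __name__ == "__main__":
    print(compare_scans(BANNERS, INVENTORY, ADVISORIES))
```

Run as a script it prints one confirmed finding, one false positive that only the banner check raises, and one Critical local finding that only the credentialed check can see. Real scanners use far richer version parsing than `version_key`; the point is that the banner is the wrong source of truth for patch state.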

Discovery Scans

A discovery scan sweeps new servers and their subnets to identify live hosts and the services they provide. Discovery scans are low impact because they only record which services answer; they do not test those services for vulnerabilities or exploits. The Information Security Office performs quarterly discovery scans of all City server subnets, as required by the IT Security Policy, as well as on-demand scans.
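As an added example (not the City's scanner), the block below does the minimum a discovery scan does: it makes a plain TCP connection to each target port, keeps whatever greeting the service volunteers, and sends no requests or test payloads, which is exactly the restraint that keeps discovery low impact. The target list and the loopback demo service are constructed so the example runs offline.

```python
"""Discovery scan: record which hosts answer and what they run, nothing more.

Added example, not the City's scanner.  It makes a plain TCP connection to
each target port, keeps whatever greeting the service volunteers, and sends
no requests or test payloads at all; that restraint is what makes discovery
low impact.  The target list and the loopback demo service are constructed
so the example runs offline.
"""
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class HostReport:
    host: str
    open_ports: dict = field(default_factory=dict)  # port -> banner ("" if silent)


def probe(host: str, port: int, timeout: float = 0.5):
    """Connect, read at most one greeting, close. Returns (is_open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(128).decode("ascii", "replace").strip()
            except OSError:  # includes timeouts: service waits for the client to speak first
                banner = ""
            return True, banner
    except OSError:  # refused, filtered, unroutable
        return False, ""


def discover(targets, ports):
    """One HostReport per target; ports that do not answer are simply absent."""
    reports = []
    for host in targets:
        report = HostReport(host)
        for port in ports:
            is_open, banner = probe(host, port)
            if is_open:
                report.open_ports[port] = banner
        reports.append(report)
    return reports


def start_demo_service(banner: bytes):
    """Constructed stand-in for a real server on an ephemeral loopback port.
    It greets each client with `banner` and closes; returns (socket, port)."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:  # server socket closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return server, port


def unused_port() -> int:
    """Pick a port nothing is listening on, to show a closed-port result."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_demo_service(b"SSH-2.0-Demo_1.0\r\n")
    for r in discover(["127.0.0.1"], [port, unused_port()]):
        print(r.host, r.open_ports)
    server.close()
```

The report contains only host, port and greeting; feeding that list into the vulnerability scanner configuration is the next step, not part of discovery itself. A production sweep would add ICMP/ARP host detection and parallel probing, but it should keep the same rule of sending nothing beyond the connection.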

Severity Definitions

The Vulnerability Management scanner assigns every vulnerability in its Knowledge Base a severity level, which is determined by the security risk associated with its exploitation. The possible consequences related to each vulnerability gathered are described below.