Vulnerability Scans Performed By IMSS Information Security: What's Involved
Please note that unauthorized scanning to or from Caltech systems is not permitted. It is a violation of our acceptable use policy. In addition, since scanning is often either an indication of system compromise or of malicious intent, we treat it as such. Scanning from off-campus is assumed to be reconnaissance prior to an attack, while scanning from inside campus is assumed to indicate that the system in question has already been compromised. If you wish to perform scans on your own systems, please contact Information Security prior to doing so, and tell us the precise nature and scope of your intended activity.
IMSS Information Security performs security vulnerability scans on Caltech campus systems upon request from the system's owner; on systems that have been rebuilt following a compromise; and as needed at the discretion of Information Security, generally as part of an investigation of suspicious-looking network activity.
Please note that we do not scan systems that are outside the Caltech network.
Currently the primary scanning tool we use for this purpose is Nessus, although other tools may be used as appropriate.
Why do a vulnerability scan?
Scans performed by Information Security allow a system's owner to learn in advance about security vulnerabilities specific to that system. There are no special privileges being used to accomplish these security scans. Note that anyone, anywhere on the Internet could also run an equivalent scan of any system that is directly connected to the Internet (i.e., not behind a firewall or similar device). In fact, they may already have done so in preparation for an attack.
Some users think that since they aren't a bank or a top-secret defense researcher, no one will be interested in breaking into their systems. In fact, there are a number of reasons that a malicious individual might have for compromising a particular computer. The intention could be to use your system as a starting point or stepping stone from which to launch attacks on the attacker's real target, thereby confusing the issue of where the attack originated. The intention could also be to use your computer's hard drive to store and distribute illegal software such as pirated programs, movies, games, music, or hacking tools. This allows the owner of the compromised system to take the blame when such materials are discovered.
When Information Security scans a system, who gets the results?
The results of a vulnerability scan are seen by IMSS Information Security staff, and can also be sent to the individual in charge of the system being scanned. In the case of student house computers, both the student who owns the system and their IMSS house rep are notified if a system appears to have specific vulnerabilities that need to be fixed. Scan results can be sent in cleartext or encrypted email upon request. If you prefer your results to be sent in encrypted form, please let us know, and be sure to send us your PGP public key or S/MIME certificate.
Does Information Security look at my files when scanning my computer?
IMSS does not look at the contents of your files, whether they reside on an IMSS-managed computer, or on a personal system being scanned for security vulnerabilities. In addition, the scanning software we use does not allow this type of access. The security vulnerability scans performed by Information Security only check for potential vulnerabilites; they do not actually exercise any of them. The scanning tool we currently use looks to see what ports are open on a given system, and notes the operating system in use. If daemons or services allowing any form of remote access are in use on the system, that fact is noted and the scanning tool attempts establish a connection and determine the version and whether the services running are subject to any known security holes.
Questions? Comments? Want to request a scan?
Send mail to email@example.com