Vulnerability Scanning FAQ

Please Note: this resource is intended for IT support providers and system administrators. If you need assistance, please contact your FSP. If you have general questions, please call the UIT Call Center at 617-627-3376, and they will direct you to the appropriate group.

Vulnerability Scanning

What is Vulnerability Scanning?

Vulnerability scanning is the process of checking systems and services for known vulnerabilities. If you can find issues before a malicious user or computer does, you can fix them or limit their impact. Tufts' vulnerability scanning process is not designed to exploit any vulnerabilities, cause system crashes, or break into the service, but does let you know if your software is susceptible to these kinds of attacks.

You can run scans yourself by requesting a Nessus account. We can help you understand the results and advise you on steps you can take to analyze and respond to the findings.

There are three types of scans available:

Network-Only Vulnerability Scan

Nessus without credentials. This scan identifies network-based vulnerabilities and misconfigurations in the services that are accessible over the network.

  • Identifies what services are available over the network and scans them for vulnerabilities
  • Does not attempt to exploit any found vulnerabilities or "break into" the server.
  • Does not run any denial of service type attacks.

Host-Based Vulnerability Scan

Nessus with credentials. This scan logs in to the host and identifies local vulnerabilities and misconfigurations, as well as confirms that the latest application/OS patches are installed.

  • Logs into the server (with an account supplied by an administrator) and checks the local operating system for misconfigurations, missing patches, etc.
  • Does not attempt to exploit any found vulnerabilities or "break into" the server.
  • Does not run any denial of service type attacks.

Web Application Scan

Whereas the Network-Only and Host-Based vulnerability scans look for misconfigurations in running services, the Web Application scan looks for flaws in the programming of the web-based application itself. Fixing them typically requires changes by the web application's developer.

  • Analyzes web-based functionality for common security misconfigurations and web application programming errors.
  • Can be run without credentials to assess functionality available prior to logging into a web application.
  • Can be run with credentials to assess functionality accessible to a specific role or user.
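Whichever scan type you run, the output is a Nessus export that still has to be triaged. The following is an added example, not Tufts code or a Tufts tool, of reading a `.nessus` (v2 XML) export and summarising the findings per host by severity so the highest-severity items, such as the missing-patch results a credentialed Host-Based scan produces, are addressed first. The sample report embedded below is constructed for the example; its hostnames, plugin IDs and plugin names are made up and do not correspond to real scan data.

```python
"""Summarise a Nessus (.nessus v2 XML) export by host and severity.

Added example for triaging scan output; the sample report below is
constructed for illustration and is not real scan data.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export in the .nessus v2 layout (hostnames, plugin
# IDs and plugin names are invented for this example).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="example">
    <ReportHost name="web-01.example.test">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10001" pluginName="Service Detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="10002" pluginName="TLS Weak Cipher Suites"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="10003" pluginName="Missing OS Security Patches">
        <plugin_output>Credentialed check: 3 patches missing</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="db-01.example.test">
      <ReportItem port="5432" svc_name="postgresql" protocol="tcp" severity="1"
                  pluginID="10004" pluginName="Database Banner Disclosure"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {host: [finding dict, ...]} from a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            out = item.find("plugin_output")
            items.append({
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "output": out.text if out is not None else "",
            })
        findings[host.get("name")] = items
    return findings


def severity_counts(findings):
    """Per-host count of findings at each severity (Info excluded)."""
    summary = {}
    for host, items in findings.items():
        c = Counter(SEVERITY_NAMES[i["severity"]] for i in items if i["severity"] > 0)
        summary[host] = dict(c)
    return summary


def needs_attention(findings, min_severity=3):
    """(host, plugin name) pairs at High or above, most severe first."""
    hits = [(h, i["name"], i["severity"]) for h, items in findings.items()
            for i in items if i["severity"] >= min_severity]
    hits.sort(key=lambda t: -t[2])
    return [(h, n) for h, n, _ in hits]


if __name__ == "__main__":
    report = parse_nessus(SAMPLE_NESSUS)
    for host, counts in severity_counts(report).items():
        print(host, counts)
    print("Fix first:", needs_attention(report))
```

To use it on a real export, replace `SAMPLE_NESSUS` with the contents of the `.nessus` file downloaded from the Nessus web interface. Informational (severity 0) items are deliberately excluded from the counts because they describe what was found (service detection, banners) rather than something to fix.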

How Can I Get An Account?

To request an account, please fill out the .

Are Scan Results Confidential?

Yes. Scan results are confidential and are not shared with other groups, except at your request.

System Information

The Nessus server is configured to reboot weekly on Sunday nights for automated maintenance. Please do not schedule scans to run Monday between midnight and 6am.

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.