Qualys Scanning—University of Minnesota

Qualys is a vulnerability scanner that is used for critical servers and servers subject to
compliance reporting. This scanner is not generally to be used for desktop or laptop
scanning. OIT has purchased a limited number of licenses (licensed by IP address
scanned) for scanning critical and other important servers.
This document provides background and responsibilities for how QualysGuard scanning,
mapping and ticket remediation tracking will be used at the University of Minnesota by
departments. Qualys maintains more extensive documentation of their product under
Help on the QualysGuard Enterprise Suite menu bar.
Business Units
Large or decentralized units (e.g., OIT) will have a Business Unit and an assigned Business Unit Manager. The Business Unit will be able to run discovery maps and vulnerability scans and run reports on the IPs assigned to it. Priority must be given to critical servers and servers subject to compliance reporting.
Business Unit Manager (BUM) Responsibilities
- Define responsibilities of the other unit managers, scanners and readers in your Business Unit.
- Manage users (other unit managers, scanners and readers) for your Business Unit. This includes set up and deletions. Assign the users to Asset Groups.
- Identify to University Information Security (e-mail [email protected]) a list of subnets your area is responsible for. This will be used for discovery mapping your section of the network, similar to Nmap. Discovery maps are free.
- Identify to University Information Security (e-mail [email protected]) a list of IPs or IP ranges for servers that your unit is responsible for scanning. Each IP scanned costs money, so avoid scanning IP addresses not assigned to a host.
- Set up and maintain the list of IP addresses that should be included in the Critical Servers Reporting Asset Group for your Business Unit, following the naming convention for Asset Groups and using the corresponding Business Impact level 5 (critical).
- Manage the other Asset Groups that you create to meet your scanning/reporting needs, following the naming convention for Asset Groups. Use the Business Impact level that meets your reporting needs.
- Discovery map your section of the network at least monthly and review the Map reports for unknown devices.
- Scan all IP addresses in the Critical Servers Reporting Asset Groups monthly.
- Review open ticket remediation for IPs assigned to your Business Unit or Asset Group. Automated ticket generation will be turned on per Asset Group by the Business Unit Manager.
In summary, maintain the following:
- IP addresses in the Critical Servers Reporting Asset Groups
- Vulnerability management review for servers scanned, with priority for the Critical Servers Reporting Asset Groups (see the separate document, Qualys Vulnerability Data Review for Audit Reporting)
- User accounts for your Business Unit

3/23/2015
Page 1 of 8

Optional:
  o Set up additional Remediation Policies for your area.
  o Set up additional report templates.
  o Maintain Host Asset Information. University Information Security will use the Function field to track the Solutionary/Seccuris OneStone Customer # (S1511).
Critical Servers Reporting Asset Groups
These asset groups should contain the critical servers for your area and be assigned Business Impact=5 (critical). These Asset Groups will be used for reporting vulnerability management to the internal audits department.
Critical Servers include:
- Servers with Security Level High or Medium per the Data Security Classification Policy.
Naming Conventions
- Asset Groups: COLLEGE.DEPT.subgroup_??? (??? - each area can define)
- Critical Servers Reporting Asset Groups:
  o CRITICAL.COLLEGE.DEPT
- Report Templates: COLLEGE.DEPT.??? (??? - each area can define)
- See the attached sheet for the naming convention assigned to your unit.
Vulnerabilities
Qualys uses 3 categories for classifying vulnerabilities (confirmed, potential and information). Within each category there are 5 severity levels (1-5).
  o Confirmed (red) – Security weaknesses verified by an “active test”
  o Potential (yellow) – Security weaknesses that need manual verification
  o Information (blue) – Configuration data

High Risk Vulnerabilities
  o Required: Fix “Confirmed 4 & 5” (red). The high severity vulnerability must be mitigated (i.e., patched or reconfigured, covered by another compensating control, or documented as a false positive) for internal audits reporting.
  o Hosts involved in credit card processing must also mitigate all vulnerabilities marked as PCI Failed.
  o Documentation of the mitigation plan for your high severity vulnerabilities must be in the Qualys Ticket Remediation. Tickets for unmitigated vulnerabilities need to be documented within 30 days of the scan.

Priorities for Other Vulnerabilities
  o Recommended: Review “Potential 4 & 5” (yellow) and fix, if applicable
  o Recommended: Review “Confirmed 1, 2 & 3” (red) and fix, if applicable
  o Recommended: Review and assess the risk of the other vulnerabilities and fix, if applicable
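The remediation rules above map directly onto a triage step. The following is an added example, not from the University's document or from Qualys, that applies those rules to a constructed, Qualys-like list of findings and open tickets: Confirmed 4 & 5 findings, and PCI Failed findings on hosts that process card payments, come out as required; Potential 4 & 5 and Confirmed 1-3 come out as recommended; everything else is left for risk review; and tickets with no documented mitigation plan after the 30-day deadline are flagged overdue. The Finding and Ticket fields, the QID values, IPs and dates are all assumptions made for the example.

```python
"""Triage constructed Qualys-style scan findings under the remediation rules above.

Added example, not part of the University's document or the Qualys product.
Field names (host, qid, category, severity, pci_failed) and all sample
values are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CATEGORIES = ("Confirmed", "Potential", "Information")
TICKET_DEADLINE_DAYS = 30  # tickets must be documented within 30 days of the scan


@dataclass(frozen=True)
class Finding:
    host: str          # scanned host IP
    qid: int           # vulnerability identifier (QID); values below are constructed
    title: str
    category: str      # one of CATEGORIES
    severity: int      # 1-5
    pci_failed: bool = False  # finding flagged as PCI Failed by the scan


def triage(finding, pci_host=False):
    """Map one finding to a priority bucket.

    required    - Confirmed 4 & 5 (patch/reconfigure, compensate, or document as
                  a false positive), plus any PCI Failed finding on a host that
                  processes credit cards
    recommended - Potential 4 & 5, and Confirmed 1-3 (review and fix if applicable)
    review      - everything else (assess the risk, fix if applicable)
    """
    if finding.category not in CATEGORIES or not 1 <= finding.severity <= 5:
        raise ValueError(f"unexpected category/severity in {finding}")
    if finding.category == "Confirmed" and finding.severity >= 4:
        return "required"
    if pci_host and finding.pci_failed:
        return "required"
    if finding.category == "Potential" and finding.severity >= 4:
        return "recommended"
    if finding.category == "Confirmed":
        return "recommended"
    return "review"


def triage_scan(findings, pci_hosts):
    """Bucket a whole scan's findings; pci_hosts is the set of card-processing IPs."""
    buckets = {"required": [], "recommended": [], "review": []}
    for f in findings:
        buckets[triage(f, f.host in pci_hosts)].append(f)
    return buckets


@dataclass(frozen=True)
class Ticket:
    host: str
    qid: int
    opened: date       # date of the scan that generated the ticket
    documented: bool   # mitigation plan (or false-positive note) recorded in the ticket


def overdue_tickets(tickets, today, deadline_days=TICKET_DEADLINE_DAYS):
    """Tickets still lacking a documented plan more than deadline_days after the scan."""
    cutoff = today - timedelta(days=deadline_days)
    return [t for t in tickets if not t.documented and t.opened < cutoff]


# Constructed sample input: one scan of three hosts; 10.0.0.11 processes card payments.
SAMPLE_FINDINGS = [
    Finding("10.0.0.10", 90001, "Outdated SSH server", "Confirmed", 5),
    Finding("10.0.0.10", 90002, "Weak TLS cipher (possible)", "Potential", 4),
    Finding("10.0.0.11", 90003, "Self-signed certificate", "Confirmed", 2, pci_failed=True),
    Finding("10.0.0.12", 90003, "Self-signed certificate", "Confirmed", 2, pci_failed=True),
    Finding("10.0.0.12", 90004, "Open port list", "Information", 1),
    Finding("10.0.0.12", 90005, "Possible information leak", "Potential", 2),
]
PCI_HOSTS = {"10.0.0.11"}
TODAY = date(2015, 3, 23)  # review date used for the overdue check
SAMPLE_TICKETS = [
    Ticket("10.0.0.10", 90001, date(2015, 2, 1), documented=False),   # 50 days, undocumented
    Ticket("10.0.0.11", 90003, date(2015, 3, 10), documented=False),  # 13 days, still in window
    Ticket("10.0.0.10", 90002, date(2015, 1, 5), documented=True),    # old but documented
]


def main():
    buckets = triage_scan(SAMPLE_FINDINGS, PCI_HOSTS)
    for name, items in buckets.items():
        print(f"{name:12s} {len(items)} finding(s)")
        for f in items:
            print(f"    {f.host:12s} QID {f.qid}  {f.category} {f.severity}  {f.title}")
    for t in overdue_tickets(SAMPLE_TICKETS, TODAY):
        print(f"OVERDUE ticket: {t.host} QID {t.qid} opened {t.opened}")


if __name__ == "__main__":
    main()
```

Note that the same Confirmed 2 / PCI Failed finding lands in different buckets depending on whether the host is in card-processing scope, which is exactly the distinction the PCI rule above draws; a real deployment would take the scope list from the PCI Asset Group rather than a hard-coded set.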
Additional information on Set Up, Scans, Maps, Ticket Remediation & Reports
Asset Groups (See Asset Group image)
  o Follow the naming conventions for Asset Groups.
  o IPs: list all the IP addresses or IP ranges to be included in the Asset Group.
  o Scanner Appliances: select all listed.
  o Business/CVSS Information:
    - Critical Server Asset Groups: change the default Business Impact to 5 (critical).
    - Other Asset Groups: the information on this tab is optional.
Asset Group Business/CVSS Information
  o Division, Function, Location fields and Business Impact can be maintained for each Asset Group by the user creating the Asset Group.
  o Business Impact must be set to 5 for the Critical Servers Asset Groups.
  o CVSS Environmental Metric Info is not being used.
Host Asset Information
  o Location, Function and Asset Tag fields are maintained on individual host IPs.
  o University Information Security will use the Function field to make notations (e.g., S-1511) related to Solutionary/Seccuris OneStone monitoring of an IP.
User Accounts
  o General Information: all fields with an asterisk are required.
  o User role: select one of
    - Scanner – scan and map IP addresses in your assigned Asset Groups; create and run reports and manage tickets.
    - Reader – create and run reports for your assigned Asset Groups and manage tickets.
    - Unit Manager – same privileges as Scanner, with one addition: you also manage user accounts for your unit.
  o Asset Group: assign one or more Asset Groups to the user.
  o Advanced options: displays the Permissions and Options tabs.
Scans (See Scan Asset Group, Scan Host and Scheduled Scan images)
  o There are multiple scan policies and options for scheduling scans. Here are the basics.
    - Schedule the scan or scan immediately
    - Option Profile: U of M Initial Options (default); PCI scans use Payment Card Industry Options (the PCI policy can be more aggressive)
    - Scanner Appliance:
      - All Scanners in Asset Group
      - External, for a scan from outside the U network
      - Select an internal scan appliance when listing IP addresses or ranges. If not scanning an entire asset group, the external scanner is used instead of an internal one.
    - Scan by Asset Group, or select IPs or an IP range
  o When the scan is completed, users can view the scan report.
Ticket Remediation
  o The main remediation policy will create tickets for all Confirmed 4 & 5 vulnerabilities for the IPs in the Critical Servers Reporting Asset Groups.
    - Tickets will be assigned to the user running the scan.
    - The deadline date for determining overdue tickets will be 30 days.
  o Business Units can set up additional remediation policies for their area.
Reports
  o Technical Report - Select Asset Group or IP
    - Results as of the last scan
    - Includes all vulnerabilities (confirmed, potential, info) at all levels (1-5)
    - Details on how to fix
    - Very large report
  o Technical Report - Select Scan Results
    - Results from a specific scan
    - Includes all vulnerabilities (confirmed, potential, info) at all levels (1-5)
    - Details on how to fix
    - Very large report
  o UMN-Summary Report
    - Results as of the last scan
    - Includes all vulnerabilities (confirmed, potential, info) at all levels (1-5)
    - No detail on how to fix
  o UMN-High Severity Report
    - Results as of the last scan
    - Includes confirmed vulnerabilities at levels 4 & 5
    - Details on how to fix
  o UMN-High Severity Summary Report - OIT Sec Reporting
    - Results as of the last scan
    - Includes confirmed vulnerabilities at levels 4 & 5
    - Sorted by vulnerability and lists the vulnerable hosts
    - No detail on how to fix
Maps
  o Similar to nmap
  o There are multiple discovery map policies and options for scheduling maps. Here are the basics.
    - Schedule the map or map immediately
    - Option Profile: University of Minnesota Initial Options (default)
    - Scanner Appliance:
      - All Scanners in Asset Group
      - External, for a map from outside the U network
    - Map by Asset Group, or select IPs or an IP range
  o When the map is completed, users can view the map report.
Images
Asset Group
Scan Asset Group
Scan Host
Scheduled Scan