Vulnerability management is a continual, proactive process that helps to improve your security posture and keep assets safe from cyberattacks. The Nectar@Auckland team helps to identify and fix vulnerabilities with your help... |
What is a vulnerability:
- A weakness in system procedures, design, implementation, or controls.
- Simply put, in a cloud computing environment a vulnerability is a weakness in your Virtual Machine (VM) which could be the operating system (e.g., Ubuntu) or application (software you run).
How do we detect vulnerabilities?
University of Auckland uses a variety of security tools to monitor and manage security of Nectar, including Tenable to scan Nectar VMs.
How are researchers notified of vulnerabilities?
If vulnerabilities are detected on your Nectar instance/s, a ticket will be created in the Nectar help desk that outlines the issue and provide resolution assistance. You will also receive an email notification of the ticket. The contact person associated with the project will be the email recipient.
Why is this the researchers responsibility?
Nectar Cloud is a self-service cloud computing platform. This provides pros and cons. You have absolute freedom to configure VMs how you want (e.g., install software, open ports, expose services). However, you are ultimately responsible to ensure that it works and that it is secure (and meets university IT and security requirements). If Nectar Cloud sounds like the wrong fit for you, please review the Research Virtual Machines page on the Research Hub for alternative options.
What action do you need to take?
We ask that you attend to whatever remedial action is needed. The urgency depends on the detected severity of the vulnerabilities. If detected vulnerabilities of an instance are not addressed in time, we may limit network access to internal and/or lock the instance. In any event, we will be in touch and support you in addressing the issues. Note that we will never delete your instance or data on Nectar Cloud resulting from a security-related event. This only occurs when the yearly project allocation is ended and has not been extended.
The table below documents expected time-lines to address your vulnerabilities:
| Severity | Description | Time frame |
|---|---|---|
| Critical | Vulnerability can be readily exploited using publicly available exploits | 14-90 days* |
| High | Vulnerability could theoretically be exploited but no exploit is available | 60-365 days* |
* Note: Variable time frames are specified for vulnerability resolution due to a variety of factors including internal vs external network visibility and exploitable vs non-exploitable vulnerabilities.
What happens if you do nothing?
The vulnerability ticket sent to you will have a "requested resolution timeframe". If you do not update your instance in the specified timeframe, we will have to take action to reduce risk to the university. There are two outcomes based on the vulnerability properties:
- Critical vulnerability with known exploit:
- Instance is paused and locked if not resolved before requested date
- All other vulnerabilities:
- Instance is put into rework restricted mode
- All ports opened using security groups are removed
- Only ports SSH 22 (for Linux) or RDP 3389 (for Windows) are opened
- These "management ports" are also restricted to VPN only connection
- Opening these ports reduces risk and provides access to resolve the issues
What should you do to avoid known vulnerabilities
The general expectation is that your system is kept up-to-date with any security-related software updates, and any vulnerabilities detected by our scans are fixed. This will help keep your system and data safe as possible. To achieve this:
- Perform system updates:
- Debian-based Linux: sudo apt update && sudo apt upgrade
- RedHat-based Linux: sudo dnf upgrade
- Microsoft Windows: Use Windows Update
- Restrict network traffic to required services:
- If a vulnerability is detected, the resolution time is determined based on the "visibility" of the server or service exposed
- If the vulnerability is exposed to the Internet, the resolution time will be shorted
- Therefore, restricting network traffic to internal, UoA networks will increase the time allocated to resolve the issue
- Use an official Nectar image:
- The official Nectar Cloud images have additional security configurations including automated security updates, rate limiting for SSH, and SSH limited to key-based authentication.
- To identify an official Nectar image, look for "Public" visibility on images
For additional help, the following support articles outline some security essentials from the Nectar team:
What is vulnerability classification?
The Centre for eResearch (CER) follows the Common Vulnerability Scoring system which indicates the severity of a vulnerability. The ratings and scores are displayed in the table below.
| Severity | Score | Description |
|---|---|---|
| Critical | 9.0 - 10.0 | Complete mission failure, death, or loss of system |
| High | 7.0 - 8.9 | Major mission degradation, severe injury, occupational illness or major system damage |
| Medium | 4.0 - 6.9 | Minor mission degradation, injury, minor occupational illness, or minor system damage |
| Low | 0.1 - 3.9 | Less than minor mission degradation, injury, occupational illness, or minor system damage |
Where can I get additional help?
If you are unsure and need additional help, please get in touch using the following email address:
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article