Educause Security Discussion mailing list archives

Re: Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene scan services


From: Sean Hagan <sean.hagan () ALASKA EDU>
Date: Fri, 3 Sep 2021 07:02:47 -0700

Vince - We've used the Cyber Hygiene (CyHy) service at my previous
institution for about 5 years - it's been a great resource to supplement
internal scanning.  At my current institution, we signed up two months ago
and CISA was very prompt in getting things set up, and the reports are just
as useful (if not more so, given our limited internal capabilities).

As Andrew points out, there is a related free service from CISA - WAS, or
web application scanning.  You may want to consider signing up for it since
it's free and focuses on different vulnerabilities.

One thing to plan for - how will you share detected vulnerabilities
internally?  The PDF you'll get from CISA is password protected and
includes a number of appendices with attachments, and since they're likely
scanning your entire external address space, that will necessarily
encompass devices managed by multiple different people/groups/departments,
most of whom likely won't be on the distribution list for the CyHy report.
I don't have a good answer for you, since my previous institution was small
enough and our internal scanning had sufficient overlap that there were few
issues in communicating detected vulnerabilities.  My current institution
is so large and distributed that we haven't yet come up with an effective
way to share this information, but I'm actively working on it.

Andrew - You should definitely ping CISA again - we had our first report
within 4-7 days of completing and submitting the paperwork, and we also
have a /16.

On Fri, Sep 3, 2021 at 6:52 AM Powell, Andy <ap16 () williams edu> wrote:

Hi Vince,

  We signed up for CISA's CyHy services in July and have only received the
results of their web app scanning to date (still waiting on general vuln
scan results), and your post is a timely reminder for me to ping them again.

  Speaking only of Web App scanning, I found their scan to be helpful and
informative. They use Qualys, so their report format was familiar to me. It
surfaced several concerns, some we were previously aware of and some others
that we weren't. In my opinion, that's working as intended and we're happy
with the service.

  I can only speculate on the cause for delay on the vuln scanning side,
which I chalk up to a supply/demand crunch...we operate a /16 space, which
is probably a pretty unusual slice for CISA, who typically scans "critical
infrastructure" organizations that would work hard to reduce their internet
exposure to something less than 65,000 addresses. I'm guessing we've been
prioritized downward, and wouldn't necessarily take issue with that.

Andrew F. Powell Jr., CISSP, CCSP
Information Security Director
Williams College
22 Lab Campus Drive, Williamstown, MA, 01267
O - (413) 597 - 4340
C - (978) 502 - 0086
(he/him/his)


On Fri, Sep 3, 2021 at 9:43 AM Vince Bonura <vbonura () fordham edu> wrote:

Good morning, All!

I am writing to inquire whether anyone is taking advantage of the
Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene scan
services?

We became aware of it recently and are considering signing up. Since it’s
a free service, and another way to test the vulnerabilities of your
publicly accessible networks, it seems like a no-brainer.

But we are curious who is/has used it and what you thought of their
findings.

Thanks in advance!

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
