Cybersecurity Scans
Cybersecurity Scanner
NOTE! Due to the new F-Secure Radar user management, teams and individuals no longer have access to the scanner and its results!
ONLY CYBERSECURITY USES THE SCANNER
At the University, the F-Secure Radar cybersecurity scanner is used to detect vulnerabilities and threats in servers and the web applications running on them.
- Individual scans can be ordered from the cybersecurity team.
- For regular needs, access to the service can be granted allowing self-service and scheduled scans.
- Web application administrators should always aim for regular scanning.
Usage Policy: who, when, how, etc.
Who: Individuals who maintain and/or develop servers and web applications.
- Administrators/developers can be given rights to scan their own services/servers as a self-service. Cybersecurity helps with usage and interpreting the results, if needed.
When: The scanner should and must be used regularly for scanning web software for cybersecurity vulnerabilities.
- Scans should be scheduled to run, for example, weekly, and requests should be made to send notifications via email about new findings.
- Before an external consultant conducts scanning (cybersecurity audits, etc.), it’s good to first perform an internal scan to address trivial threats and vulnerabilities in advance.
How: This page helps you get started; the tool’s own help resources (Online Manual, Support site, etc.) are at https://portal.radar.f-secure.com/support
Individual Scans by the Cybersecurity Team
You can order a cybersecurity scan from: tietoturva@helsinki.fi
The request should include:
- Description of the target: the .helsinki.fi names of the server and service
- What should be tested (server settings, web application vulnerabilities, something else, what?)
- Who will provide test credentials for the service if features requiring login are to be tested.
Access Rights to the Scanner Service
Access rights are requested from cybersecurity@helsinki.fi (Efecte queue).
- Teams or projects should manage permissions at the group level, hence request access to an existing Scan Group or ask for one to be created.
- Scans are by default limited to the university’s IP range. Permissions for external addresses must be specially requested from the cybersecurity team.
Afterward, log into the service at: https://portal.radar.f-secure.com/dashboard
- Remember to enable two-factor authentication the first time you log in. This can be found under ‘My Profile’ at the top right if needed.
Different Types of Scans
System Scan and Web Scan are collectively known as Vulnerability Scans.
System Scan
Non-disruptive, does not cause DoS states. Scans the given IP address ports with passive and active tests. Testing includes servers, firewalls, routers, gateways, etc.
Attempts to identify used products (e.g., Apache) and checks for known vulnerabilities, outdated versions, missing security updates, etc. Some products may cause false alarms (e.g., RHEL makes retroactive patches to distribution packages without updating their version numbers, so the version may appear older and more vulnerable than it actually is).
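One way to triage the backport false alarms described above, as an added example that is not part of the original page or of F-Secure Radar: it checks whether a CVE reported by the scanner is named in the installed package's RPM changelog. The changelog text, CVE IDs and function names are constructed for illustration; on a real RHEL host the input comes from `rpm -q --changelog <package>`.

```shell
#!/bin/sh
# Added example: triage scanner CVE findings against an RPM changelog.
# On a real RHEL host the input is: rpm -q --changelog <package>
# That changelog belongs to the installed build, so any CVE it mentions
# is already fixed on the host even if the upstream version looks old.

# Constructed sample changelog (entries and CVE IDs are made up).
sample_changelog() {
cat <<'EOF'
* Tue Mar 05 2024 Example Maintainer <maint@example.com> - 2.4.37-62
- Resolves: CVE-2099-0002 (constructed entry)

* Mon Jan 15 2024 Example Maintainer <maint@example.com> - 2.4.37-60
- Fix request parsing flaw (CVE-2099-0001) (constructed entry)
EOF
}

# fixed_in CVE-ID: reads a changelog on stdin and prints the version-release
# of the first entry mentioning the CVE. Returns 1 if no entry mentions it.
# Assumes the header line ends with the version-release, as in the sample.
fixed_in() {
    awk -v cve="$1" '
        /^\* / { rel = $NF }
        !found {
            i = index($0, cve)
            # Reject prefix hits: CVE-2099-0001 must not match CVE-2099-00012.
            if (i && substr($0, i + length(cve), 1) !~ /[0-9]/) {
                print rel; found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# triage CHANGELOG_FILE CVE-ID...: one verdict line per scanner finding.
triage() {
    changelog=$1; shift
    for cve in "$@"; do
        if rel=$(fixed_in "$cve" < "$changelog"); then
            echo "$cve likely-false-positive fixed-in=$rel"
        else
            echo "$cve needs-review"
        fi
    done
}

tmp=$(mktemp) && sample_changelog > "$tmp"
triage "$tmp" CVE-2099-0001 CVE-2099-0003
rm -f "$tmp"
```

A `needs-review` verdict only means the changelog does not name the CVE; check the vendor's advisory for that finding before treating it as real.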
Note: System Scan can be performed by logging into the server first, which is much faster and causes fewer false alarms. This is the recommended method if possible.
Web Scan
Web application auditing. Recommended to be run:
- In addition to System Scan, not alone
- Regularly during the development stage of a new application as part of the development cycle (and of course during maintenance as well)
It can also be performed in a disruptive mode, which is recommended for test and development environments.
Creating and Running Scans
Note: Radar’s interface is constantly updated, so some information might be outdated. It’s a good idea to also use Radar’s own instructions (from the Support menu, requires login).
In summary
- Create a scan.
- For destructive web scans (HTTP POST/DELETE/PUT methods), limit the areas used or run these only in separate test and development environments and use non-destructive scans in production.
- Schedule the scan to occur weekly.
- Subscribe the service maintenance group address to notifications of detected issues.