Body
Authority: Vice Chancellor for Administration and Finance
History: ITCS Policy No. 7.104
Supersedes Policy Dated: July 23, 2002
Effective Date: September 25, 2003
Review Date: September 9, 2011
Related Policies: None
Contact for Information: Cheryl Godwin, Director of Network Services, ITCS
Introduction
- Purpose of Regulation
To prohibit the use of the university’s computers, electronic communications, or other information technology resources to perform network-based scans on any computing system without the written permission of the system owner or system administrator.
- Persons with Primary Responsibility
Primary responsibility belongs to the Chief Information Officer. The Director of Network Services coordinates technical investigations of network scanning incidents.
Regulation
It is the policy of East Carolina University that no computer system procured or managed by the university or connected to the university’s network shall be used to perform network scans on any computer system, except under the following conditions:
- A system may be scanned by the owner or the system administrator of that system.
- A person may scan a system on behalf of another only after receiving written permission signed and dated by the owner or system administrator of that system. This document shall include a specific time period during which the scan(s) may be performed. Any additional scanning shall require separate written approval.
The university network and system staff may perform network scans in an effort to resolve a service problem, as a part of normal system operations and maintenance, or to enhance the security of the systems that they manage.
The university IT security staff and internal auditing staff may perform network scans to monitor compliance with university policy, to perform security assessments or to investigate security incidents.
Definitions
- Network Port
A numeric identifier used to distinguish between different network services (i.e., HTTP, Telnet, FTP) on the same computing system. Although port numbers range from 0 to 65536, many well known services have reserved port numbers between 0 and 1024 (i.e., HTTP uses port 80, Telnet uses port 23, and FTP uses ports 20 and 21.)
To establish a session with a host, a network request must be sent to the appropriate port number on the host. That is, to establish an HTTP session with a web server, your workstation software will send a request to port 80 of the web server.
- Network Port Scanning
The process of sending data packets over the network to selected service port numbers (HTTP-80, Telnet-23, etc.) of a computing system with the purpose of identifying available network services on that system. This process is helpful for troubleshooting system problems or tightening system security.
Network port scanning is an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
- Vulnerability Scanning
The process of identifying known vulnerabilities of computing systems on the network. This process goes a step beyond identifying the available network services of a system as performed by a network port scan. The vulnerability scan will identify specific weaknesses in the operating system or application software, which can be used to compromise or crash the system. Vulnerability scanning is intrusive and should be performed with care, as some scans can cause systems to crash or to behave erratically.
The vulnerability scan is also an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
- Network Scanning
The use of a computer network for gathering information on computing systems, which may be used for system maintenance, security assessment and investigation, and for attack. This includes network port scanning and vulnerability scanning.
Threats to University Information and Information Resources
Network scanning-if used properly-is a formidable tool for protecting our information and information resources. On the other hand, unauthorized network scans pose a serious threat to the availability, integrity, and confidentiality of our electronic information and our information resources.
Unauthorized network scans can result in:
- 4.1.1 Disclosure of Sensitive Data
Network scans yield a tremendous amount of information about our networked computing systems. This information is crucial to attackers in their efforts to compromise computer systems. If a critical system is compromised, an attacker may have unlimited access to confidential data.
- 4.1.2 Loss of Service
Network attacks vary greatly in nature. The goal of the attack may be to gain control of a computing system or to simply make the system unavailable to others. Even the process of vulnerability scanning can cause a system to crash or behave erratically
- 4.1.3 Loss of Network and System Performance
Network scanning can involve hundreds or even thousands of computing systems. The sheer volume of network traffic requests can place an incredible strain on the resources of our computing systems and the university network, resulting in less than optimal performance for university users.
- 4.1.4 Loss of Reputation
As a member of the global Internet village, our actions directly affect the safety of information and information resources around the world. By allowing the university’s computing resources to be used to compromise systems belonging to our global neighbors, our reputation as a responsible member of the Internet will be tarnished.