Vulnerability Scanning
The IT Security Office conducts vulnerability scanning at Virginia Tech. Vulnerability scans are designed to identify potential vulnerabilities in operating systems, application software, and network devices. A vulnerability scan can target a specific type of system (e.g., a web server) or be a broad, general scan of an operating system.
What to expect when you request a scan
The IT Security Office will schedule a time with you to scan your devices and will establish the scope of the scan. After the scan has been completed, the IT Security Office will provide a complete copy of the vulnerability scan report.
How to request a scan
Vulnerability scans can be requested through ServiceNow. Once submitted, an analyst with the Security Office will contact you to discuss details.
Request Vulnerability Scan (ServiceNow)
Vulnerability Scanning Overview
Why do we scan for vulnerabilities?
In order to reduce information security risks, the Virginia Tech IT Security Office (ITSO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide. The ITSO may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers.
Which systems/services/applications may be scanned?
All systems and applications connected to the campus network may be scanned. Systems and applications hosted in other networks using university domain names will also be in scope for assessment.
When will vulnerability scans be conducted?
High-risk systems will be scanned quarterly and as needed to ensure vulnerability remediation has occurred.
Is it possible some reported vulnerabilities are false positives?
Yes. If you believe a reported vulnerability is a false positive or does not apply to your system in a specific context, please let us know.
From where will vulnerability scans originate?
- booberry.iso.vt.edu
  - 198.82.145.75
  - 2001:468:c80:212f:0:40b0:b00:b00
- cheerios.iso.vt.edu
  - 198.82.145.71
- cornflakes.iso.vt.edu
  - 198.82.145.70
  - 2001:468:c80:212f:0:40f8:f124:1e24
- oats.iso.vt.edu
  - 198.82.145.74
  - 2001:468:c80:212f:0:4054:231:5105
- stream.cirt.vt.edu
  - 128.173.54.101
  - 2001:468:c80:c111:0:4041:bad0:cad
What data is collected and how will it be used?
Vulnerability scanning collects an inventory of potential vulnerabilities and classifications (Critical, High, Medium, Low, Informational). This data is treated as confidential university data.
Which information security policies and standards is this based on?
The ITSO’s minimum security standard requires that any system or application in scope be regularly assessed for security vulnerabilities:
Minimum Security Standards for Systems
Virginia Tech Minimum Security Standards
Acceptable Use of Information Systems at Virginia Tech
Automated Vulnerability Scans
Automated vulnerability scans are separate from requested vulnerability scans. Starting in 2026, they will occur quarterly (January, April, July, October) and will be fully automated. The goal of automated scans is to ensure that critical and high-risk systems are periodically scanned for vulnerabilities, whether or not departments have requested scans.
An automated scan will gather assets from ISORA, DNS, and other systems, then conduct a vulnerability scan against those assets (using a common Nessus scan template), and finally open an Incident in ServiceNow. The incidents will be assigned to an ITSO Red Team member who will work with departments to remediate vulnerabilities, address false positives, etc.
If you have more questions about automated vulnerability scans, please email brad@vt.edu or caeland@vt.edu.
Vulnerability Types
Note: If Critical and High vulnerabilities are not remediated, the ITSO may take action to isolate or remove vulnerable systems from the network.
| Severity | Required Remediation |
|---|---|
| Critical | Vulnerability must be remediated within 7 days. |
| High | Vulnerability must be remediated within 14 days. |
| Medium | None |
| Low | None |
| Info | None |