Policy on Vulnerabilities in Machines Open to the Internet

Computers that are offering services to the Internet beyond ENCS run a risk of being remotely attacked and compromised if they have known vulnerabilities, with the consequences ranging from inconvenience through embarrassment to revelation or loss of possibly confidential research data. In order to minimize this risk, AITS regularly checks for known vulnerabilities, and based on the assessed level of risk, takes action to protect the computer (and its neighbours) against compromise.

The action taken to protect the vulnerable machine varies from immediate removal of the machine from the network if it is already infected, to a warning that the machine will have its external services cut off if it isn't appropriately patched after a grace period determined by the risk posed by the vulnerability. External access to the machine will be restored as soon as a new scan establishes that the vulnerability is no longer present.

In all cases, the owner of the machine, its administrator and its user(s) will be notified by e-mail that will include a personalized and password-protected URL providing full information about the scan as well as details about the action needed to solve the problem.

A current copy of this policy can be found HERE.

A more detailed list of procedures to be followed by AITS network administrators can be found HERE.