Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] Cybersecurity and Infrastructure Security Agency(CISA) Cyber Hygiene scan services


From: "Chester, Heather" <htomley () LUC EDU>
Date: Thu, 9 Sep 2021 14:11:39 +0000

David,
Good question.  I believe Higher Ed is under the Government Facilities sector / Education Facilities Subsector  
https://www.cisa.gov/government-facilities-sector.  Once you open this page, go to Sector Overview, “The Education 
Facilities Subsector covers pre-kindergarten through 12th grade schools, institutions of higher education, and business 
and trade schools. The subsector includes facilities that are owned by both government and private sector entities”.

Heather

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Allen
Sent: Wednesday, September 8, 2021 6:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] Cybersecurity and Infrastructure Security Agency(CISA) Cyber Hygiene 
scan services

We have some interest in signing up with the CISA service as well, but got hung up on the question on the service 
application form that asks "Which Critical Infrastructure Sector does your organization most closely align with?"  Is 
there any consensus on which option should be selected?  Doing a quick review of the options and descriptions 
(https://www.cisa.gov/critical-infrastructure-sectors) did not provide an obvious choice for us.

-David A.

On Tue, Sep 7, 2021 at 7:44 AM Thomas Dugas <dugast () duq edu> wrote:
We’ve used this service for years now. I concur, they won’t be looking at anything that people scanning your network 
for vulnerabilities aren’t doing already. The difference is they actually tell you that you have an issue instead of 
exploiting the risk. It does hold a bit more weight as well when I’ve had to go to third-party service providers to 
tell them their service has a vulnerability on our network.

Foreign nation states are doing this to our networks already. At least I feel that Homeland Security is looking out for 
our better interests.

Tom Dugas
Dugast () duq edu
AVP/CISO
Duquesne University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davis, Ken
Sent: Friday, September 3, 2021 1:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] Cybersecurity and Infrastructure Security Agency(CISA) Cyber Hygiene scan services

There are other free services that can provide potential vulnerability information from an external perspective, such 
as ShadowServer https://www.shadowserver.org/

The Shadowserver Foundation
The Shadowserver Foundation is a nonprofit security organization working altruistically behind the scenes to make the 
Internet more secure for everyone.
www.shadowserver.org


--Ken


________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Kevin Ledbetter 
<kevin.ledbetter () VALPO EDU>
Sent: Friday, September 3, 2021 8:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity and Infrastructure Security Agency(CISA) Cyber Hygiene scan services

I think the feds are on our side.


On Fri, Sep 3, 2021 at 10:09 AM Ken Connelly <ken.connelly () uni edu> wrote:
THIS!!

Plus my general paranoia about giving the feds permission to do this. Not that they can't/couldn't/wouldn't do it 
anyway, but if I say "ok", then I said "ok" and they have permission.

-ken
On 9/3/21 9:03 AM, Koppel, Lorna wrote:

Hi Everyone,



I too am interested in trying their services.  I ran into concerns from legal and others about the perception of having 
a government agency looking at our network especially with people being nervous about immigration.  Anyone else dealt 
with that?



Thanks,

Lorna



Lorna L. Koppel

Director of Information Security

Office of Information Security (OIS)
Tufts University
169 Holland Street
Somerville, MA 02144
Phone: 617.627.0885

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Valerie Smith
Sent: Friday, September 3, 2021 10:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity and Infrastructure Security Agency(CISA) Cyber Hygiene scan services



Hi Vince,



We've used it for almost a year now and we really like it. It's essentially just Nessus but they send a weekly pdf 
report with good info, charts, and graphs (the original Nessus data is embedded as an attachment in the appendix too). 
I've used their graphs in reports to management. And being able to say "DHS says this is a critical vulnerability" has 
helped get people to act a little quicker with remediations than they may have otherwise. ;)



Also they send an annual report of aggregated, anonymized vuln data from across higher ed so that you can see how your 
institution compares against the average.



Let me know if you have other questions or there's anything else I can help with regarding this topic.



Thanks,

Val


Valerie Smith, CISSP (she/her)

Sr. Information Security Analyst

SUNY Geneseo

vsmith () geneseo edu





On Fri, Sep 3, 2021 at 9:43 AM Vince Bonura <vbonura () fordham edu> wrote:

Good morning, All!



I am writing to inquire whether anyone is taking advantage of the Cybersecurity and Infrastructure Security 
Agency (CISA) Cyber Hygiene scan services?



We became aware of it recently and are considering signing up. Since it’s a free service, and another way to test the 
vulnerabilities of your publicly accessible networks, it seems like a no-brainer.



But we are curious who is/has used it and what you thought of their findings.



Thanks in advance!



Vince Bonura

IT Risk Analyst



Fordham University

(718) 817-1875

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



--

- Ken

=================================================================

Ken Connelly                       Director, Information Security

Information Security Officer          University of Northern Iowa

email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-3010



Any request to divulge your UNI password via e-mail is fraudulent!



--
Kevin Ledbetter
Systems Security Administrator
Office of Information Technology

1700 Chapel Drive
Valparaiso, IN 46383
219.464.6191
Staff Employee Advocacy Council
Kevin.Ledbetter () valpo edu



--
David P. Allen
Director for Enterprise Systems
Information & Technology Services
Pacific Lutheran University
t: 253-535-7524
pronouns: he/him/his
