Vulnerability Notifications
The Office of Information Assurance (OIA) distributes notices to designated email addresses when assets are identified as vulnerable. These notifications may include an attached file containing detailed information, using the naming convention unknown-YYYY-MM-DD.csv (e.g., unknown-2020-01-01.csv).
Why Remediating Vulnerabilities Is Important
Protects against cyberattacks
Patching closes known security vulnerabilities in software and operating systems, preventing attackers from gaining unauthorized access, deploying malware, or launching ransomware attacks.
Reduces risk of data breaches
A significant percentage of breaches (approximately 60% in multiple studies) result from unpatched vulnerabilities—one of the most common and preventable attack vectors.
Reference Articles (External):
- ServiceNow - Costs and Consequences of Gaps in Vulnerability Response
- BitDefender - 60% of Breaches in 2019 Involved Unpatched Vulnerabilities
- Bank Info Security - Unpatched Vulnerabilities Cause 60% of Cyber Compromises
Prevents exploitation of known flaws
Many vulnerabilities are publicly disclosed through CVEs, and attackers often exploit them rapidly—frequently within 48 hours of disclosure.
Reference Articles (External):
- InfoSecurity Magazine - 61% of Hackers Use New Exploit Code within 48 Hours of Attack
- The Hacker News - When Attacks Come Faster Than Patches
- Byte Iota - CVE Crisis 2025: 46,701 Bugs, 28% Exploited in 24 Hours
Improves system stability and performance
Security patches often include bug fixes and performance improvements, reducing crashes, memory leaks, and other operational issues.
Ensures compliance with regulations
Regular vulnerability remediation helps UCSD meet legal and industry requirements (e.g., GLBA, IS3, FERPA, HIPAA, PCI), reducing the risk of fines or penalties.
Minimizes downtime and financial losses
Unpatched systems are more susceptible to compromise, leading to service disruptions, data loss, and costly incident response efforts.
Defends against evolving threats
With the increasing volume of vulnerabilities and zero-day exploits, timely remediation is essential to stay ahead of automated and sophisticated attacks.
AWS IAM Users with Expired Credentials
Search IDs: ucsd_access_expired_iam, ucsd_lambdagen_access_expired_access_key, ucsd_lambdagen_access_expired_password
Expired IAM user console access and API keys create unnecessary security and compliance risks by leaving inactive credentials available for misuse. Disabling expired console access and deleting expired API keys reduces the attack surface and ensures alignment with standards like UCOP IS-3. Automating this process minimizes administrative overhead while preventing accidental use of stale credentials. This policy strengthens our security posture with minimal cost or disruption.
Endpoint Security Leaderboard
Search ID: its_endpoint_leaderboard
This leaderboard illustrates the progress made by each system administrator group (contact), allowing managers and supervisors to determine who needs assistance. For each contact, the score is calculated with 75% weight on the percentage of hosts compliant with endpoint security agents and 25% weight on the vulnerability score, which is based on the average duration of active, severity 4 or 5, public-facing vulnerability detections.
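As an added example (not the leaderboard's actual implementation), the weighting described above can be computed from two inventories: hosts tagged with their agent compliance, and detections tagged with severity, exposure and first-found date. The page only says the vulnerability score is "based on" the average detection age, so the mapping used here (100 points at zero days, falling linearly to 0 at 90 days) is an assumption, as are the contact names, the sample data and the evaluation date.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass
class Host:
    contact: str
    compliant: bool  # all required endpoint security agents present


@dataclass
class Detection:
    contact: str
    severity: int
    public_facing: bool
    active: bool
    first_found: date


def vuln_score_from_age(avg_days, max_age_days=90.0):
    """ASSUMPTION: linear decay from 100 at 0 days to 0 at max_age_days.

    No qualifying detections (avg_days is None) is the best possible outcome.
    """
    if avg_days is None:
        return 100.0
    return max(0.0, 100.0 * (1.0 - avg_days / max_age_days))


def leaderboard(hosts, detections, as_of):
    """Return rows sorted best-first, using the 75% / 25% weighting from the page."""
    contacts = sorted({h.contact for h in hosts} | {d.contact for d in detections})
    rows = []
    for contact in contacts:
        own_hosts = [h for h in hosts if h.contact == contact]
        compliance = (100.0 * sum(h.compliant for h in own_hosts) / len(own_hosts)) if own_hosts else 0.0
        # Only active, severity 4 or 5, public-facing detections count toward the age.
        ages = [
            (as_of - d.first_found).days
            for d in detections
            if d.contact == contact and d.active and d.public_facing and d.severity in (4, 5)
        ]
        vuln = vuln_score_from_age(mean(ages) if ages else None)
        rows.append({
            "contact": contact,
            "agent_compliance_pct": compliance,
            "vuln_score": vuln,
            "score": 0.75 * compliance + 0.25 * vuln,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample data; contact names are placeholders.
SAMPLE_HOSTS = [
    Host("sysadmin-a", True), Host("sysadmin-a", True), Host("sysadmin-a", True), Host("sysadmin-a", False),
    Host("sysadmin-b", True), Host("sysadmin-b", True),
]
SAMPLE_DETECTIONS = [
    Detection("sysadmin-a", 5, True, True, date(2020, 1, 31)),   # 30 days old on 2020-03-01
    Detection("sysadmin-a", 4, True, True, date(2020, 1, 1)),    # 60 days old
    Detection("sysadmin-a", 5, True, False, date(2019, 6, 1)),   # fixed: not active, ignored
    Detection("sysadmin-b", 3, True, True, date(2019, 6, 1)),    # severity 3, ignored
    Detection("sysadmin-b", 4, False, True, date(2019, 6, 1)),   # not public-facing, ignored
]

if __name__ == "__main__":
    for row in leaderboard(SAMPLE_HOSTS, SAMPLE_DETECTIONS, date(2020, 3, 1)):
        print(f"{row['contact']:12} {row['score']:6.2f}  agents={row['agent_compliance_pct']:.0f}%  vuln={row['vuln_score']:.0f}")
```

Because the age term only counts detections that are still active, a group drops its leaderboard score back to the compliance component as soon as the public-facing findings are remediated.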
Hosts on Banned Equipment
Search ID: ucsd_network_banned_equipment
The United States Department of Defense has banned certain equipment manufacturers from having a presence on the UCSD network. Notifications are sent to the primary contact hosting this equipment; you will find the IP address, MAC address, MAC vendor, VLAN, and day/time it was last seen on the network. We are obligated to certify to the Federal Government that our network does not contain any of the banned equipment. Please note that this prohibition is in fact nuanced, but it requires us to understand precisely what the banned equipment is and, if it must be removed, to have a remediation plan in place.
Hosts Missing Security Agent(s)
Search ID: its_asset_csog_hosts_noncompliant
All hosts are required to have endpoint security agents (e.g., Qualys Cloud Agent, Trellix HX). Installing these agents allows the platform to discover vulnerabilities and to detect and prevent malicious files and activity.
Vulnerabilities on Cloud Resources for Prioritized Signature(s)
Search ID: ucsd_vuln_fsc
There are a large number of critical and high severity vulnerabilities, and it can be difficult to know where to start. In addition to risk scoring vulnerabilities, determining the feasibility, or ease-of-patching can help prioritize vulnerabilities. Effectively, this will reduce the overall risk of the program by remediating the low hanging fruit that has slipped through the cracks, and is categorized as a high risk.
Vulnerabilities on Containers
Search ID: its_vuln_container_detections
Our current vulnerability management strategy is primarily focused on host-level threats. While this has served us well in securing traditional infrastructure, the increasing adoption of containerized applications exposes us to a new class of risks. Containers, by design, introduce layers of abstraction that can harbor vulnerabilities at multiple levels—especially at runtime and within Infrastructure as Code (IaC) definitions. To maintain a robust security posture, we must extend our vulnerability scanning and remediation efforts to include containers.
Vulnerabilities on Hosts for Prioritized Application(s)
Search ID: its_emailgen_vuln_priority
There are a large number of critical and high severity vulnerabilities, and it can be difficult to know where to start. In addition to risk scoring vulnerable hosts, determining the feasibility, or ease-of-patching can help prioritize vulnerabilities. Effectively, this will reduce the overall risk of the program by remediating the low hanging fruit that has slipped through the cracks, and is categorized as a high risk.
Vulnerabilities on Hosts Public-Facing
Search ID: its_vuln_public_facing
As cyber threats grow more sophisticated and frequent, organizations must proactively manage risk to their public-facing digital assets. This business case proposes implementing a process to notify responsible teams when vulnerabilities are discovered on these assets. Timely notification and remediation will reduce the organization's exposure to external threats, maintain customer trust, and support regulatory compliance.
FAQ
- Asset Discrepancies
- Review ServiceNow and Infoblox. For changes to asset inventory, contact Hostmaster, hostmaster@ucsd.edu.
- Further Information on Vulnerability Notices
- For access to the TechWiki page, please contact Support.
- Vulnerability Platform
- For access to Qualys, please contact security. Scans are continuous and run from public scanners. Requesting a 'final' scan can take up to a week.
- For any other issues or questions about notifications, please contact security.