Vulnerability Scanning Service Description

Vulnerability Management Services
Vulnerability Scanning Application

Please complete the Vulnerability Scanning application form to commence onboarding.

The Western Australian Government Vulnerability Scanning service enables Western Australian Government agencies to identify known vulnerabilities and misconfigurations within their ICT environments, and provides them with guidance to remediate these issues and reduce the surface area for potential cyber security attacks.

This service utilises Tenable.io, a vendor-hosted, cloud-based vulnerability scanning system, to identify, categorise and report on vulnerabilities throughout the organisations’ fleet of computing endpoints, servers, and other infrastructure. The Vulnerability Scanning service enables organisations to obtain targeted intelligence which can guide activities such as installation of patches to correct security and functionality problems in software and firmware.

The service is capable of being deployed against internally hosted infrastructure and hosted systems within WA GovNext, AWS and/or Microsoft Azure. This allows for the capture of vulnerability information across an entity’s total asset base into a holistic management and reporting service.

The results from the various scanning tools can be accessed through the individual entities’ workspaces within the Tenable.io portal. They can be used to inform internal engagement and decision-making on priority vulnerability patching and remediation.

The Vulnerability Scanning Service is comprised of the following key components:

  • Tenable.io Platform

    Enrolled entities are provided access to the online portal where they can configure and manage their asset scanning, set schedules, and generate online reporting dashboards or generate automated reports distributed by email. Using asset tags and role-based access controls, the services provide for isolated reporting for each entity.

  • Vulnerability Scanning – External

    This service performs basic scanning of an organisation’s internet-facing services for security vulnerabilities and misconfigurations. Scans are performed against pre-defined IP addresses and can be scheduled to minimise performance impacts on internet-facing services.

  • Vulnerability Scanning – Internal

    This service deploys sensors within internally-hosted environments, WA GovNext, AWS and/or Microsoft Azure infrastructure to enable credentialed scanning of assets, providing detailed information to identify potential vulnerabilities within operating systems, applications, and other network devices.

    Entities can also opt to deploy Tenable agents onto highly mobile assets to provide continuous vulnerability data for assets that may not be regularly connected to their internal networks.

Optional add-on Services

Entities who subscribe to the service may choose to implement other Tenable services to provide more advanced vulnerability and threat detection, with the results being correlated into their hosted Tenable.io workspaces. Add-on services will be charged on a full-cost recovery basis.

  • Tenable.cs – Unified cloud security posture and vulnerability management.
  • Tenable.io Web Application Scanning – Assess vulnerable web application components and custom code vulnerabilities.
  • Tenable.asm – External attack surface management providing visibility of entities’ internet facing and connected assets.
  • Tenable.ad Active Directory – Find and fix directory service weaknesses, and detect and respond to directory attacks in real time.
  • Tenable.ot – IoT/OT environment vulnerability scanning.

Implementation, Configuration and Training Services

The Office of Digital Government Cyber Security Unit (DGov CSU) will provide entities with assistance to establish and configure their Tenable.io workspaces and establish their external vulnerability scans and reports.

Smaller entities will be provided with ongoing management and support where they lack the resources and/or expertise to perform these tasks themselves.

Medium and large entities can assume self-management of their Tenable.io workspaces or co-management with assisted support from the DGov CSU.

For more complex implementations the DGov CSU can engage the services of our service delivery partner CyberCX to assist with the planning and deployment of the Tenable components. Costs associated with these services will be charged back to entities that require this level of assistance.

Participating entities will be provided with a range of online training and vendor-supplied training services to maximise benefits of the service.

Business Benefits

  • Enables informed engagement and decision-making based on real-time cyber threat vulnerability information to improve business and operational outcomes.
  • Cloud-based scalable solution that can be deployed across all of the participating entities’ compute environments, on-premise and hybrid cloud.
  • Meets the WA Government Cyber Security Policy’s requirements for undertaking vulnerability management and the scanning schedule requirements within the Essential 8.
  • Provides insights on managed and non-managed devices connected to entities’ networks.

Whole of Government Benefits

  • Visibility and governance across internet-facing systems, applications, and firmware.
  • Targeted intelligence on vulnerable software and server fleets with recommendations for correct patches.
  • Enhance scanning and patching strategy to improve defences across an expanding threat landscape.