Qualys Security Conference 2017 finds Qualys rapidly advancing in its ongoing quest to seamlessly and transparently thread security into the fabric of IT environments, and to make it essential for digital transformation.
At QSC17, happening this week in Las Vegas, Qualys executives will share how the company’s growing catalog of security and compliance apps, powered by the highly scalable Qualys Cloud Platform, can yield substantial benefits and unique advantages to our customers and partners.
It’s a well-known fact that most successful cyber attacks are easily preventable. That’s because the majority are neither highly sophisticated nor carefully customized.
Instead, they are of the “spray and pray” sort. They try to exploit known vulnerabilities for which patches are available, or to take advantage of weak configuration settings that IT departments could have handily and quickly hardened.
One recent and infamous example was the WannaCry ransomware, which infected 300,000-plus systems and disrupted critical operations globally in May. It spread using the EternalBlue exploit for a Windows vulnerability Microsoft had patched in March.
So why do many businesses, non-profit organizations and government agencies — including those with substantial cybersecurity resources and knowledge — continue falling prey to these largely unrefined and easy to deflect strikes?
In most cases, the main reason can be traced back to hygiene — of the cybersecurity type, of course. Just as personal hygiene practices reduce the risk of getting sick, applying cybersecurity hygiene principles goes a long way towards preventing security incidents.
That was the key message Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore delivered during the recent webcast “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.”
Today Microsoft released patches covering 62 vulnerabilities as part of October’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in Microsoft Office is being actively exploited in the wild.
For InfoSec pros, it’s easy to get overwhelmed by the constant noise from cybersecurity industry players — vendors, research firms, consultants, industry groups, government regulators and media outlets. A good antidote for this hyperactive chatter is to refocus on foundational InfoSec practices. That’s what SANS Institute Senior Analyst John Pescatore and I will do this week: An immersion into the Center for Internet Security’s Critical Security Controls (CSCs).
During an hour-long webcast on Sept. 28, we’ll be discussing the benefits of implementing these 20 recommended controls. Initially published in 2008, these information security best practices have been endorsed by many leading organizations and successfully adopted by thousands of InfoSec teams over the years. Now on version 6.1, the CIS CSCs map effectively to most security control frameworks, as well as regulatory and industry mandates, and are more relevant and useful than ever.
Earlier this month, after roughly six months of deliberation and planning, Google finalised their plans for staged deprecation of Symantec certificates. The process began in March 2017 when Google had announced on the Blink mailing list that they had lost confidence about Symantec’s certificate issuance policies and practices of recent years. The initial deprecation proposal was very strict and looked like it would completely paralyse Symantec, ending with limiting their certificates to validity time of less than one year.
Over time, however, a different solution emerged and Symantec agreed to handle operations of their PKI to some other CA, selecting DigiCert for the role. In return, Google agreed to a deprecation plan that will still be difficult for Symantec, but allows them to resume issuance normally afterwards. Mozilla carried out their own investigation and decided to match Google’s actions and dates. In the final twist, Symantec decided to sell their certificate business to DigiCert.
This is the third post in my series on HPKP. In my first post I declared HPKP dead, and in my second post I explored the possibility of fixing it by introducing pin revocation. Today I will consider an entirely different approach to make HPKP much safer, by changing how it’s activated.
Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows. Patches covering 27 of these vulnerabilities are labeled as Critical, and 39 can result in Remote Code Execution (RCE). According to Microsoft, one critical vulnerability impacting HoloLens has a public exploit, and there are active malware campaigns exploiting a .NET vulnerability. Microsoft has also patched the BlueBorne vulnerability that could allow an attacker to perform a man-in-the-middle attack against a Windows system.
Last year, almost exactly to the day, I declared HPKP effectively dead. I believed then—and I still do—that HPKP is too complex and too dangerous to be worth the effort. The biggest problem lies in the fact that there is no sufficient margin of safety; pinning failures are always catastrophic. That’s always bothered me and I wondered if it was possible to somehow fix HPKP without starting from scratch. That’s what this blog post is about.
If you haven’t already read my last year’s blog post, I suggest that you do so now as it will make the discussion easier to follow. I’ll wait for you patiently until you come back.
Today I am exploring the possibility of fixing HPKP with an introduction of pin revocation, which would be used in case of emergency. Please note that, even though I’ll be trying to save HPKP from a technical perspective, I am not necessarily declaring that HPKP is worth saving. The landscape of PKI had changed and today we have Certificate Transparency (CT), which addresses one set of problems that HPKP was supposed to solve, and also Certification Authority Authorization (CAA), which addresses another set of problems. One could argue that, between CT and CAA, there is perhaps not enough left for HPKP to do, given its complexities. I’ll leave that discussion for some other time. For now, let’s attempt the challenge of making HPKP more palatable. Continue reading …
End users and their devices are right smack in the center of the battle between enterprise InfoSec teams and malicious hackers, and it’s not hard to see why.
When compromised, connected endpoints — desktops, laptops, smartphones, tablets — offer intruders major entry points into corporate networks. However, end users are also their organizations’ best threat detection tools.
That’s a key takeaway from SANS Institute’s “2017 Threat Landscape Survey: Users on the Front Line,” a report published in August and co-sponsored by Qualys.
The study, conducted in May and June, polled 263 IT and InfoSec pros from companies of all sizes and major industries such as finance, government, technology and education.
It found that most of the top intrusion methods reported by respondents sought to directly or indirectly compromise end users or their devices. Hackers’ preferred threat vectors included:
- Email attachment or link (flagged by 74 percent of respondents)
- Web-based drive by or download (48 percent)
- App vulnerabilities on endpoints (30 percent)
- Web server / web app vulnerabilities (26 percent)
- Removable storage devices (26 percent)