With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, protecting these environments is critical for compliance with the EU’s General Data Protection Regulation (GDPR).

These public cloud platforms are being used to power digital transformation initiatives across a wide variety of business functions, including supply chain management, customer support, employee collaboration, sales and marketing.

In all of these business tasks that are being digitally transformed in the cloud, customer personal data regulated by GDPR is likely to be stored, processed and shared.

Continue reading …

Operating since 2015, a threat group dubbed Orangeworm has been newly attributed to hacking and infiltrating healthcare groups around the world.  Companies specifically targeted include hospitals, healthcare providers, pharmaceuticals, IT services firms serving the healthcare industry, and more.  (Healthcare Informatics Institute describes this in more detail.)

The victims are specific, targeted, and global with 17% of victims in the US, 7% in India, 7% in Saudi Arabia, 5% in Philippines, 5% in Germany, Hungary and United Kingdom, with seventeen other countries each with 2% of infections.  Analysts are still investigating the campaign tactics, techniques, and procedures (TTPs) of the Orangeworm group to determine their objectives whether espionage of the medical systems themselves, to steal patient data, or potential future sabotage or ransom.

Continue reading …

In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS) 6.0, testing your REST APIs is easier than ever thanks to support for Swagger.

About Swagger

Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.

Continue reading …

It’s happening more and more.

High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.

Even if the vulnerabilities aren’t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.

Often, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.

“Should I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I’m going to argue that that’s not always the case,” Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.

Continue reading …

Contact lenses that access the Internet literally at the blink of an eye. Toilets that detect cancer-indicating enzymes. Human settlements on Mars. Beaming one’s mind into outer space using lasers. Watching a video of your dreams after you wake up.

Those were just a few of the mind-blowing predictions made by Dr. Michio Kaku at RSA Conference 2018, where he transformed Qualys’ expo booth into a time-traveling vehicle.

For about 30 minutes on Tuesday, the famed physicist led his entranced audience on a spellbinding journey to a future he believes will become a reality in the decades to come.

A new golden age of space travel is upon us

Anchoring many of the advances he described is what he calls a second golden age of space travel, which will trigger and accelerate groundbreaking innovations in artificial intelligence, biotechnology and nanotechnology.

Continue reading …

What does the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar.

Whenever his 7-year old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu, picking Netflix, searching for “My Little Pony,” navigating the seasons and list of episodes, and finally clicking on the one she wanted to watch.

But that process became a thing of the past at Thakar’s house after he got a Google Home smart speaker and home assistant, and linked it up with his smart TV.  Now all his daughter needs to do is tell Google Home to play her favorite show on the living room TV, and all the steps are carried out in an automated, seamless way, without anyone even having to grab the TV remote control.

“That’s transparent,” Thakar said on Monday during his keynote speech at the Cloud Security Alliance (CSA) Summit being held at the RSA Conference in San Francisco.

Continue reading …

In this ongoing blog series on preparing for complying with the EU’s General Data Protection Regulation (GDPR), we’ve explained the importance of having solid, foundational security practices like asset management and threat prioritization. Today, we’ll discuss how another such practice can help organizations stay on the right side of GDPR: Indication of Compromise (IOC).

In a nutshell, IOC can help customers who are dealing with unauthorized access to customer personal data by an external threat actor or adversary. This makes IOC particularly relevant to GDPR’s stringent requirements for data integrity, control, accountability and protection.

To comply with GDPR, which goes into effect on May 25, companies worldwide — not just in the EU — must know what personal data of EU residents they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.

Continue reading …

Today’s Patch Tuesday is smaller than last month, but there are more critical updates this time. Out of the 63 vulnerabilities covered by the Microsoft patches, 22 of them are critical. Adobe has released 6 bulletins covering 19 vulnerabilities. According to Microsoft and Adobe, there are no active attacks against these vulnerabilities.

The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.

Continue reading …

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, compromising an undetermined number of their customers’ payment card data.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

Continue reading …

Tell your security story to your peers at Black Hat USA 2018!

Qualys is looking for customers excited to share their security and DevSecOps successes, best practices for building security into modern enterprises and case studies leveraging the use of the Qualys Cloud Platform. Take the stage in the Qualys booth to share your experience with Black Hat USA attendees two or three times total during exhibit hall hours on August 8 and 9.

If you would like to be considered as a presenter, please send a title and short abstract for a 20-minute presentation to David Conner at dconner@qualys.com. The call for presenters is open through Thursday, June 7, 2018.

Black Hat USA is held at Mandalay Bay Resort and Casino in Las Vegas. Qualys will provide accepted presenters with a full conference pass, and pay your airfare plus hotel expenses for the conference.

Looking for inspiration? See what customers are presenting in the Qualys booth at RSA Conference 2018.