Qualys Blog

It didn’t have to happen.

That’s the simple yet profound lesson from WannaCry’s ransomware rampage that has infected 300,000-plus systems in more than 150 countries, disrupting critical operations across industries, including healthcare, government, transportation and finance.

If vulnerable systems had been patched and maintained as part of a proactive and comprehensive system configuration and vulnerability management program, the attack would have been a dud, barely registering on anyone’s InfoSec radar.

“WannaCry was totally preventable with the proper patching and the proper build configurations,” Mark Butler, Qualys’ Chief Information Security Officer (CISO), said during a webcast this week. “That’s a reminder to all of us that you didn’t have to be a victim.”

There are various workarounds for mitigating the underlying WannaCry vulnerability, but those are stopgap measures. “The primary way to remediate this vulnerability is through disciplined and timely patching,” Qualys Product Management Director Jimmy Graham said during the webcast, titled “How to Rapidly Identify Assets at Risk to WannaCry Ransomware.”

Continue reading …

To assess infections from WannaCry ransomware and threat exposure from the Shadow Brokers vulnerabilities across an entire IT environment, it’s helpful to visualize your exposure via dynamic dashboards.

Using Qualys AssetView and ThreatPROTECT, I created a single-pane incident response dashboard containing six key data points that provide a complete picture to assess both infection of WannaCry and threat exposure from the Shadow Brokers vulnerabilities. With the data from this dashboard, you can take immediate action against WannaCry. Each dashboard element automatically collects trend data that allows customers to track their remediation efforts over time.

See Visualizing WannaCry and Shadow Brokers: How to Configure Dashboards in AssetView for the details of the dashboard, including how to create dashboards in Qualys AssetView and specifically how I built the dashboard for WannaCry and Shadow Brokers.

Continue reading …

To manage privileged credentials, especially across multiple systems in complex environments, many organizations use privileged account security solutions. Qualys has integrated with such solutions for a long time, and has recently upgraded its CyberArk integration to include CyberArk Application Identity Manager. This provides organizations a simplified way to manage access to privileged credentials (passwords and SSH keys) while performing vulnerability and compliance trusted scanning, without the need to store credentials in the Qualys platform.

Continue reading …

The looming deadline for complying with the EU’s General Data Protection Regulation (GDPR) is shining the spotlight on a foundational InfoSec best practice: A comprehensive IT asset inventory.

The reason: GDPR places strict requirements on the way a business handles the personally identifiable information (PII) of EU residents. For example, companies must know what PII they hold on these individuals, where it’s kept, with whom they’re sharing it, how they’re protecting it, and for what purposes it’s being used.

An organization can’t expect to comply with GDPR if it lacks full visibility into the IT assets — hardware and software — that it’s using to process, transmit, analyze and store this data.

“If you don’t know what IT assets you’ve got, how can you effectively find the data on your network that you need to meet GDPR requirements?” said Darron Gibbard, Qualys’ Chief Technical Security Officer for the EMEA region, during a recent webcast.

Continue reading …

This new release of the Qualys Cloud Suite, version 8.10, includes new capabilities and improvements to for VM, PC and shared platform improvements:

• Authentication Vault integration with BeyondTrust
• Mandate-Based reporting for Policy Compliance to simplify reporting against multiple mandates and audit frameworks.
• Expanded support & features for scanning Cloud Environments such as Amazon EC2, Azure, and Google GCE.
• VM Scanning, Reporting, and SSL Labs Improvements
• Ability to export/import UDC definitions with Policy XML and Qualys Library Content
• Policy Compliance support for PostGRE SQL and UDC Support for Amazon Linux 2016

See Also:

• Qualys Cloud Platform 8.10 (VM/PC) API Notification 1
• Qualys Cloud Platform 8.10 (VM/PC) API Notification 2

Continue reading …

In what may be the first public weaponizing of April’s Shadow Brokers dump of NSA exploits, a ransomware attack has crippled IT systems globally and disrupted operations at major organizations, including patient services at UK hospitals.

About 80,000 infections have been detected in about 100 countries at the time of this writing, and the attack, which uses the WannaCry (WanaCrypt0r 2.0) ransomware, continues to spread.

Continue reading …

Qualys’ library of built-in policies makes it easy to comply with commonly adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library monthly.

This release includes new policies and updates covering:

• Initial coverage for DISA STIG on Windows
• SCM for Windows Server 2016
• New CIS versions for CentOS, Windows Server 2008 R2/2012 R2
• Several updates to minor versions for Vendor Recommended and CIS policies.

Continue reading …

Last week, Intel published a security advisory (INTEL-SA-00075) regarding a new vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). The firmware versions impacted are 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6. In addition to the vulnerability disclosure, details of how to exploit it remotely has been released publicly.

Exploitation of this vulnerability could allow an attacker to gain complete control of an affected system. Updated firmwares will be released by the system OEM, but Intel has provided mitigation steps to prevent remote exploitation of the vulnerability. The Qualys Cloud Platform can help you detect any vulnerable systems, allowing you to quickly target them for mitigation.

Continue reading …

Flash has been the top target for exploit kits and we have observed that defender behavior, i.e. how fast patches are applied along with other factors in the threat landscape could have led to a decline in the number of Flash vulnerabilities being weaponized in exploit kits.  In 2016, the time to patch 80% of Flash vulnerabilities reduced by more than half to 62 days as compared to the previous year when it was 144 days. This data is based on more than 3 billion scans performed by Qualys and could be one of the contributing factors why Flash-based attack integration in exploit kits is declining. If organizations patch quickly it gives less time for exploit kits to integrate the exploits and the chances of phishing vulnerable users reduce greatly if more machines are patched quickly.

Continue reading …

Hours before today’s Patch Tuesday release on the eve of May 8, Microsoft released an emergency updated to fix a vulnerability in their Malware Protection Engine. This critical vulnerability allows an attacker to take complete control of the victim’s machine by just sending an e-mail attachment. When the malware protection engine scans the attachment the malicious code in the file gets executed, allowing the attacker complete and full access to the computer. The attack can also be carried out by sending the file via an instant message or having the victim download the file from a website. It is absolutely essential that organizations using Microsoft Malware Protection Engine make sure that they are at version Version 1.1.13704.0 or later. Users should also check if they are patched for CVE-2017-0290, which was released for the same issue today.

In today’s Patch Tuesday update Microsoft released a total of 57 vulnerability fixes. Highest priority should go to patching 0-day issues which are actively exploited.  On top of our list is the Office patch for CVE-2017-0261 which is triggered when a victim opens an Office file containing a malformed graphics image.  The file could be delivered via email or any other means. As this is actively exploited in the wild and attackers can take complete control of the victim system, this should be treated with priority.

Continue reading …